Title: wp-apps.php hack
Last modified: August 20, 2016

---

# wp-apps.php hack

 *  [surfintica](https://wordpress.org/support/users/surfintica/)
 * (@surfintica)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/wp-appsphp-hack/)
 * My server has been infected by these files
 * wp-apps.php
    wp-count.php
 * Our host said to update all plugins and WordPress core files but even after that
   it is still returning to the site’s root install
 * Once it is there, it changes the Themes folder footer.php file and adds
 * `<?php error_reporting(0);include_once $_SERVER['DOCUMENT_ROOT'].'/wp-apps.php';?>`
 * This actually occurs on the WP installs that are most current. I have 2.8.5
   installs for many sites and not one of them gets infected like the 3.4.1 and 3.4.2
   versions
 * Anyone have any idea of how to contain this?
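
Added example, not part of the original thread: a read-only Python check for the indicators named in the post above, namely the two files in the site root and a theme file that includes one of them. It scans every theme PHP file rather than only footer.php, and assumes the standard `wp-content/themes` layout; `scan_site`, `build_sample` and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# File names this thread reports being dropped into the site root.
DROPPED_NAMES = ("wp-apps.php", "wp-count.php")

# An include/require statement that pulls in one of those files, such as the
# line the original post found added to the theme's footer.php.
INJECT_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*?("
    + "|".join(re.escape(n) for n in DROPPED_NAMES) + r")",
    re.IGNORECASE,
)

def scan_site(webroot):
    """Return findings for dropped root files and theme files that include them."""
    root = Path(webroot)
    findings = []
    for name in DROPPED_NAMES:
        path = root / name
        if path.is_file():
            # Size 0 points to an empty placeholder rather than a payload.
            findings.append(("dropped_file", name, path.stat().st_size))
    themes = root / "wp-content" / "themes"
    for php in (sorted(themes.rglob("*.php")) if themes.is_dir() else []):
        lines = php.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            match = INJECT_RE.search(line)
            if match:
                findings.append(("theme_include", php.relative_to(root).as_posix(),
                                 lineno, match.group(1)))
    return findings

def build_sample(root):
    """Create a small constructed site tree (no real malware) for the demo."""
    theme = Path(root) / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (Path(root) / "wp-apps.php").write_text("")  # empty stand-in file
    (theme / "header.php").write_text("<?php include_once 'inc/menu.php'; ?>\n")
    (theme / "footer.php").write_text(
        "</body>\n<?php error_reporting(0);include_once "
        "$_SERVER['DOCUMENT_ROOT'].'/wp-apps.php';?>\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in scan_site(tmp):
            print(finding)
```

A finding only shows where the symptoms are; it does not identify how the files got onto the server.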

Viewing 12 replies - 1 through 12 (of 12 total)

 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/wp-appsphp-hack/#post-3052506)
 * You need to start working your way through these resources:
    [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Additional Resources:
    [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 *  Thread Starter [surfintica](https://wordpress.org/support/users/surfintica/)
 * (@surfintica)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/wp-appsphp-hack/#post-3052608)
 * Funny but we paid $189 to Sucuri and they keep claiming to fix the problem but
   it keeps coming back to the very same site.
 * Also their scanners do not see any malware.
 * This is a pervasive issue that is coming from somewhere in the code. All themes
   using timthumb have been hardened
 * [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   3 years old
 * All others have tried except secret key in wp-config.php file
 *  [mfleysher](https://wordpress.org/support/users/mfleysher/)
 * (@mfleysher)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/wp-appsphp-hack/#post-3052692)
 * Hello, I’m having this same issue, and it’s coming back every month, please help!!
 *  [WPyogi](https://wordpress.org/support/users/wpyogi/)
 * (@wpyogi)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/wp-appsphp-hack/#post-3052693)
 * **[@mfleysher](https://wordpress.org/support/users/mfleysher/)** – if it keeps
   coming back, you’re not getting it completely cleaned up or some backdoor is 
   being left open. Did you go through ALL of those articles listed above?
 * Perhaps you should consider paying someone to help you – Sucuri is quite well
   regarded or you can post a job listing here:
 * [http://jobs.wordpress.net/](http://jobs.wordpress.net/)
 * We really don’t recommend responding to any offers of help (paid or not) from
   people you don’t know from a public forum.
 *  Thread Starter [surfintica](https://wordpress.org/support/users/surfintica/)
 * (@surfintica)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/wp-appsphp-hack/#post-3052694)
 * [@mfleysher](https://wordpress.org/support/users/mfleysher/)
 * How I was able to eliminate the problem once and for all, was to keep the files
   in the install folder. BUT I deleted all of the content in each file. So the 
   hack cannot re-create the file since there already exists the same file it is
   trying to create.
 * Do this and it will go away.
 * BTW I performed all of the suggestions in the links above but none of them worked.
   And Sucuri might be well regarded but they did nothing to resolve this problem.
   NOTHING for $189 per year.
 * I ended up hardening all sites using Better WordPress Security or something like
   that and I have not had one problem since then.
 *  [SOLVM](https://wordpress.org/support/users/solvm/)
 * (@solvm)
 * [12 years, 9 months ago](https://wordpress.org/support/topic/wp-appsphp-hack/#post-3052695)
 * [@surfintica](https://wordpress.org/support/users/surfintica/)
 * Interesting solution. I will have to try that.
 * The WordFence plugin used to find and fix these, but it hasn’t detected these
   lately. The Sucuri scan and plugin have never found these wp-apps and wp-count
   hacks.
 *  [Pioneer Web Design](https://wordpress.org/support/users/swansonphotos/)
 * (@swansonphotos)
 * [12 years, 9 months ago](https://wordpress.org/support/topic/wp-appsphp-hack/#post-3052696)
 * Since this thread has not posted a link to the url (infected site) for others
   to review, can’t we all just use it as _utter speculation_ (at best, or a point
   missed?)
 *  [bonaventuradibello](https://wordpress.org/support/users/bonaventuradibello/)
 * (@bonaventuradibello)
 * [12 years, 9 months ago](https://wordpress.org/support/topic/wp-appsphp-hack/#post-3052697)
 * [@surfintica](https://wordpress.org/support/users/surfintica/)
 * I had the same infection three times, on three websites protected by Better WordPress
   Security, while using all measures suggested by the web hoster and other services.
   I’m at my third ‘cleaning’ and restoring of the websites now, and going to adopt your
   suggestion which seems very logical (thanks, btw!), I just added a 444 to them
   for better protection against rewriting or deletion, hope this helps too.
 * [@everybody](https://wordpress.org/support/users/everybody/)
 * The infection doesn’t just create the wp-count and wp-apps fake and infected 
   files, it also modifies the theme’s footer (and header, sometimes) and infects
   some other WordPress system files, so a general update to the CMS, plugins and
   themes is always advisable in these cases. Hope this helps, please keep the thread
   updated about your experiences if possible, thanks!
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [12 years, 9 months ago](https://wordpress.org/support/topic/wp-appsphp-hack/#post-3052698)
 * > I’m at my third ‘cleaning’ and restoring of the websites now
 * You’re not closing the door that the attacker is walking in via. It’s an often
   repeated set of links but here goes (again):
 * You need to start working your way through these resources:
    [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Anything less will probably result in the hacker walking straight back into your
   site again.
 * Additional Resources:
    [Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress)
   [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) 
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 * > Hope this helps, please keep the thread updated about your experiences if possible,
   > thanks!
 * No don’t do that. Really don’t.
 * Everyone’s installation is different. They’re on different hosts, with different
   versions of PHP, with different PHP configs, etc. Keeping all these “I’m hacked!”
   replies on one thread doesn’t do anything to address the problem that you are
   having.
 * If you keep getting hacked even after performing all the steps listed above then
   consider changing hosts. It’s the one thing that you may not be able to control
   and switching to another host may be your last and only option.
 * That or you’re not finding the means that the attacker made it into your system.
   If you don’t close the door on the attackers then it doesn’t matter what you 
   do. They’ll just keep coming back.
 *  [bonaventuradibello](https://wordpress.org/support/users/bonaventuradibello/)
 * (@bonaventuradibello)
 * [12 years, 9 months ago](https://wordpress.org/support/topic/wp-appsphp-hack/#post-3052699)
 * [@jan](https://wordpress.org/support/users/jan/), just keeping posting those 
   URLS doesn’t solve the problems, users need help in figuring out the specific
   issue, for example hints like these: [http://www.krizalys.com/article/multi-wordpress-hack](http://www.krizalys.com/article/multi-wordpress-hack)
   
   I know everyone has a different server configuration and so on, but attacks like
   this have common issues and working together in finding them and helping each
   other to solve the problem is what the community needs, not just a list of URLs
   with generic advice about security. Sorry for being a little rude, but this is
   the truth, right now.
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [12 years, 9 months ago](https://wordpress.org/support/topic/wp-appsphp-hack/#post-3052700)
 * Really? How far did you get with those links? The link that you posted does not
   contain a proof-of-concept and doesn’t even explain how the exploit happened.
 * > I know everyone has a different server configuration and so on
 * Exactly and that was the point of this paragraph.
 * > Everyone’s installation is different. They’re on different hosts, with different
   > versions of PHP, with different PHP configs, etc. Keeping all these “I’m hacked!”
   > replies on one thread doesn’t do anything to address the problem that you are
   > having.
 * Aside from you not successfully delousing your installation, is this common to
   a VPS/dedicated server, a shared hosting on one server plan, using suPHP, nginx,
   Apache2, lighttpd, an exploit that was covered in the 3.5.2 security update, 
   is it a plugin exploit, is it something inherent to a theme or theme provider
   framework?
 * See what I mean? Playing pile on the topic doesn’t help the original poster or
   anyone else for that matter.
 * > Sorry for being a little rude, but this is the truth, right now.
 * Being rude within limits is acceptable. Arguing with forum moderators? Not really
   a good idea. And your “truth” really is not a solution either.
 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [12 years, 9 months ago](https://wordpress.org/support/topic/wp-appsphp-hack/#post-3052701)
 * >  just keeping posting those URLS doesn’t solve the problems, users need help
   > in figuring out the specific issue
 * Sorry, but all we can do is give advice. We are all volunteers here and if the
   advice we give is not to a standard you accept then you are welcome to use a 
   paid service like [Code Poet](http://directory.codepoet.com/browse/services/support-troubleshooting/).
 * > but attacks like this have common issues
 * Even if your issue was exactly the same as the original poster’s, piggy-backing
   off someone else’s support is not something we encourage here. Be polite and 
   create your own thread to discuss your own issue.


The topic ‘wp-apps.php hack’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 12 replies
 * 9 participants
 * Last reply from: [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * Last activity: [12 years, 9 months ago](https://wordpress.org/support/topic/wp-appsphp-hack/#post-3052701)
 * Status: not resolved

