Title: perezbox's Replies | WordPress.org --- # perezbox [ ](https://wordpress.org/support/users/perezbox/) * [Profile](https://wordpress.org/support/users/perezbox/) * [Topics Started](https://wordpress.org/support/users/perezbox/topics/) * [Replies Created](https://wordpress.org/support/users/perezbox/replies/) * [Reviews Written](https://wordpress.org/support/users/perezbox/reviews/) * [Topics Replied To](https://wordpress.org/support/users/perezbox/replied-to/) * [Engagements](https://wordpress.org/support/users/perezbox/engagements/) * [Favorites](https://wordpress.org/support/users/perezbox/favorites/) Search replies: ## Forum Replies Created Viewing 15 replies - 1 through 15 (of 230 total) 1 [2](https://wordpress.org/support/users/perezbox/replies/page/2/?output_format=md) [3](https://wordpress.org/support/users/perezbox/replies/page/3/?output_format=md)… [14](https://wordpress.org/support/users/perezbox/replies/page/14/?output_format=md) [15](https://wordpress.org/support/users/perezbox/replies/page/15/?output_format=md) [16](https://wordpress.org/support/users/perezbox/replies/page/16/?output_format=md) [→](https://wordpress.org/support/users/perezbox/replies/page/2/?output_format=md) * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [wp-includes/simplepie/cache](https://wordpress.org/support/topic/wp-includessimplepiecache/) * [perezbox](https://wordpress.org/support/users/perezbox/) * (@perezbox) * [9 years, 4 months ago](https://wordpress.org/support/topic/wp-includessimplepiecache/#post-8699582) * Hi * Which subfolders specifically have filled up? Regardless of the folder though realize that if you have actions occurring on your domain that you did not authorize it’s usually a strong indicator that something is wrong. By wrong I mean, it’s a strong indicator that you’re dealing with a hack. Usually when folders get filled with junk it’s technique used with spam campaigns. * You might want to consider reading through this guide: [https://sucuri.net/guides/how-to-clean-hacked-wordpress](https://sucuri.net/guides/how-to-clean-hacked-wordpress) to help you think through the delousing process. * Thanks * Tony * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [Chrome says my website contains malware?](https://wordpress.org/support/topic/chrome-says-my-website-contains-malware/) * [perezbox](https://wordpress.org/support/users/perezbox/) * (@perezbox) * [9 years, 4 months ago](https://wordpress.org/support/topic/chrome-says-my-website-contains-malware/#post-8698380) * Note that the Google blacklisted you, then the domain is blacklisted. Until you submit for a review the blacklist won’t go away. Even if you switch themes etc.. * FYI I just opened your site with no issue.. * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [Chrome says my website contains malware?](https://wordpress.org/support/topic/chrome-says-my-website-contains-malware/) * [perezbox](https://wordpress.org/support/users/perezbox/) * (@perezbox) * [9 years, 4 months ago](https://wordpress.org/support/topic/chrome-says-my-website-contains-malware/#post-8698318) * Hi @mahamnor * IT’s really going to depend on the type of warning you’re experiencing. Here is a guide that explains the different types of warnings: [https://sucuri.net/guides/what-is-google-blacklist](https://sucuri.net/guides/what-is-google-blacklist) * And a guide that walks you through the process of removing said warnings: [https://sucuri.net/guides/how-to-remove-google-blacklist-warning](https://sucuri.net/guides/how-to-remove-google-blacklist-warning) * There are different types, and it’s important to understand which is affecting you. Also, in the warning itself it will often tell you exactly why it’s being blocked.. for instance, if a malicious domain was injected it might be that the injected domain is blocked, but not your main domain, but it appears as it’s your site. If it’s phihsing, it’s fundamentally different as well. 🙂 * Hope this helps, and keep me posted. * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [Mysterious code in functions.php](https://wordpress.org/support/topic/mysterious-code-in-functions-php-2/) * [perezbox](https://wordpress.org/support/users/perezbox/) * (@perezbox) * [9 years, 8 months ago](https://wordpress.org/support/topic/mysterious-code-in-functions-php-2/#post-8279875) * Hi [@jansal](https://wordpress.org/support/users/jansal/) * Gotcha, if it’s newly added then it’s definitely malicious and it explains why it’s doing what it’s doing. I was asking if it was the entire function file because being unaware of the theme it’s hard to say if it’s talking to features the theme offers. Being it’s all new, and not part of the original theme, it’s safe to say it’s malicious.. 🙂 * On that note, see if this guide here helps: [https://sucuri.net/guides/how-to-clean-hacked-wordpress](https://sucuri.net/guides/how-to-clean-hacked-wordpress) something we put together to help website owners like yourself get things situated post-hack. * Good luck * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [Unknown code in Function.php file. How do I check for any malicious activity?](https://wordpress.org/support/topic/unknown-code-in-function-php-file-how-do-i-check-for-any-malicious-activity/) * [perezbox](https://wordpress.org/support/users/perezbox/) * (@perezbox) * [9 years, 8 months ago](https://wordpress.org/support/topic/unknown-code-in-function-php-file-how-do-i-check-for-any-malicious-activity/#post-8266661) * Hi [@reshampanth](https://wordpress.org/support/users/reshampanth/) * Would you mind sending me the pastebin to the code to [tony@sucuri.net](https://wordpress.org/support/users/perezbox/replies/tony@sucuri.net?output_format=md)? * Thanks * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [Mysterious code in functions.php](https://wordpress.org/support/topic/mysterious-code-in-functions-php-2/) * [perezbox](https://wordpress.org/support/users/perezbox/) * (@perezbox) * [9 years, 8 months ago](https://wordpress.org/support/topic/mysterious-code-in-functions-php-2/#post-8266646) * Hi [@jansal](https://wordpress.org/support/users/jansal/) * Did you by chance copy the entire functions file for the theme here or only the part that was inserted? * Also, what theme are you using? Is it s premium or free theme? * Thanks * Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/) In reply to: [How to get rid of .bt hack?](https://wordpress.org/support/topic/how-to-get-rid-of-bt-hack/) * [perezbox](https://wordpress.org/support/users/perezbox/) * (@perezbox) * [9 years, 8 months ago](https://wordpress.org/support/topic/how-to-get-rid-of-bt-hack/#post-8259606) * Hi @flatterblog * Been talking to some of our researchers and if you can send us a sample of the. bt files that’d be really helpful. Would you be open to it? * Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/) In reply to: [[WPtouch - Make your WordPress Website Mobile-Friendly] WPTouch Mobile site not working](https://wordpress.org/support/topic/wptouch-mobile-site-not-working/) * [perezbox](https://wordpress.org/support/users/perezbox/) * (@perezbox) * [9 years, 8 months ago](https://wordpress.org/support/topic/wptouch-mobile-site-not-working/#post-8259601) * Hi [@julie](https://wordpress.org/support/users/julie/) * Hard to say if it’s been hacked, but what you’re describing is what I would call a very strong indicator of a possible compromise. * Usually, when something starts to do something unexpected, and there hasn’t been an event that led to it (i.e., an update, configuration change, etc..) it’s usually a bad sign. But, one easy way to test would be to disable the plugin and open in mobile and see what happens. From what you describe, I’m not sure if it’s a plugin issue or a general issue. I’m obviously assuming no one on your team has made a change (including any updates, including core or other plugins). * Here is a guide that might help you troubleshoot: [https://sucuri.net/guides/how-to-clean-hacked-wordpress](https://sucuri.net/guides/how-to-clean-hacked-wordpress) * Tony * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [Unusual probelm with wordpress](https://wordpress.org/support/topic/unusual-probelm-with-wordpress/) * [perezbox](https://wordpress.org/support/users/perezbox/) * (@perezbox) * [9 years, 8 months ago](https://wordpress.org/support/topic/unusual-probelm-with-wordpress/#post-8259593) * Hi [@bhopale](https://wordpress.org/support/users/bhopale/) * Activating / Deactivating plugins would definitely do the trick, but be mindful it’s a manual and in some instance a timely process. I would also check your widgets as well… * FYI – for what you described, changing hosts would not have done anything like you’ve seen. The issue is in the application, so if you moved the dirty application to another provider then you simply moved the issue. Another good place to look might be the database. * Here is a guide that might help as you troubleshoot: [https://sucuri.net/guides/how-to-clean-hacked-wordpress](https://sucuri.net/guides/how-to-clean-hacked-wordpress) * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [Spam link injection on site: google check](https://wordpress.org/support/topic/spam-link-injection-on-site-google-check/) * [perezbox](https://wordpress.org/support/users/perezbox/) * (@perezbox) * [9 years, 8 months ago](https://wordpress.org/support/topic/spam-link-injection-on-site-google-check/#post-8259580) * Hi * So cleaning all those spammy references in the SERPs can be a real pain sometimes. You might be interested in this guide: [https://sucuri.net/guides/what-is-google-blacklist](https://sucuri.net/guides/what-is-google-blacklist) it helps explain the various Google warnings and blacklists. * Also, note that the Google blacklist is specific to malware distribution. Just because they removed it doesn’t mean that you weren’t also hit with a SEP attack( SEO Spam). SEO spam doesn’t necessarily generate a blacklist warning, but could generate a SERP notice. Not always though, so you could be showing dirty SERPs and not show a warning.. I know, it’s a mind meld sometimes. * With that in mind, see if this guide helps a bit: [https://sucuri.net/guides/how-to-clean-hacked-wordpress](https://sucuri.net/guides/how-to-clean-hacked-wordpress) * Normally if you submit for a review, if the SPAM injection was removed it would clear.. but it’s hard to say.. Also, try to see if any of the articles here will help: [https://blog.sucuri.net/category/website-seo-spam/](https://blog.sucuri.net/category/website-seo-spam/) * Thanks * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [Many malicious and unknown files reported by WordFense](https://wordpress.org/support/topic/many-malicious-and-unknown-files-reported-by-wordfense/) * [perezbox](https://wordpress.org/support/users/perezbox/) * (@perezbox) * [9 years, 8 months ago](https://wordpress.org/support/topic/many-malicious-and-unknown-files-reported-by-wordfense/#post-8259563) * Hi Huriken * If all the files are in core directorie: /wp-admin and /wp-include I would download a fresh copy and replace with the new fresh copies. Don’t use the update feature in your dashboard as it won’t delete any existing files. * That will address issues in core directories, but not if there are other files. Here is a guide that might assist in that process: [https://sucuri.net/guides/how-to-clean-hacked-wordpress](https://sucuri.net/guides/how-to-clean-hacked-wordpress) * Good luck * Tony * Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/) In reply to: [How to get rid of .bt hack?](https://wordpress.org/support/topic/how-to-get-rid-of-bt-hack/) * [perezbox](https://wordpress.org/support/users/perezbox/) * (@perezbox) * [9 years, 8 months ago](https://wordpress.org/support/topic/how-to-get-rid-of-bt-hack/#post-8259524) * Hi @flatterblog * Gah, that sucks. * Here is an article that talks to a similar attack in which the code was being regenerated: [https://blog.sucuri.net/2016/09/cleaning-the-wp-page-pharma-hack-in-wordpress.html](https://blog.sucuri.net/2016/09/cleaning-the-wp-page-pharma-hack-in-wordpress.html) Not exactly the same as what you have, but I’m thinking it could help point you in the right direction. Have you checked your cron jobs, or maybe your theme files if there is code in there that is regenerated on load? * We’ve also put together this guide: [https://sucuri.net/guides/how-to-clean-hacked-wordpress](https://sucuri.net/guides/how-to-clean-hacked-wordpress) that you might find helpful as well. * Tony * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [Website is hacked](https://wordpress.org/support/topic/website-is-hacked/) * [perezbox](https://wordpress.org/support/users/perezbox/) * (@perezbox) * [9 years, 8 months ago](https://wordpress.org/support/topic/website-is-hacked/#post-8259502) * Hi @atfech * It’d be really helpful if you consolidate all your comments into one, the best possible, instead of multiple single comments.. 🙂 It’d make it a lot easier for the volunteers to read, digest and help as needed. * First, in addition to the documents provided [@anevins](https://wordpress.org/support/users/anevins/), we’ve prepared a pretty comprehensive guide that should assist you locate what might be happening: [https://sucuri.net/guides/how-to-clean-hacked-wordpress](https://sucuri.net/guides/how-to-clean-hacked-wordpress) * So as to your questions: * 1 – Is there a way to prevent this hack? Ofcourse there are, but it’s difficult to know where to start with understanding what exists and what you’ve done. That hardening guide you provided is definitely a good place to start. * 2 – As for the vulnerabilities in WordPress, read that article WordPress – Understanding it’s True Vulnerability. Wrote it a few year ago, but still very applicable today. * 3 – To help prevent Brute Force attacks, you might want to consider a 2FA plugin that enables some form of multi factor authentication when someone is trying to log in. * Best of luck * Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/) In reply to: [[GTM4WP - A Google Tag Manager (GTM) plugin for WordPress] Sucuri Shows Malware on GTM plugin](https://wordpress.org/support/topic/sucuri-shows-malware-on-gtm-plugin/) * [perezbox](https://wordpress.org/support/users/perezbox/) * (@perezbox) * [9 years, 8 months ago](https://wordpress.org/support/topic/sucuri-shows-malware-on-gtm-plugin/#post-8259476) * Hey [@duracelltomi](https://wordpress.org/support/users/duracelltomi/) * No worries.. 🙂 * Tony * Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/) In reply to: [[GTM4WP - A Google Tag Manager (GTM) plugin for WordPress] Sucuri Shows Malware on GTM plugin](https://wordpress.org/support/topic/sucuri-shows-malware-on-gtm-plugin/) * [perezbox](https://wordpress.org/support/users/perezbox/) * (@perezbox) * [9 years, 8 months ago](https://wordpress.org/support/topic/sucuri-shows-malware-on-gtm-plugin/#post-8256927) * Hi * That’s actually a security warning, not a malware warning. It’s because the scan is returning a 500 error. This can be for a variety of reasons, doesn’t always mean they have malware. * Thanks Viewing 15 replies - 1 through 15 (of 230 total) 1 [2](https://wordpress.org/support/users/perezbox/replies/page/2/?output_format=md) [3](https://wordpress.org/support/users/perezbox/replies/page/3/?output_format=md)… [14](https://wordpress.org/support/users/perezbox/replies/page/14/?output_format=md) [15](https://wordpress.org/support/users/perezbox/replies/page/15/?output_format=md) [16](https://wordpress.org/support/users/perezbox/replies/page/16/?output_format=md) [→](https://wordpress.org/support/users/perezbox/replies/page/2/?output_format=md)