After updating all my plugins, having an active security backup and clearing all my spam mails and no unauthorised users, my WordPress site has once again been hacked. I have a spam URL showing under the main logo on my HP. Any suggestions on how to sort this out? Having looked in Editor at the .php files, I notice this string of code (pasted below) in my ‘Theme functions.php’ file. Is that spam or normal? Unfortunately I don’t code and don’t know what to look for!!
<?php
$wp_function_initialize = create_function('$a',strrev(';)a$(lave'));
$wp_function_initialize(strrev(';))"=owOp
[hacking code removed]
'g42bpR3YuVnZ"(edoced_46esab(lave'));?><?php
/*** Theme setup ***/
First. Follow this guide
However, the following has worked for me:
When you originally got hacked; changes were made to core WordPress files that adds that line to the
functions.phpfile if it doesn’t exist every time you load the page.My suggestion is to reinstall WordPress by going to
/wp-admin/update-core.phpand clicking Re-install NowThe problem could also exist in any one of your active plugins. Reinstall them.
Yes – you got hacked and this code snipped seems to be the “bad code” that was inserted by the hacker. Do you use MailPoet/wysija-Newsletters? This plugin was hacked twice last month.
Analyzing the code would take a few hours so it’s hard to say what it really does but it’s obvious that it’s nothing very nice since the author tried to “hide” the real code very well 😉 That’s nothing WordPress does itself so to answer this question: It’s not normal and very likely it’s not only spam.
Therefore you need to make sure that you clean every file that is infected. Since the code is in your theme reinstalling WP won’t help (I guess you don’t use the default theme).
If the inserted code is spread over many .php files and they are equal you may use a small Python script to check all .php files for the occurrence of the code. Otherwise it becomes a little bit harder to remove it completely.
The strrev(‘;)a$(lave’)) part of the code reverses the text to hide it. You will notice that “a$(lave” reversed is “eval($a”.
Search every file on your site for “eval(” and for “(lave”.
Valid code very seldom uses the eval function. It is just so open to abuse that it is avoided in WordPress and other well-written PHP scripts.
And if you see “lave” inside a strrev function, then you can be pretty sure that is malicious code.
I was just hacked in a very similar way to what you describe. I found your question while searching for more information, and I can pass on what I learned.
For repairing this particular problem:
To make this easier in the future, always keep an entire copy of your website on your personal computer. I use a tool called Beyond Compare that will show me all files with differences between the files on my website and those on my computer. It will also show the differences within each individual file. This makes it easy to compare and fix the files that have been hacked. I actually use Beyond Compare as my FTP tool to upload my non-WordPress changes to my website.
This is the first time my WordPress site has been hacked in a number of years. My experience and hope is that this might be a fly-by one-time thing that will have been fixed after I go back to the pre-hacked code. Generally, WordPress keeps its code clean and fixes exploits, so that old hacks won’t happen again. But you may have plugins or themes where the hacks have got in and can get in again in the future. It is worthwhile, trying to research the method of exploit and fix the backdoor to prevent it. I’m not sure the best way to do this research, but my finding this question was part of my research.
I hope these ideas help you, or any other passersby who have the same problem as we have.