• Resolved rolynoworse

    (@rolynoworse)


    Wordfence keeps reporting the following:

    “This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “<?php\x0d\x0a\x0d\x0aif (isset($_REQUEST[‘action’]) && isset($_REQUEST[‘password’]) && ($_REQUEST[‘password’] == ‘4a38f631d3a9a27c5df46c96c4b0cc43’))\x0d\x0a\x09{\x0d\x0a\x09\x09switch ($_REQUEST[‘action’])\x0d\x0a\x09\x09\x09{\x0d\x0a\x09\x09\x09\x09case ‘get_all_l…”. The infection type is: Backdoor:PHP/get_all_links.”

    The functions.php file is integral to WordPress as far as I am aware and on examining the file I can’t see the quoted malicious code.

    Please can you advise?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter rolynoworse

    (@rolynoworse)

    Fixed

    gschaefer

    (@gschaefer)

    How did you resolve this? I am seeing the same issue appear on multiple WordPress sites and even after removing the infected files and replacing them with the original versions, the next day they are hacked again. I am running Wordfence and Sucuri both in a hardened state on a very secure private Linux web server account so I’d love to know how this is happening?

    Thread Starter rolynoworse

    (@rolynoworse)

    I did a side-by-side comparison with the base functions.php file from the theme and only then did I manage to spot that there were some differences; however, the warning thrown up by Wordfence was misleading as it contained several characters which didn’t appear in the file itself.

    Like you, I have the same issue appearing on multiple sites and am frustrated that this keeps happening. Wish I knew why…

    Sorry I can’t be of more help.
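
The comparison described in the reply above, as an added example that is not part of the original thread and is not Wordfence's own code. In the quoted report, `\x0d\x0a` and `\x09` are hex escapes for CR LF and tab, so the excerpt has to be decoded before it can be searched for in the file. The file contents, the `mytheme_setup` name and all function names below are constructed for illustration, and the sketch assumes the excerpt differs from the file only by those escapes and the curly quotes.

```python
import difflib
import re

# Curly quotes that forum or e-mail rendering substitutes for ASCII quotes.
_QUOTES = str.maketrans({"‘": "'", "’": "'", "“": '"', "”": '"'})

def decode_excerpt(excerpt):
    """Turn \\xNN escapes in a scanner excerpt back into the raw characters."""
    text = excerpt.translate(_QUOTES)
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def normalize(text):
    """Use LF everywhere so CRLF/LF differences cannot hide a match."""
    return text.replace("\r\n", "\n").replace("\r", "\n")

def find_excerpt(file_text, excerpt):
    """Return the 1-based line where the decoded excerpt starts, or None."""
    haystack, needle = normalize(file_text), normalize(decode_excerpt(excerpt))
    pos = haystack.find(needle)
    return None if pos < 0 else haystack.count("\n", 0, pos) + 1

def added_lines(baseline_text, live_text):
    """List (line_number, text) present in the live file but not the baseline."""
    a = normalize(baseline_text).splitlines()
    b = normalize(live_text).splitlines()
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    return [(n + 1, b[n]) for tag, _, _, j1, j2 in matcher.get_opcodes()
            if tag in ("insert", "replace") for n in range(j1, j2)]

# Constructed samples: a pristine theme file and a modified copy (payload elided).
BASELINE = "<?php\n/* Theme functions */\nadd_action('after_setup_theme', 'mytheme_setup');\n"
LIVE = ("<?php\r\n\r\nif (isset($_REQUEST['action']) && isset($_REQUEST['password']))\r\n"
        "\t{ /* injected block elided */ }\r\n?><?php\r\n"
        "/* Theme functions */\r\nadd_action('after_setup_theme', 'mytheme_setup');\r\n")
# Start of the excerpt as the scanner report displays it (escapes and curly quotes).
EXCERPT = r"<?php\x0d\x0a\x0d\x0aif (isset($_REQUEST[‘action’]) && isset($_REQUEST[‘password’])"

if __name__ == "__main__":
    print("excerpt found at line:", find_excerpt(LIVE, EXCERPT))
    for number, text in added_lines(BASELINE, LIVE):
        print(f"+ {number}: {text!r}")
```

On a real site, pass in the contents of the live functions.php and of the same file from a fresh download of the theme.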

    luhas-wp

    (@sahulap)

    I have the same issue on all my sites, even on child themes. What happened? How could I prevent this? Please help.

  • The topic ‘Wordfence reporting malicious code in functions.php’ is closed to new replies.