• I rebuilt a website in a sub-folder for a restaurant that had their site hacked. The first thing I did was install the latest version of WordPress (3.9.2, a few weeks ago) and bulletproof security, along with Wordfence.

    The site seems to be operating fine, but my core WP files keep getting modified by something. It’s always on the first line after <?php. This happened once before and I thought a plugin caused it, so I cleaned up the plugins to only ones I absolutely needed and checked they were up to date. I ran Wordfence a few weeks ago and it pointed out the core files that were changed, so I could do a bulk repair and it restored the files.

    Today, I just noticed that they were all modified again! I ran Wordfence again, and this time, interestingly, it didn’t notice any changes.

    The pages start out like this: [ hacked snippet redacted, please do not share that part here ]

    It appears to be on every core php file. Any ideas how I can stop this? I can’t figure out why it’s happening or why Wordfence isn’t even seeing it anymore.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter mixmethods (@mixmethods)

    I should note that the hacked site content (in the root) still exists because I was borrowing from the old content to rebuild the site. I also have a local mirror of the old site now, so I don’t need the old hacked site, and it’s not even possible to log into wp-admin on the old site.

    Is it possible that the site is being hacked via the existing hack on the root site? Would deleting all of the root WP install and then updating the new site (in the subfolder) to WordPress 4.0 remove the hacking threat?

    I too am curious as I’m getting this exact php injection across multiple sites with multiple users. Definitely not a username compromise, some sites have user registrations and wp-admin entirely blocked at the webserver level so I’m assuming it’s a php vulnerability.

    Installing plugins after a hack does not fix the hack. They cannot and never will do that. Site security is more than a plugin. I suggest Sucuri to fix the site. BTW, if the site is compromised, it may also be compromising each visitor. I strongly encourage you to not allow that to continue.

    Hi. This is the recent mailpoet exploit.

    Even if your website does not have any outdated plugins, someone on the same machine might have mailpoet, making every website on the same server vulnerable.

    This article gives some more info about it: https://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html

    There is at the moment not much you can do except boot off those who are using mailpoet or any related plugin. Especially, make backups of a cleaned-up site, and restore them as soon as you are hacked again.

    It’s pretty easy to clean this up, but it can only be detected by browsing the core files themselves.
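
Added example, not part of the original thread: instead of browsing core files by hand, compare the live install with a pristine copy of the same WordPress release unpacked alongside it, and report the first line where each core PHP file differs. The function names and the sample trees built in `demo()` are constructed for illustration.

```python
import os
import tempfile

def first_diff_line(live, clean):
    """1-based number of the first differing line, or None if the files are identical."""
    with open(live, "rb") as a, open(clean, "rb") as b:
        la, lb = a.read().split(b"\n"), b.read().split(b"\n")
    for n, (x, y) in enumerate(zip(la, lb), start=1):
        if x != y:
            return n
    return None if len(la) == len(lb) else min(len(la), len(lb)) + 1

def php_files(root, skip=()):
    """Yield .php paths relative to root, not descending into top-level dirs in skip."""
    for dirpath, dirs, names in os.walk(root):
        dirs[:] = [d for d in dirs if dirpath != root or d not in skip]
        for name in names:
            if name.endswith(".php"):
                yield os.path.relpath(os.path.join(dirpath, name), root)

def audit_core(live_root, clean_root):
    """Compare a live install with a pristine copy of the SAME WordPress version."""
    clean = set(php_files(clean_root))
    report = {"modified": {}, "missing": [], "unexpected": []}
    for rel in sorted(clean):
        live = os.path.join(live_root, rel)
        if not os.path.isfile(live):
            report["missing"].append(rel)
        elif (line := first_diff_line(live, os.path.join(clean_root, rel))) is not None:
            report["modified"][rel] = line
    # wp-content (plugins, themes, uploads) is skipped; wp-config.php will be listed.
    report["unexpected"] = sorted(set(php_files(live_root, skip=("wp-content",))) - clean)
    return report

def demo():
    """Audit two small constructed trees (sample data, not real core files)."""
    with tempfile.TemporaryDirectory() as tmp:
        def put(tree, rel, body):
            path = os.path.join(tmp, tree, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        for tree in ("clean", "live"):
            put(tree, "index.php", b"<?php\n/** Front controller */\n")
            put(tree, "wp-includes/version.php", b"<?php\n$wp_version = 'X.Y';\n")
        # Constructed tampering: a placeholder line pushed in right after "<?php"
        put("live", "index.php", b"<?php\n/* PLACEHOLDER */\n/** Front controller */\n")
        put("live", "wp-includes/extra.php", b"<?php // constructed, not a core file\n")
        return audit_core(os.path.join(tmp, "live"), os.path.join(tmp, "clean"))
```

A `modified` entry whose value is 1 or 2 matches the pattern described in this thread; `unexpected` lists PHP files in the core directories that the release does not ship.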

  • The topic ‘Core WP files keep getting modified on first line’ is closed to new replies.