proochster
Forum Replies Created
Forum: Fixing WordPress
In reply to: my blog is gone??
I had the same problem recently. After investigating it I found it was done using an injection method to gain access to the website. Injection usually uses weaknesses in badly coded themes and plugins and also badly set up file and folder permissions. You can read more about it in the blog post I mention below.
To fix the problem you can switch to another theme but this will solve the problem only temporarily – if it was done once it can be done again plus injected files are still there, waiting to be used.
In my case there was one ‘alien’ file in the root of my WordPress installation and another one within the template folder. They are pretty easy to identify, they can look like this – a.php or this 34r.php. To double check you can download the file and open it in Notepad (don’t worry it’s not going to infect anything). It should begin like this:
<? eval(gzinflate(base64_decode(
followed by a long, continuous string that doesn’t make any sense. This is a JavaScript application encoded with MIME base64. You should remove this file and any similar to it.
Now go to the theme folder (wp-content\themes\yourTemplateName) and delete your header.php. You can restore it from your latest backup or by applying the template again in the admin panel. Why do you have to do it? Your header has been modified to be a gate for uploading files directly to the server from where they can be executed (just like the files I mentioned above). You may have to check other themes for corrupted header.php files.
All these files mentioned above were injected into your blog for just one reason, to leave a signature in your index.php file. Your database and images should be intact. I found a signature in the index.php in my root folder and I replaced it with this code (this is unmodified WordPress code):
<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>
Note: Use this code only for the index file in your root folder and only if it hasn’t been modified by you previously. If you find other indexes (nested deeper in your WordPress installation) you will have to restore them from the backup files or by reapplying the template if possible.
You should also check other index files just in case, especially if you are running multiple WordPress installations.
If everything went OK your blog should be working fine now.
Finally you will have to look into securing your website from any future attacks. To do that you just need to install a few plugins which you can find here (they are not going to fix already attacked websites but will prevent any future attacks):
https://blog.mellowhost.com/how-to-protect-your-wordpress-blog-from-web-injection.html
I hope that will help someone, and please excuse any spelling mistakes (I spent the last few hours fixing my websites).
Keep your sites and yourself safe!
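
Added example, not part of the original post: a small Python scanner that walks a WordPress directory and lists every .php file containing the `eval(gzinflate(base64_decode(` opening described in the reply, so the dropped files can be found without opening each one by hand. The function names, the sample tree and its placeholder file contents are constructed for illustration.

```python
import os
import re
import tempfile

# Matches the opening shown in the post: eval(gzinflate(base64_decode(
# Whitespace between tokens is tolerated and matching is case-insensitive,
# because PHP function names are case-insensitive.
OBFUSCATED_EVAL = re.compile(
    rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.IGNORECASE
)

def scan_tree(root):
    """Return sorted paths (relative to root) of .php files with the pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if OBFUSCATED_EVAL.search(data):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample layout: two planted files, two clean ones."""
    theme = os.path.join("wp-content", "themes", "yourTemplateName")
    os.makedirs(os.path.join(root, theme))
    samples = {
        "index.php": b"<?php require('./wp-blog-header.php'); ?>",
        "a.php": b"<? eval(gzinflate(base64_decode('PLACEHOLDER')));",
        os.path.join(theme, "34r.php"):
            b"<?php EVAL ( gzinflate( base64_decode ('PLACEHOLDER')));",
        os.path.join(theme, "header.php"): b"<?php wp_head(); ?>",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in scan_tree(tmp):
            print("suspicious:", hit)
```

The scanner only matches that one pattern, so a clean result says nothing about a modified header.php or index.php; those still need to be restored as described in the post.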