All plugins suddenly deactivated because of invalid headers

Hi again,

trying to solve the issue I reinstalled the Wordfence plugin and did a scan. The plugin found that hundreds of cor files have been modified. Atz first glance they seem to have been added the following code right after the initail <?php.

Sounds familiar to anyone?

[Large chunk of obfuscated code moderated. Please do not post such code here.]

That sounds like you’ve been hacked. You need to start working your way through these resources:
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/

Anything less will probably result in the hacker walking straight back into your site again.

Additional Resources:
Hardening WordPress
https://sitecheck.sucuri.net/scanner/
https://www.unmaskparasites.com/
https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

Same thing here.
Don’t have any of the plugins you mentioned.

https://92zew.net

tried the two suggested site checkers above with no malware detected. Secuuri did note firewall not found, but everything else is green.

and we are using GoDaddy.

There is something wrong with one of the plugins you installed. Don’t use the plugin causing issues. Someone has written some poor code causing issues on your site.

Smjohnson, does that extraneous code start with $dies. ?

$diesmdtmz

Femme please start your own thread and do not hijack this one.

Wow @evan, bloody brilliant advice. “Don’t use plugin causing issues.” Except, all my plugins were up-to-date and haven’t caused this kinda thing before. Thanks though for your insightful advice.

Anyhoo, the official moderator is correct in my case.
All PHP files have at least 3 pages of ‘that’ code. ALL of them.

might be relevant to this article posted 2 days ago. All plugins they mention I’ve been using for a while. https://www.zdnet.com/wordpress-plugin-vulns-affect-over-20-million-downloads-7000031703/

Had to fix by deleting all plugins, themes and wordpress.
Then re-installed wp and theme via FTP.

Still don’t have sites anywhere near what they were. But at least the code is stripped.

Apologies to the WP Moderators for my ‘hijacking’ the topic, that appeared to be the same to me. And still does.

FemmeFM, if you’re still having trouble, please do open your own thread. There are many reason for this, here are just a few:

1. No matter how much you think your issue may be the same, it rarely is. To quote the rules:

Unless you are using the same version of WordPress on the same physical server hosted by the same hosts with the same plugins, theme & configurations as the original poster, do not post in someone else’s thread. Start your own topic.

https://codex.www.ads-software.com/Forum_Welcome#Where_To_Post

2. smjohnson has subscribed to this thread via email, and I doubt she is too thrilled with receiving the last 5 emails from you regarding your own issue, much less if they were to continue.

So, FemmeFM, please help us all to help you, and open your own thread.

smjohnson, sorry for the intrusion, please do let us know how the advice from esmi goes for you. If you would like to re-open a different thread to start fresh, we completely understand, just leave a reply here with a link to your new thread if you do.

well then, my sincerest apologies for spamming smhjohnson.
I was just trying to help and give her some ideas. Didn’t realize the two issues had so many differences.
Next time, I just won’t bother, since people are so rude to someone just trying to help.

We do appreciate you trying to help, it’s just that if you want help for your own issue, we’d appreciate it if you opened your own thread.

@femmefm: The Code on my site started with

<?php $qnedbrboae =

About 350 files were infected.
I only noticed because WP deactivated the plugins.
But the core files were infected too.
I have no idea why the site was still working.

The Wordfence plugin was infeted and deactiovated, too, by the way (free version).

An interesting observation: A few days before the accident my provider showed me a ‘red light’ indicating heavy load on the server, to the extend that the website was unreachable so to say. Could have been a brute force attack? Will try to analyse the logs to find out.

MacManX and esmi, thank you for the hints. Read some of them and am in doubt whether this is manageable for a non-IT-expert. But let’s see.

It has happened again
This time it starts with

<?php $kbcsbfmaqp = 'c%x7825

and I can no longer login.

Hi, same here.
Codes are changing chaotic at the beginning. It happened to me on Thursday, same today. I returned backups, all the latest plugins and WordPress, and the same. I use Wordfence??? No way to determine from where is malware .. when I am scanning sites external, everything it’s ok??