Malicious Files Found on Child Theme

  • My client’s hosting company did a scan and found a malicious file on the child theme:

    “functions.php: SiteLock-PHP-FILEHACKER-ann.UNOFFICIAL FOUND”

    I downloaded Wordfence and they also found:

    create_function(“”,base64_decode

    The last one was located in the ” wp-content/themes/oceanwp-child-theme-master/functions.php” file.

    Please help!

    The page I need help with: [log in to see the link]

Viewing 5 replies - 1 through 5 (of 5 total)
  • JCV

    (@psykonevro)

    You’ve been hacked, and need to clean the theme files. Both master and children. Perhaps much more.

    Hello @charique,

    We’re extremely sorry to hear about the issues you’re experiencing, but the OceanWP Child Theme does not contain any malicious files or codes. You can examine the child theme’s functions.php file directly on GitHub.

    So either you or your client have added some custom codes to it or the issue is coming from a third party plugin. In that case, I would suggest you export your Customizer settings via Theme Panel > Import/Export, switch to the Parent theme, delete the child theme, upload a new child theme, import .dat file previously exported.

    However, a good starting point would be to examine the functions.php file of your child theme and check if you have any other codes than the default codes, then remove theme. Although some alerts may be false positive, better be safe than sorry. If there aren’t any codes, then the issue is related to a plugin and the only way you can troubleshoot is by disabling all less known plugins one by one and running the scan after disabling each.

    Hope this helps and hope you’ll get the issue resolved soon

    Thread Starter charique

    (@charique)

    Thank you. I backed up her website and changed her website password to a strong password to prevent further damage.

    I then viewed the functions.php file in my client’s file manager.

    Then, I compared my client’s code to the child code on Github. On Github, I see 30 lines of code for the child theme and I see a massive glump of code before the child theme code on my client’s file manager.

    The corrupted files are in the functions.php file. To clarify, I should replace the child theme with a clean .dat file and place it in her file manager?

    • This reply was modified 4 years, 10 months ago by charique.
    • This reply was modified 4 years, 10 months ago by charique.
    Thread Starter charique

    (@charique)

    There was some modification made to the code but that was mainly to make the website password protected

    Hello @charique,

    The .dat file is to upload all Customizer settings into the new child theme.

    Please see these docs for reference:
    1. OceanWP Sample Child Theme
    2. Importing Parent Theme Settings

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Malicious Files Found on Child Theme’ is closed to new replies.