Viewing 7 replies - 1 through 7 (of 7 total)
  • To getlocal: I had the same problem… it did not show up on IE9 or Chrome. However, it did show in the code and on older browsers. I finally found it by going to our site over FTP and showing everything in order by date. Turned out the header.php had been modified. I opened the code and there was the culprit. Removed the offending code and the problem was fixed. Now I need to change my FTP password.

    You need to go through all the recommended steps in the articles above to make sure your site is totally clean and as secure as possible against repeat hacks. Simply removing the bad code is not sufficient in many cases.

    Hi there,

    I have been experiencing a similar problem as above and have read through all of the documentation provided – thank you. I, too, was getting Payday loan script above my website header and found the code to get rid of in my header.php, however, I am now experiencing another issue with it. When I go to post my website url in a Facebook post https://www.travelagentrevolution.com, I get the following summary as Payday loans: [removed – no need to post that here]
    I have found some strange code in my import_settings.php that includes the words global, base64_encode and a series of letters and numbers (info is based on the ottopress link above), however, when I contacted my theme provider, Elegant Themes, they told me the code was safe and to do a new install of the theme. I have done that but I still get the same issue. I’m pretty certain I have been hacked and the code is hidden here or in another .php file (I haven’t found anything else unusual) but I do not know what code I need to keep and what to remove. I tried removing some of it and I got a Parse Error with the theme. I am hosted by GoDaddy, not sure if this may be the issue based on some of the reading I have been doing. Here is the code from my import_settings.php, can anyone see if this is my issue and, if yes, what part do I remove?
    Thank you for your help!
    Cheri

    [Do not post hacked code here, please]

    Yes, unfortunately it sounds like your site has been hacked – and yes, it was very likely due to GoDaddy’s servers being hacked – it happened to many people. You need to go through all the links posted above. You may want to consider hiring someone if you can’t do it yourself. Sucuri (link above) is well regarded.

    Thank you for your quick reply! I do have a paid account with Sucuri but their reports say my site is fine??? I will email them again and see what is up and will need to hire someone to clean up this mess. Also, I am hosted with GoDaddy but do you recommend a better, more secure host?

    Hmm, well that’s strange and there might be another reason that’s happening. But given that so many people on GoDaddy got hacked with Payday Loans code, it seems awfully suspicious. The Sucuri scanner doesn’t pick up everything, so that may be the issue.

    Personally, yes, I would find another host :). These are the officially recommended ones: https://www.ads-software.com/hosting/

    But because of the spam they attract, per forum policy we have to close threads that get into hosting recommendations – sorry. If you need to open another thread on another topic, please feel free. Though the hacked question will likely be answered as it already has been here.

  • The topic ‘My WordPress Site Hacked With Hidden Payday Loan Code’ is closed to new replies.
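
The check described in the thread (list the site's files by modification date, then look at recently changed PHP such as header.php for base64 calls) can be scripted against a local copy of the site. This is an added example, not code from any poster or from WordPress; the marker list, function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Heuristic markers only (assumption): these calls are common in injected PHP
# but also appear in legitimate theme code, so a hit means "review this file".
SUSPICIOUS = re.compile(rb"base64_(?:de|en)code\s*\(|eval\s*\(|gzinflate\s*\(|str_rot13\s*\(")

def recent_php_changes(root, days=30, now=None):
    """Return (mtime, relative path, marker names) for PHP files changed
    within `days`, newest first, like sorting by date in an FTP client."""
    root = Path(root)
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for path in root.rglob("*.php"):
        mtime = path.stat().st_mtime
        if mtime < cutoff:
            continue
        found = SUSPICIOUS.finditer(path.read_bytes())
        markers = sorted({m.group(0).split(b"(")[0].strip().decode() for m in found})
        hits.append((mtime, str(path.relative_to(root)), markers))
    return sorted(hits, reverse=True)

def build_demo_tree(root, now):
    """Constructed sample: an old untouched file and a recently changed header.php."""
    theme = Path(root) / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    old = theme / "functions.php"
    old.write_text("<?php // untouched theme file\n")
    os.utime(old, (now - 200 * 86400, now - 200 * 86400))
    new = theme / "header.php"
    # Inert constructed content: decodes the string "hello".
    new.write_text("<?php echo base64_decode('aGVsbG8='); ?>\n")
    os.utime(new, (now - 2 * 86400, now - 2 * 86400))

if __name__ == "__main__":
    now = time.time()
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo, now)
        for mtime, rel, markers in recent_php_changes(demo, days=30, now=now):
            stamp = time.strftime("%Y-%m-%d", time.localtime(mtime))
            print(stamp, rel, ",".join(markers) or "-")
```

Modification times can be reset by whoever changed the files, so an empty result does not show the site is clean; comparing against a fresh copy of WordPress core and the theme is the stronger check.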