Problem occurred right after I install some themes

Are you using the “Frisco for buddypress” Theme… ????
If Not try to delete it from your FTP …
I hope this could work

Are you using the “Frisco for buddypress” Theme… ????
If Not try to delete it from your FTP …
I hope this could work

Hi Ishaan,

Yes I’m using the Frisco theme. I just deleted it and download, reinstall it again. Now my main site is working fine. However the users on my site, because they each use different themes, their own page are still showing those warnings… These themes are somehow ‘polluted’ with this code:

<?php
include_once ('includes/custompost.php');
?>

which is inserted at the end of the functions.php file. Meanwhile, there are some themes that aren’t polluted and I find they this functions folder in their theme folder which I assume is the reason they are not polluted..

Does anyone know what the above code mean and do I have to clean every one of my theme?

The other warning which doesn’t have to do with themes :

Warning: Cannot modify header information – headers already sent by (output started at /home/swotong/public_html/bluewhalefamily.com/wp-content/themes/frisco-for-buddypress/functions.php:270) in /home/swotong/public_html/bluewhalefamily.com/wp-includes/pluggable.php on line 866

This seems to be solved after I go to the line that cause error

header("Location: $location", true, $status);

I just change the above ‘true’ into false and this warning haven’t appeared so far…I don’t really what I’m doing though…Really appreciate it if some one can tell me what this line mean and if that’s the right way to solve the problem..

Thank you!

Does anyone know how I can search and delete that same virus code in all my themes conveniently? I have hundreds of themes in my site so it will take me a long time to delete that code one by one….

<?php
include_once ('includes/custompost.php');
?>

Hundreds of themes? Whoa.

It really is better to replace the whole works from the sources then hunt and edit, even with a script. Especially when you consider that you’ll be extracting only the code you know about and not the other code hiding there too.

I mean, if you are going to try to script that then you can script deleting the suspect theme, downloading a clean copy, and extract it into the correct location.

Even that wouldn’t close the door the attacker came in via.

You need to start working your way through these resources:
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:
https://sitecheck.sucuri.net/scanner/
https://www.unmaskparasites.com/
https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
Hardening WordPress
https://www.studiopress.com/tips/wordpress-site-security.htm

Thank you Jan! I’ll reinstall these themes…and be more careful with the themes in the future for sure.

I’m really worried when you said it might be hacked…I downloaded those three themes(iphoto/photum/graphictheme) from this website https://devstand.com/design/pinterest-wordpress-themes/ Is that a suspicious website?

I personally feel it’s more like a incompatible issue (maybe only occurs when it comes to wordpress MU or buddypress)rather than a malicious attack because pinterest style theme seem to have some special feature for example showing more images when you drag down to the bottom of the page etc. but you are right…it shouldn’t touch the functions.php file of other themes…Anyway I don’t have any experience in dealing with hackers at all so maybe I’m just trying to comfort myself I’m not hacked…

I’m not familiar with that site or their themes but the one I downloaded and looked at briefly looked alright to me.

That’s not a deep dive or anything, just a 2 minute look-see. ??

it shouldn’t touch the functions.php file of other themes

That’s reason I think you may want to consider if you are hacked or not. A theme or plugin shouldn’t go around modifying other people’s code, especially without asking. That’s a pretty good description of a hack.

I forgot to finish this thread…
Conclusion:
The problem comes from ‘photum’ it inserts that line of script to all my themes at the end of functions.php . No other harms. Once I take away that script in all my themes, they work fine.

It’s probably because I’m using multisites because others seem don’t have this problem.

Btw Iphoto is a really cool theme but it’s not compatible with WordPress mu either according to my experiments, it doesn’t insert codes to other themes though ??

FYI
I’m running a single WP site and same happened with me when trying some pinterest alike themes.

Glad to pinpoint the bugger

Thanks for your shares

I had the exact same problem with photum under a multisite environment. I thought I was hacked. Obviously, not.

I’m deleting that theme. Ridiculous.

glad it helps~

I can confirm, I had the exact same problem with the Photum theme…