Title: Activating Plugins enables malicious code….
Last modified: August 19, 2016

---

# Activating Plugins enables malicious code….

 *  [tazatek](https://wordpress.org/support/users/tazatek/)
 * (@tazatek)
 * [16 years, 3 months ago](https://wordpress.org/support/topic/activating-plugins-enables-malicious-code/)
 * I’ve had a client contact me about a site that has been compromised…
 * I currently have all plugins de-activated, and the bad code doesn’t present itself,
   but upon activating a plugin (any plugin, even trusted ones) it is enabling some
   malicious code to be called via the wp_footer() call….
 * I’ve re-uploaded 2.9.1 to overwrite any system files, but did nothing to help.
 * I’ve searched for such strings as “document.write”, “base64” and “decode” without
   success in identifying where the malicious code is entering the stream.
 * When I first got the site back up, my AV alarms went off alerting me to the problem
   before I could even see it.
 * Any thoughts on where else I need to look for this?
 * The database is next for me to grep through, but thought I’d get some more opinions
   first…
 * Thanks
 * Matt

Viewing 4 replies - 1 through 4 (of 4 total)

 *  [@mercime](https://wordpress.org/support/users/mercime/)
 * (@mercime)
 * [16 years, 3 months ago](https://wordpress.org/support/topic/activating-plugins-enables-malicious-code/#post-1384809)
 * Back up database, server files and folders, then export XML from site
 * Then read the following
   [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   [http://ocaoimh.ie/did-your-wordpress-site-get-hacked/](http://ocaoimh.ie/did-your-wordpress-site-get-hacked/)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
 * When you’ve got it fixed
   [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)
 *  Thread Starter [tazatek](https://wordpress.org/support/users/tazatek/)
 * (@tazatek)
 * [16 years, 3 months ago](https://wordpress.org/support/topic/activating-plugins-enables-malicious-code/#post-1384923)
 * Indeed, I’d tried all those things (except to export XML and restart from scratch)
 * I’m really wanting to identify WHERE the problem is… DB/Files have all been sorted
   through, and I’m not identifying any iframe/base64/etc anywhere.
 * I only know that when I activate a plugin (any of them) the malicious code shows
   up.
 * I’ll be exporting and restarting from scratch, but I’d still like to know where
   I could be looking for suspect code.
 * Thanks
 * Matt
 *  [@mercime](https://wordpress.org/support/users/mercime/)
 * (@mercime)
 * [16 years, 3 months ago](https://wordpress.org/support/topic/activating-plugins-enables-malicious-code/#post-1385031)
 * If you already went through all the ways to resolve the hack per all links I
   gave you, I would go for exporting XML and starting from scratch.
 * To make sure that you’ve got a clean export, open up the XML file and
   double-check that there are no `<script>` tags within the XML; there should be
   none. Then might I suggest, create a free WordPress.com account and import the
   clean XML while checking “Include Media Attachment” during the process, which
   could take more than one import if the file is large. That way, only clean
   image/media files are imported, and you can delete the whole wp-content folder
   which might contain images with backdoor scripts.
 * Export XML from WordPress.com and import to new install and include media attachments.
   Download/install plugins from repository. When all’s working well, delete the
   WordPress.com free account to avoid duplication of content.
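
The export check described in the reply above, as an added example that is not part of the thread or of WordPress itself: it parses a WXR export and reports every item whose post body, excerpt, comments or meta values contain an opening `<script>` or `<iframe>` tag, including entity-encoded ones. The function names and the sample export are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Opening tags worth flagging in exported data; the thread names <script> and iframes.
SUSPECT = re.compile(r"<\s*(script|iframe)\b", re.IGNORECASE)

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def scan_wxr(xml_text):
    """Return (item title, element name, matched tag) for each suspicious text node."""
    findings = []
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        title = item.findtext("title", default="(untitled)")
        # Walk every descendant so post bodies, excerpts, comments and
        # postmeta values are covered, whatever namespace they live in.
        # The parser has already unwrapped CDATA and decoded &lt; / &gt;.
        for el in item.iter():
            for m in SUSPECT.finditer(el.text or ""):
                findings.append((title, local(el.tag), m.group(1).lower()))
    return findings

# Constructed sample export (not from the thread): one clean post, and one
# with a script in the body plus an entity-encoded iframe in a comment.
SAMPLE_WXR = """<rss version="2.0"
  xmlns:content="http://purl.org/rss/1.0/modules/content/"
  xmlns:wp="http://wordpress.org/export/1.0/">
<channel>
  <item>
    <title>Hello world</title>
    <content:encoded><![CDATA[<p>Welcome to the site.</p>]]></content:encoded>
  </item>
  <item>
    <title>About us</title>
    <content:encoded><![CDATA[<p>Text</p><SCRIPT src="//example.invalid/x.js"></SCRIPT>]]></content:encoded>
    <wp:comment>
      <wp:comment_content>nice &lt;iframe src="//example.invalid/"&gt;&lt;/iframe&gt;</wp:comment_content>
    </wp:comment>
  </item>
</channel>
</rss>"""

if __name__ == "__main__":
    for title, field, tag in scan_wxr(SAMPLE_WXR):
        print(f"{title!r}: <{tag}> found in <{field}>")
```

An empty result only says the exported content is free of these two tags; it says nothing about PHP files, theme files or database options left on the old install.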
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [16 years, 3 months ago](https://wordpress.org/support/topic/activating-plugins-enables-malicious-code/#post-1385075)
 * Have a look at [http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/](http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/)

The topic ‘Activating Plugins enables malicious code….’ is closed to new replies.

## Tags

 * [hacked](https://wordpress.org/support/topic-tag/hacked/)
 * [malicious](https://wordpress.org/support/topic-tag/malicious/)

 * 4 replies
 * 3 participants
 * Last reply from: [esmi](https://wordpress.org/support/users/esmi/)
 * Last activity: [16 years, 3 months ago](https://wordpress.org/support/topic/activating-plugins-enables-malicious-code/#post-1385075)
 * Status: not resolved

