Title: Attack
Last modified: March 4, 2017

---

# Attack

 *  Resolved [Rik0399](https://wordpress.org/support/users/rik0399/)
 * (@rik0399)
 * [9 years, 3 months ago](https://wordpress.org/support/topic/attack-2/)
 * All my sites are down…
 * This is what WF generated …
 * Alert generated at Friday 3rd of March 2017 at 05:19:27 PM
    Critical Problems:
 * * File appears to be malicious: wp-content/themes/theme1/functions.php
 * * File appears to be malicious: wp-content/theme1/variant-landing-page/functions.php
 * Database not connecting, sites not loading
 * Any ideas please?

Viewing 9 replies - 1 through 9 (of 9 total)

 *  Thread Starter [Rik0399](https://wordpress.org/support/users/rik0399/)
 * (@rik0399)
 * [9 years, 3 months ago](https://wordpress.org/support/topic/attack-2/#post-8872898)
 * Further to my last, here is what WF is reporting :
 * File appears to be malicious: wp-content/themes/accesspress-store/functions.php
 * Filename: wp-content/themes/accesspress-store/functions.php
   File type: Not a core, theme or plugin file.
   Issue first detected: 1 min ago.
   Severity: Critical
   Status New
 * This file appears to be installed by a hacker to perform malicious activity.
   If you know about this file you can choose to ignore it to exclude it from
   future scans. The text we found in this file that matches a known malicious
   file is: "`<?php\x0a\x0aif (isset($_REQUEST['action']) && isset($_REQUEST['password'])&&($_REQUEST['password'] == '9567573b5a1ccfe552821463c81e6437'))\x0a\x09{\x0a\x09\x09switch ($_REQUEST['action'])\x0a\x09\x09\x09{\x0a\x09\x09\x09\x09case 'get_all_links'`".
   The infection type is: Backdoor:PHP/get_all_links.
 *  Thread Starter [Rik0399](https://wordpress.org/support/users/rik0399/)
 * (@rik0399)
 * [9 years, 3 months ago](https://wordpress.org/support/topic/attack-2/#post-8872902)
 * So should I replace/restore ‘functions.php’ with the original file?
 * Thanks
 *  [luhas-wp](https://wordpress.org/support/users/sahulap/)
 * (@sahulap)
 * [9 years, 3 months ago](https://wordpress.org/support/topic/attack-2/#post-8878520)
 * The same here. All sites infected. Please help! Thanks.
 *  Thread Starter [Rik0399](https://wordpress.org/support/users/rik0399/)
 * (@rik0399)
 * [9 years, 3 months ago](https://wordpress.org/support/topic/attack-2/#post-8879811)
 * [@sahulap](https://wordpress.org/support/users/sahulap/)
 * It seems that the theme was hacked and a malicious file uploaded,
 * This is what I did to resolve the matter :
 * (This is really easy to do, simply follow the steps)
 * 1) Made sure I had a backup,
 * 2) DO NOT DELETE DATABASE
 * 3) Deleted/Backed up plugins and uploads dir,
 * 4) Deleted WP and did a fresh install – DO THIS FROM YOUR CPANEL and NOT ftp!
 * 5) Uploaded the original theme,
 * Then …
 * 1) Changed the database details in ‘config.php’ to reflect the database, replacing
   the new WP database details that it created when I did a new install.
 * 2) Install WF but then check the options and check ‘remove tables’ then ‘deactivate’
   it so it removes ‘existing’ wf tables. Then, reactivate it to create ‘new’ tables.
 * 3) Now, I discovered a clever function in WF – in options, look for ‘Disable 
   Code Execution for Uploads directory’ at the button and ‘check’ it. This is where
   I believe the malicious code was added.
 * By checking ‘Disable Code Execution for Uploads directory’ this will stop any
   code from being executed.
 * 4) Put the uploads dir back in replacing new one,
 * 5) Uploaded the plugins dir then one by one, activate and check that it’s ok and
   do this for the rest.
 * 6) When you setup WF, make sure you also setup the ‘firewall’ correctly although
   at the time of writing, it’s a bugger to get this to work right with .htaccess
   file.
 * 7) Run a WF ‘complete’ scan
 * Done!
 * Worked for me!
 * HTH
    -  This reply was modified 9 years, 3 months ago by [Rik0399](https://wordpress.org/support/users/rik0399/).
 *  [barnez](https://wordpress.org/support/users/pidengmor/)
 * (@pidengmor)
 * [9 years, 3 months ago](https://wordpress.org/support/topic/attack-2/#post-8881102)
 * I would add to that list:
 * – scan your local machine for malware
 * – check and remove any unknown administrator level users in the WordPress
   dashboard >> Users and/or in the database
 * – change *all* passwords (WordPress dashboard/cPanel/[MYSQL database](https://wordpress.org/support/topic/changing-mysql-database-password?replies=7))
   for unique strong versions (15-20 characters) that include special characters
   such as: **(\*&^%£:@_+**
 * – [change your salt keys](http://www.wpbeginner.com/beginners-guide/what-why-and-hows-of-wordpress-security-keys/)
   in your `wp-config.php` file to log out all existing users
 *  Thread Starter [Rik0399](https://wordpress.org/support/users/rik0399/)
 * (@rik0399)
 * [9 years, 3 months ago](https://wordpress.org/support/topic/attack-2/#post-8881217)
 * @barnez
 * Agreed 😉
 *  [wfalaa](https://wordpress.org/support/users/wfalaa/)
 * (@wfalaa)
 * [9 years, 3 months ago](https://wordpress.org/support/topic/attack-2/#post-8882041)
 * Hi [@rik0399](https://wordpress.org/support/users/rik0399/)
 * Glad to hear that you managed to clean your website from this infection. I just
   want to let you know that we had a guide regarding “[How to Clean a Hacked WordPress Site using Wordfence](https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/)”
   which is too close to what you have done here. Also, it’s worth taking a look
   at “[How to Harden Your WordPress Site From Attacks](https://www.wordfence.com/learn/how-to-harden-wordpress-sites/)”
   for some great tips that could prevent this attack from happening again; some
   of these tips were already mentioned by [@pidengmor](https://wordpress.org/support/users/pidengmor/)
   “thanks!”.
 * Thanks.
 *  [luhas-wp](https://wordpress.org/support/users/sahulap/)
 * (@sahulap)
 * [9 years, 3 months ago](https://wordpress.org/support/topic/attack-2/#post-8884868)
 * Thank you very much for your help.
 *  [Deetech](https://wordpress.org/support/users/tech-tic/)
 * (@tech-tic)
 * [9 years, 1 month ago](https://wordpress.org/support/topic/attack-2/#post-9074054)
 * Same issue. I compared it to a normal functions.php file and you can see the code
   on top of the suspicious file is actually not supposed to be there.
 * I also deleted wp-cd.php files (as GoDaddy rightly pointed out) and removed the top
   one php line in post.php (also flagged by wp)
 * What I could not figure out yet is what caused the breach?
 * All the functions.php files in one hosting account were affected, including the
   non-active themes. I’ve fixed it for now but want to secure it for the future.
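
An added example (not code from this thread or from Wordfence): a small Python scanner that checks every theme's `functions.php`, inactive and nested ones included, for the guard quoted in the Wordfence report above, and flags any PHP file under `uploads`. The regexes, function names, reason labels and the sample tree with its all-zero password value are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Signature rebuilt from the matched text Wordfence reported in this thread.
REQ = r"\$_REQUEST\[\s*['\"]%s['\"]\s*\]"
GUARD = re.compile(
    r"isset\(\s*" + REQ % "action" + r"\s*\)\s*&&\s*isset\(\s*" + REQ % "password"
    + r"\s*\)\s*&&\s*\(\s*" + REQ % "password" + r"\s*==\s*['\"][0-9a-f]{32}['\"]")
MARKER = re.compile(r"case\s+['\"]get_all_links['\"]")


def scan_wp_content(wp_content):
    """Return (relative_path, reason) findings under a wp-content directory."""
    root, findings = Path(wp_content), []
    # Read every functions.php under themes/: active or inactive theme, nested or not.
    for php in sorted((root / "themes").rglob("functions.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        if GUARD.search(text) and MARKER.search(text):
            findings.append((php.relative_to(root).as_posix(), "backdoor-signature"))
    # Report any PHP file under uploads/ for manual review.
    for php in sorted((root / "uploads").rglob("*.php")):
        findings.append((php.relative_to(root).as_posix(), "php-in-uploads"))
    return findings


def build_sample_tree(base):
    """Write a constructed wp-content tree of inert sample files; return its path."""
    infected = (
        "<?php\n\nif (isset($_REQUEST['action']) && isset($_REQUEST['password'])"
        "&&($_REQUEST['password'] == '" + "0" * 32 + "'))\n\t{\n\t\tswitch ($_REQUEST['action'])\n"
        "\t\t\t{\n\t\t\t\tcase 'get_all_links':\n\t\t\t\t\tbreak;\n\t\t\t}\n\t}\n"
    )
    files = {
        "themes/clean-theme/functions.php": "<?php\nadd_action('init', 'clean_setup');\n",
        "themes/theme1/functions.php": infected + "add_action('init', 'theme1_setup');\n",
        "themes/theme1/variant-landing-page/functions.php": infected,
        "uploads/2017/03/cache.php": "<?php // constructed stray file\n",
    }
    root = Path(base) / "wp-content"
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*scan_wp_content(build_sample_tree(tmp)), sep="\n")
```

A hit means the file should be compared against the theme's original copy; a clean result only means this one signature was not found.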


The topic ‘Attack’ is closed to new replies.

 * 9 replies
 * 5 participants
 * Last reply from: [Deetech](https://wordpress.org/support/users/tech-tic/)
 * Last activity: [9 years, 1 month ago](https://wordpress.org/support/topic/attack-2/#post-9074054)
 * Status: resolved