Title: suspect malware Strange code in wp-config.php Last modified: August 30, 2016 --- # suspect malware Strange code in wp-config.php * Resolved [AdrianoAgri](https://wordpress.org/support/users/adrianoagri/) * (@adrianoagri) * [10 years, 10 months ago](https://wordpress.org/support/topic/suspect-malware-strange-code-in-wp-configphp/) * Hi, from a bit of time i have experiencing some changing in my blog styles view. To improve page speed i have installed a total cache plugin, but after a few days problem initiates, styling in admin dashboard and styling in login page and difficulties in styling frontend pages and post. others told me to disable caching css and js, so i have removed the cache plugin, but still remain the problem. So I start investigating my files, and i have found something very strange. I think it could be some kind of infection but i am not really sure. I have installed wordfence and now is running scan, waiting ending of process but no malware found( it says secure). but i have strange things in htacces file and in wp-config file. the htaccess is empty (only begin and end), no mod_rewrite.c section or else. The wp-config have to the beginning a strange piece of php functions set. i havem’t seen before in the other blog i have, so this is why i think it could be an infection. Today, i have tryied to access from my mobile and a redirection runs loading a strange page saying me that my android have a virus. these are the page i registered in my cronologies wonderlandads.com, mobile.bitterstrawberry.org,android.security- center.com that indicate that my smartphone was infected. (i have installed avira a scanned but no treats found) * I have tryied to replicate that thing but nothing happens, no visive modification to my blog or else. wordfence is still scanning my blog is very big. But for that function in the wp-config could you give me some advice? i have to delete? or not. * thanks * [https://wordpress.org/plugins/wordfence/](https://wordpress.org/plugins/wordfence/) Viewing 4 replies - 1 through 4 (of 4 total) * Plugin Author [WFMattR](https://wordpress.org/support/users/wfmattr/) * (@wfmattr) * [10 years, 10 months ago](https://wordpress.org/support/topic/suspect-malware-strange-code-in-wp-configphp/#post-6375443) * If there is a function in your wp-config, that is definitely unusual — some hosting companies might put something in it. I would make a copy of the wp-config.php file as it is (download it so you have an original version in case of mistakes), and then delete the function. * There is a good guide to cleaning hacked sites here: [http://docs.wordfence.com/en/My_site_was_hacked._How_do_I_use_Wordfence_to_clean_it%3F](http://docs.wordfence.com/en/My_site_was_hacked._How_do_I_use_Wordfence_to_clean_it%3F) * If wp-config.php and are not caught in the Wordfence scan, can you send samples to samples [at] wordfence.com along with a link to this post? In the copy of the file that you send to us, you can delete the database username/password and salts. (Again, make sure to keep a copy of the original though.) * Thread Starter [AdrianoAgri](https://wordpress.org/support/users/adrianoagri/) * (@adrianoagri) * [10 years, 10 months ago](https://wordpress.org/support/topic/suspect-malware-strange-code-in-wp-configphp/#post-6375457) * HI WFMattR.. * after a while yesterday wordfence scan ends.. and yed wp-config was signed as malicius, but i have more file signed like txt file in which there is little variation respect the originals (eg. version of product) * now i proceed to clean the php section with functions and i send a copy of that function to samplesATwordfence.com * and then wait to see what happens.. thanks for help.. if i have more news (cause i know knews are right over the corner) i ask you again. * regards. * Plugin Author [WFMattR](https://wordpress.org/support/users/wfmattr/) * (@wfmattr) * [10 years, 10 months ago](https://wordpress.org/support/topic/suspect-malware-strange-code-in-wp-configphp/#post-6375491) * Thanks for the update. * The .txt files that only have a change in the version number are usually caused by the plugin’s author updating their files without an official release on wordpress. org — it’s ok to let Wordfence replace those with the current version as well. * Thread Starter [AdrianoAgri](https://wordpress.org/support/users/adrianoagri/) * (@adrianoagri) * [10 years, 10 months ago](https://wordpress.org/support/topic/suspect-malware-strange-code-in-wp-configphp/#post-6375595) * Ok i have removed that code, and everythings returns normal… i have tested few days… and just 8 hour after i delete that code a strange problem with the database connection of my blog happens… now i have to ask to support of the provider if it was normal. or if there was an attack… * so thanks for your help and hint… and if support gave me some response i will post here for followers… * thanks WFMattR… Viewing 4 replies - 1 through 4 (of 4 total) The topic ‘suspect malware Strange code in wp-config.php’ is closed to new replies. * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865) * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/) * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq) * [Support Threads](https://wordpress.org/support/plugin/wordfence/) * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/) ## Tags * [infection](https://wordpress.org/support/topic-tag/infection/) * [wp-config.php](https://wordpress.org/support/topic-tag/wp-config-php/) * 4 replies * 2 participants * Last reply from: [AdrianoAgri](https://wordpress.org/support/users/adrianoagri/) * Last activity: [10 years, 10 months ago](https://wordpress.org/support/topic/suspect-malware-strange-code-in-wp-configphp/#post-6375595) * Status: resolved