Title: Suspicious code in header.php
Last modified: September 1, 2016

---

# Suspicious code in header.php

 *  [madjenja](https://wordpress.org/support/users/madjenja/)
 * (@madjenja)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/suspicious-code-in-headerphp/)
 * Site had been hacked about two months ago. Upgraded to Premium Plan with VaultPress
   as part of remediation and things seem all good.
 * Digging in themes/Portafolio/header.php and found what looks to be cookie-tracking
   code.
 * Can anyone verify that the following code is not supposed to be there? Have put
   it in comments and nothing broke but want to be sure…
 *     ```
       [moderated - don't post hacking code]
       ```
   

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Thread Starter [madjenja](https://wordpress.org/support/users/madjenja/)
 * (@madjenja)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/suspicious-code-in-headerphp/#post-7616866)
 * Specifically, the following snippet is what tipped me off:
 *     ```
       http://22degrees.co.nz/wp/wp-content/themes/lightweight/main.php";echo "\n";echo
       "http://alf-mutschelbach.de/wp-content/themes/lightweight/track.php";echo "\n";echo
       "http://newsweetpix.com/assets/track.php";echo "\n";echo
       "http://fugitif.eu/wp-content/themes/lightweight/atom-conf.php";echo "\n";echo
       "http://morrow-technologies.com/wp-content/themes/lightweight/inc.php
       ```
   
 *  [kmessinger](https://wordpress.org/support/users/kmessinger/)
 * (@kmessinger)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/suspicious-code-in-headerphp/#post-7616871)
 * Run your site through this,
    [https://sitecheck.sucuri.net//](https://sitecheck.sucuri.net//)
 *  Thread Starter [madjenja](https://wordpress.org/support/users/madjenja/)
 * (@madjenja)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/suspicious-code-in-headerphp/#post-7616879)
 * Thanks kmessinger I have used that scan in the past but it didn’t pick up everything.
   VaultPress did pick up more, but again it didn’t catch all the injected code.
 * Apparently its hard to detect some injected code…

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Suspicious code in header.php’ is closed to new replies.

## Tags

 * [cookie](https://wordpress.org/support/topic-tag/cookie/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 3 replies
 * 2 participants
 * Last reply from: [madjenja](https://wordpress.org/support/users/madjenja/)
 * Last activity: [9 years, 10 months ago](https://wordpress.org/support/topic/suspicious-code-in-headerphp/#post-7616879)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics