Title: wordpress exploit inserts <script> code?
Last modified: August 19, 2016

---

# wordpress exploit inserts <script> code?

 *  [mvettas](https://wordpress.org/support/users/mvettas/)
 * (@mvettas)
 * [17 years, 8 months ago](https://wordpress.org/support/topic/wordpress-exploit-inserts-ltscriptgt-code/)
 * anyone aware of this? since i have installed wordpress on my server we have been
   attacked by what seems to be an exploit somewhere, code is being inserted into
   evey .html or .php page which either redirects to a site with a virus or simply
   renders the age useless giving visitors anti virus software warnings, i am not
   100% sue if it is due to wordpress but it seems to have only started after installation,
   i have just upgraded to the most recent wp so i am hoping this fixes it.
 * Any help or advise would be great
 * cheers
    michael

Viewing 13 replies - 1 through 13 (of 13 total)

 *  [macsoft3](https://wordpress.org/support/users/macsoft3/)
 * (@macsoft3)
 * [17 years, 8 months ago](https://wordpress.org/support/topic/wordpress-exploit-inserts-ltscriptgt-code/#post-882429)
 * It’s no offense, but such exploitation takes place at hundreds of mismanaged 
   WP websites that I have seen here and there. A list of preventive measures is
   long. So I won’t mention them.
 * Good luck
 * T. Blue
 *  [Clayton James](https://wordpress.org/support/users/claytonjames/)
 * (@claytonjames)
 * [17 years, 8 months ago](https://wordpress.org/support/topic/wordpress-exploit-inserts-ltscriptgt-code/#post-882436)
 * > A list of preventive measures is long. So I won’t mention them.
 * …of course not. No sense in doing that while responding to a request for help
   in a **_HELP FORUM!_ **
 * [@mvettas](https://wordpress.org/support/users/mvettas/),
 * Such exploitation actually takes place at hundreds of mismanaged sites _and servers_**
   regardless** of the Blogging/CMS platform being used. Updating your software 
   is crucial to staying proactive in mitigating any threat, but updating after 
   a successful breach rarely ever corrects the problem. If you search the forums
   using the keyword “hacked”, it will reveal a virtual road map of links, questions,
   answers, and insight from many individuals who have had to deal with the same
   effects of an intrusion as you are facing now. Review logs, check file and folder
   permissions, inspect databases for admin users you know should not exist, check
   directories for content that does not belong, verify the integrity of your ftp
   account information, and contact your host if you truly suspect that it is not
   WordPress related. That being said;
 * > i have just upgraded to the most recent wp so i am hoping this fixes it.
 * That suggests that you may have fallen behind in your diligence to keep WordPress
   updated, which suggests that perhaps you fell victim to a vulnerability in a 
   prior version. Spend some time using that knowledge in your search queries. I
   would bet that something you find may ring a bell of similarity with your current
   situation. Best of luck tracking it down.
 * Cj.
 *  [UseShots](https://wordpress.org/support/users/useshots/)
 * (@useshots)
 * [17 years, 7 months ago](https://wordpress.org/support/topic/wordpress-exploit-inserts-ltscriptgt-code/#post-882492)
 * In addition to the above suggestions…
 * Check your own computer for viruses and spyware (trojans can steal your passwords).
 * Check your .htaccess file. Sometimes those fake “anti viruses” add conditional
   redirects.
 * Try some exploit scanner like [WP Security Scan](http://wordpress.org/extend/plugins/wp-security-scan/)
   or [WordPress Exploit Scanner](http://ocaoimh.ie/exploit-scanner/).
 * –
    [Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress)
 *  [poshcoffee](https://wordpress.org/support/users/poshcoffee/)
 * (@poshcoffee)
 * [17 years, 7 months ago](https://wordpress.org/support/topic/wordpress-exploit-inserts-ltscriptgt-code/#post-882530)
 * I’ve experienced much the same problem. I’ve contacted the host Midphase, and
   they seem about as excited about looking into this as they might be about going
   for a long walk in the Mojave desert in July.
 * I’ll download those security scans though and see if I can get to the bottom 
   of this.
 * > > A list of preventive measures is long. So I won’t mention them.
   > …of course not. No sense in doing that while responding to a request for help
   > in a HELP FORUM!
 * That made me laugh.
 *  [mikey1](https://wordpress.org/support/users/mikey1/)
 * (@mikey1)
 * [17 years, 7 months ago](https://wordpress.org/support/topic/wordpress-exploit-inserts-ltscriptgt-code/#post-882532)
 * I really do agree with Clayton.
 * > but updating after a successful breach rarely ever corrects the problem.
 * Once a site has been breachedd, upgrading can simply carry the problem with you.
   
   The biggest clue, is
 * > i have just upgraded to the most recent wp so i am hoping this fixes it.
 * [@mvettas](https://wordpress.org/support/users/mvettas/) I hope you manage to
   resolve it.
    Mike.
 * PS. If your users are getting anti virus warnings, it sounds like.
    advanced 
   xp defender. [http://wordpress.org/support/topic/182061?replies=30](http://wordpress.org/support/topic/182061?replies=30)
 *  [poshcoffee](https://wordpress.org/support/users/poshcoffee/)
 * (@poshcoffee)
 * [17 years, 7 months ago](https://wordpress.org/support/topic/wordpress-exploit-inserts-ltscriptgt-code/#post-882533)
 * So the answer then is to abandon the blog and domain entirely? Oh my word! 🙁
 *  [mikey1](https://wordpress.org/support/users/mikey1/)
 * (@mikey1)
 * [17 years, 7 months ago](https://wordpress.org/support/topic/wordpress-exploit-inserts-ltscriptgt-code/#post-882534)
 * Absolutely not !!
    If a blog has been exploited, it has to be fixed. In my experience
   a hosting company will never do this for you.
 *  [Clayton James](https://wordpress.org/support/users/claytonjames/)
 * (@claytonjames)
 * [17 years, 7 months ago](https://wordpress.org/support/topic/wordpress-exploit-inserts-ltscriptgt-code/#post-882535)
 * Is the site in this thread the one in question?
 * [http://wordpress.org/support/topic/213426?replies=1](http://wordpress.org/support/topic/213426?replies=1)
 * _I deleted wordpress
    I deleted her database and mysql user. I reinstalled wordpress
   using their one touch control panel, then reinstalled the theme (Dilectio) then
   the three or 4 plugins, then I manually reposted the 4 posts she had written.
 * That takes a lot of possibilities out of the equation. The only things I did 
   notice (this one completely unrelated) is that the dilectio theme is double nested.(
   for future reference). What did you think of that antileech.php plugin? I don’t
   know what version hers is, but I found a copy to download just to take a look
   inside. I did find some Base 64 encoding in it. I don’t know how those things
   work, but when I attempted to decode it, I got a binary file warning. Take that
   with a grain of salt, because I really can’t say if it serves a legitimate function
   or not, but the general community feeling on code obfuscation is not a good one.
   It might be worth looking into… and I am of course assuming that I downloaded
   the same plugin.. so, another grain of salt there. It might be worth a look. 
   Take a look in that error log in the plugins folder and see what that’s about
   as well. Then check access logs for unwanted activity. (no doubt there’s a lot
   of hits from me poking around for the last half hour or so, ignore me… I’ll go
   away).
 * Your friends version of WordPress still seems to be 2.6.1, so you may want to
   consider that as well. There were a couple of changes intended to mitigate sql
   vulnerabilities in the 2.6.2 upgrade, so is it possible that could be a factor?
   Who can say. There really isn’t a lot of content yet, so that’s actually a plus.
 * If it were me? …Wipe it clean again. ALL folders and files… check for hidden 
   ones as well with an ftp client. Save the posts again, reinstall clean with NO
   plugins other than akismet to start with, and watch to see what happens. Make
   sure your file and folder permissions are correct, and check your .htaccess permissions
   as well.
 * Best of luck to you.
 *  [poshcoffee](https://wordpress.org/support/users/poshcoffee/)
 * (@poshcoffee)
 * [17 years, 7 months ago](https://wordpress.org/support/topic/wordpress-exploit-inserts-ltscriptgt-code/#post-882537)
 * Hi Clayton,
 * Yes you assume correctly about Rachel’s as yet not very used blog.
 * Just to let you know, the malicious code is also on the default theme too, and
   I just noticed it in the html of the webalizer pages! Midphase promise they will
   look into this and, as I reverted to their one button instalation of wordpress
   which you rightly point out is only very 2.6.1, they will also be doing a system
   wide update of wordpress too.
 * My problem is that speaking to their tech support is painful as they seem unable
   to grasp what is going on. I’m having conversations that go something like this..
   
   MP “So you installed a script and it has a virus?” Me “No, no. There is a script
   at the footer of the HTML which appears to be malicious.” MP. Oh, ok I see now.”
   Me. “Great, so what do you suppose I can do about this?” MP. “Well sir, if you
   don’t want it you could try uninstalling it.”
 * When I deleted everything, I used FTP and I blanked the whole lot. I then ran
   their 1 button install which reinstalled everything from new. My guess at this
   stage is that this is something at there end.
 * In the meantime, it’s a long shot, but I poinsed the code that has been added
   maliciously to the site. I changed the call from ‘function’ to ‘funtoin’. That’s
   probably a waste of time, but I wondered if maybe this was being added manually
   and if so then a glance at that probably wouldn’t catch the typo. – Yeah I know,
   silly idea.
 * If Midphase don’t get on top of this before the weekend I will tell them we’re
   moving to a new host.
 *  [brew13](https://wordpress.org/support/users/brew13/)
 * (@brew13)
 * [17 years, 7 months ago](https://wordpress.org/support/topic/wordpress-exploit-inserts-ltscriptgt-code/#post-882543)
 * [@posh](https://wordpress.org/support/users/posh/) – It’s not good etiquette 
   to post links to websites that are known to be transmitting viruses to other 
   computers.
 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [17 years, 7 months ago](https://wordpress.org/support/topic/wordpress-exploit-inserts-ltscriptgt-code/#post-882545)
 * This shows you why it is important to keep backups of a site. So that if it gets
   hacked, you can go through them and restore to one before the hack.
 * And here’s the thing: A host is not really responsible for the content of your
   site. If you got hacked, then you need to fix it. They can’t fix it, because 
   they’re responsible for running the site. All the host is obliged to do is to
   check their logs and security and see if they can work out how the intruder got
   in.
 * This is another reason I hate one-click WordPress installs, BTW. People using
   these never understand how their site actually works, how FTP works, how WordPress
   works… Then they get hacked or something, and you tell them to fix it (when they
   are the ones that have to do so, because it’s actually their responsibility) 
   and that usually results in a blank stare. They have no idea what they are doing.
   They don’t know how their own website works. See, you have to actually _learn
   things_ to be a webmaster and run your own web site. This is not a plug-and-play
   operation, and it’s not like installing a piece of software on your home computer.
   This is not elitist or anything, it’s simply one of those facts of life deals.
 * The short version of restoring your site after a hack, if you didn’t make backups:
   
   1. Change all the passwords to the account itself. 2. Make a backup copy of everything
   on the site and everything in the database. Keep them. 3. Export a copy of the
   posts/comments/etc using WordPress’ Export feature. This is a relatively safe
   export, without malicious content in it. Usually. This is not a backup, it’s 
   a simple export. Pieces are missing from this, but it’s enough to get you up 
   and going again with a fresh install. 4. Erase the site completely. Do it manually.
   Database too. 5. Upload a new fresh copy of WordPress to the site. 6. Restore
   your export to the new WordPress by doing an Import. 7. Find the stuff that is
   missing (theme, etc) and restore those as well. Since you still have a complete
   backup of the site (step 2), then you have not lost anything, and can go through
   those files to find the hard-to-replace pieces. 8. After your site is working
   again, BACK IT UP THIS TIME. And do so every week or two.
 *  [poshcoffee](https://wordpress.org/support/users/poshcoffee/)
 * (@poshcoffee)
 * [17 years, 7 months ago](https://wordpress.org/support/topic/wordpress-exploit-inserts-ltscriptgt-code/#post-882567)
 * @ brew13 – I don’t believe I actually linked to the blog that was affected. However,
   if I did then you’re indeed right, that was wrong and I unreservedly apologize.
 * It would seem that midphase have now fixed the problem. From what I can figure
   out from the limited information they have given me, they were hacked by someone
   who got hold of their list of ftp usernames and passwords.
 * That seems a little worrying to me, but maybe it can happen. Either way Rachel’s
   blog seems okay now.
 *  [riocalle](https://wordpress.org/support/users/riocalle/)
 * (@riocalle)
 * [17 years, 5 months ago](https://wordpress.org/support/topic/wordpress-exploit-inserts-ltscriptgt-code/#post-882589)
 * i dunno wat to do now. i wasnt able to back up file on my two websites (www.ngkhai.
   net/cebu) , (www.ngkhai.net/bizdrivenlife). The web has been down for 2weeks 
   already and according to host, there were scripts inserted that the websites 
   have been exploited. any help wold be much appreciated.

Viewing 13 replies - 1 through 13 (of 13 total)

The topic ‘wordpress exploit inserts <script> code?’ is closed to new replies.

 * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
 * 13 replies
 * 9 participants
 * Last reply from: [riocalle](https://wordpress.org/support/users/riocalle/)
 * Last activity: [17 years, 5 months ago](https://wordpress.org/support/topic/wordpress-exploit-inserts-ltscriptgt-code/#post-882589)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics