Title: wp-admin.php probably hacking
Last modified: February 27, 2018

---

# wp-admin.php probably hacking

 *  [christiancannata](https://wordpress.org/support/users/christiancannata/)
 * (@christiancannata)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/wp-admin-php-probably-hacking/)
 * Hi guys, every night some files in my WordPress folders are modified with 4 rows
   of code at the top of the files, and the original file is copied as (example:
   admin-ajax.php.backup)
 * The code is here:
   ```php
   <?php
   // Cookie and token names/values hard-coded by the injected snippet.
   $bfpsecprsc_cookiename = "btpsecprwp";
   $bfpsecprsc_cookievalue = "sl322c8wk";
   $bfpsecprsc_tokenname = "token";
   $bfpsecprsc_tokenvalue = "sldkiejadks";
   if (!isset($_COOKIE[$bfpsecprsc_cookiename])) {
       // Token present: set the cookie (432000 s = 5 days), then redirect to the same URL without the token.
       if ($_GET[$bfpsecprsc_tokenname] == $bfpsecprsc_tokenvalue) {
           setcookie($bfpsecprsc_cookiename, $bfpsecprsc_cookievalue, time() + 432000);
           header("Location: http://" . $_SERVER['SERVER_NAME'] . $_SERVER['SCRIPT_NAME'] . "?"
               . str_replace($bfpsecprsc_tokenname . "=" . $bfpsecprsc_tokenvalue . "&", "", $_SERVER['QUERY_STRING']));
           return;
       }
       // No cookie and no token: send a 404 whose body meta-refreshes to the same URL with the token added.
       header("HTTP/1.0 404 Not Found");
       $bfpsecprsc_redirecturl = "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['SCRIPT_NAME'] . "?"
           . $bfpsecprsc_tokenname . "=" . $bfpsecprsc_tokenvalue . "&" . $_SERVER['QUERY_STRING'];
       // Visible Italian text: "Loading… If the page does not load within a few seconds,
       // make sure cookies are enabled, then try reloading the page."
       $bfpsecprsc_redirecthtml = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html>\n<head>\n<title>…</title>\n"
           . "<meta http-equiv=\"refresh\" content=\"2; url=" . $bfpsecprsc_redirecturl . "\"></meta>\n</head>\n"
           . "<body style=\"background-color:#fff;text-align:center;font-family:sans-serif;font-size:16px;padding-top:30px;\">\n"
           . "<h1 style=\"display:none;\">Not Found</h1>\n"
           . "<p style=\"display:none;\">The requested URL was not found on this server.</p>"
           . "<p style=\"font-size:20px;margin-bottom:15px;\">Caricamento in corso…</p>"
           . "<p>Se la pagina non viene caricata entro pochi secondi, assicurati di avere i cookies abilitati, quindi prova a ricaricare la pagina.</p>\n"
           . "</body>\n</html>";
       echo ($bfpsecprsc_redirecthtml);
       return;
   }
   ?>
   ```
 * I have the Sucuri plugin, a backdoor scanner and antimalware, and set permissions
   to read only and no write, but every night at 2:00 the files are modified. Can
   someone help me?

Viewing 4 replies - 1 through 4 (of 4 total)

 *  [Rajan Vijayan](https://wordpress.org/support/users/rajanit2000/)
 * (@rajanit2000)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/wp-admin-php-probably-hacking/#post-10019104)
 * Hi @christiancannata,
 * Remain calm and carefully follow [this guide](https://codex.wordpress.org/FAQ_My_site_was_hacked).
   When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://codex.wordpress.org/Hardening_WordPress).
 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [8 years, 3 months ago](https://wordpress.org/support/topic/wp-admin-php-probably-hacking/#post-10019110)
 * > I have the Sucuri plugin, a backdoor scanner and antimalware, and set permissions
   > to read only and no write
 * Doesn’t matter, you are already hacked. Security plugins do not fix hacked websites.
 *  Thread Starter [christiancannata](https://wordpress.org/support/users/christiancannata/)
 * (@christiancannata)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/wp-admin-php-probably-hacking/#post-10019189)
 * Well, I’ve restored all hacked files, protected my wp-admin folder via .htaccess,
   changed my admin password and disabled wp-cron.php (every night at 2:00 my website
   is hacked!)
 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [8 years, 3 months ago](https://wordpress.org/support/topic/wp-admin-php-probably-hacking/#post-10019230)
 * Something must be wrong in the chain of security measures and my bet is on the
   “restore all hacked files” bit. That sounds like it didn’t take you long to do.
   If it’s easy to resolve then you’re probably still hacked.
 * This is a thorough document that will take a long time to read. Get a fresh cup
   of coffee and double-check you’ve gone through everything: [https://codex.wordpress.org/FAQ_My_site_was_hacked](https://codex.wordpress.org/FAQ_My_site_was_hacked)
 * If you’re unable to clean your site(s) successfully, there are reputable organizations
   that can clean your sites for you. Sucuri and Wordfence are a couple.
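
A read-only check for the pattern described in this thread, added here as an example and not code from any participant: it walks a WordPress directory, flags PHP files whose first bytes contain the `$bfpsecprsc_` variable prefix from the quoted snippet, and records whether a `.backup` sibling exists along with the file's modification time and mode. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

# Variable prefix taken from the snippet quoted in the thread; ".backup" is the
# copy name the poster describes (admin-ajax.php.backup).
MARKER = b"$bfpsecprsc_"
BACKUP_SUFFIX = ".backup"
HEAD_BYTES = 4096  # the code is prepended, so reading the head is enough

def scan_tree(root):
    """Return one finding per PHP file whose head contains MARKER (mtime in UTC)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
                st = os.stat(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if MARKER in head:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "has_backup": os.path.exists(path + BACKUP_SUFFIX),
                    "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                    "mode": oct(st.st_mode & 0o777),
                })
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree():
    """Constructed sample: one clean file, one modified file with its .backup copy."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    os.makedirs(os.path.join(root, "wp-admin"))
    clean = b"<?php\n// constructed clean file\n"
    injected = b'<?php $bfpsecprsc_cookiename = "x"; ?>\n' + clean
    files = {"wp-admin/admin-ajax.php": injected,
             "wp-admin/admin-ajax.php.backup": clean,
             "index.php": clean}
    for rel, data in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    print(*scan_tree(build_sample_tree()), sep="\n")
```

Run against the real document root before and after the 2:00 window, the `mtime` values show whether restored files are being modified again and give a timestamp to compare with cron entries and access logs.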


The topic ‘wp-admin.php probably hacking’ is closed to new replies.

## Tags

 * [wp-admin](https://wordpress.org/support/topic-tag/wp-admin/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 4 replies
 * 3 participants
 * Last reply from: [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * Last activity: [8 years, 3 months ago](https://wordpress.org/support/topic/wp-admin-php-probably-hacking/#post-10019230)
 * Status: not resolved

