2.13.1.1.8. Infecting WordPress theme functions.php file

As practice shows, removing the malicious code from functions.php alone does not solve the problem: the code reappears after deletion. The following instructions should help troubleshoot the problem.

  1. Make sure the file wp-includes/class.wp.php does not exist at all. If it does, delete it. Pay special attention to the file name: this directory contains many files with similar names, but with a hyphen instead of a period, etc. This applies exclusively to wp-includes/class.wp.php.
  2. Similarly to the previous point, delete the file wp-includes/wp-vcd.php if it exists.
    A note on the first two points: by checking the official WordPress repository, you can confirm that neither file is part of the standard package; both are third-party.
  3. Check the contents of wp-includes/post.php, namely whether the first line contains something like:
    For comparison, here is what post.php looks like in standard WordPress: https://github.com/WordPress/WordPress/blob/master/wp-includes/post.php (note line 1).
  4. Points 1-3 should eliminate the reason the malicious code reappears in functions.php after deletion. It remains to check the functions.php of each installed theme. The surest way is to reinstall the theme, if possible. Otherwise, here is an example of an infected file: https://gist.github.com/alexandrpaliy/b3bb8a19433478fe32414895ad641709. The appearance of line 3 from this example is a typical indication that functions.php is infected. In this case, you need to delete the entire <?php … ?> block in which line 3 occurs:
    To put it more simply, delete everything from the beginning of the file through the first occurrence of the characters ?>. In this example, that is line 100. The cleaned file will then look like this: https://gist.github.com/alexandrpaliy/95663f8dc1186cf6e4a6b725c397781b
  5. There are reports that, in some cases, the virus, in addition to modifying files, also tries to create a new user in the site's admin panel with administrator rights. It therefore makes sense to check the users table in the database (often wp_users) and, if there are users you do not recognize, delete them by removing the corresponding rows from the table.
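An added read-only triage script for steps 1-4, written for this page rather than taken from the author: it assumes a standard WordPress layout under the given root and, as a heuristic of its own, treats a functions.php that opens with a <?php … ?> block followed by a second <?php as having had a block prepended. It reports findings only; the deletion steps above remain manual.

```python
from pathlib import Path

# Indicators taken from the steps above (paths relative to the WordPress root).
FOREIGN_FILES = ("wp-includes/class.wp.php", "wp-includes/wp-vcd.php")
FIRST_LINE_MARKERS = ("class.wp.php", "wp-vcd")

def find_foreign_files(root):
    """Steps 1-2: report which of the two non-standard files exist (exact names only)."""
    return [rel for rel in FOREIGN_FILES if (Path(root) / rel).is_file()]

def post_php_first_line_suspicious(root):
    """Step 3: does line 1 of wp-includes/post.php reference either foreign file?"""
    post = Path(root) / "wp-includes" / "post.php"
    if not post.is_file():
        return False
    first = post.read_text(encoding="utf-8", errors="replace").split("\n", 1)[0]
    return any(marker in first for marker in FIRST_LINE_MARKERS)

def prepended_block_end(text):
    """Step 4 heuristic (assumption, not from the page): a functions.php that opens
    with a <?php ... ?> block followed by a second <?php has had a block prepended.
    Returns the 1-based line of that first '?>' (the line the manual cleanup deletes
    through), or None when the structure is not present."""
    if not text.lstrip().startswith("<?php"):
        return None
    close = text.find("?>")
    if close == -1 or "<?php" not in text[close + 2:]:
        return None
    return text.count("\n", 0, close) + 1

def suspicious_theme_functions(root):
    """Map theme directory name -> line where the prepended block ends, per theme."""
    hits = {}
    for fn in sorted(Path(root).glob("wp-content/themes/*/functions.php")):
        end = prepended_block_end(fn.read_text(encoding="utf-8", errors="replace"))
        if end is not None:
            hits[fn.parent.name] = end
    return hits

def triage(root):
    """Run every read-only check; nothing is deleted, each finding is reviewed by hand."""
    return {
        "foreign_files": find_foreign_files(root),
        "post_php_first_line": post_php_first_line_suspicious(root),
        "theme_functions": suspicious_theme_functions(root),
    }

if __name__ == "__main__":
    import json, sys
    print(json.dumps(triage(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

Run it as `python triage.py /path/to/wordpress`; a reported theme line number is where the prepended block's ?> sits, which is what step 4 tells you to delete through.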