188.8.131.52.8. Infection of the WordPress theme functions.php file
As practice shows, removing the malicious code only from the functions.php file does not solve the issue. Therefore, these instructions can be helpful in troubleshooting the problem.
- Make sure the file wp-includes/class.wp.php does not exist. If it does, delete it. Pay special attention to the file name: this directory contains many files with similar names, but with a hyphen instead of a period, etc. This is exclusively about
- Similar to the previous point, delete the file wp-includes/wp-vcd.php if it exists.
A note on the first two points: by checking the official WordPress repository, you can verify that neither file is included in the standard package and that both are third-party.
- Check the content of wp-includes/post.php. Namely, if the first line contains something like:
For comparison, here is what the post.php file looks like in a standard WordPress installation: https://github.com/WordPress/WordPress/blob/master/wp-includes/post.php (note line 1).
- Points 1-3 should help eliminate the reason why malicious code may reappear in functions.php files after deletion. It remains to check the functions.php of each installed theme. The surest way is to reinstall the theme, if possible. Otherwise, here is an example of an infected file: https://gist.github.com/alexandrpaliy/b3bb8a19433478fe32414895ad641709. The appearance of line 3 from this example is a typical indication that functions.php is infected. In this case, you need to delete the entire <?php … ?> block in which line 3 occurs:
To put it a little more simply, you need to delete everything from the beginning of the file up to and including the first occurrence of the character combination ?>. In this example, that is line 100. As a result, the cleaned file will look like this: https://gist.github.com/alexandrpaliy/95663f8dc1186cf6e4a6b725c397781b
- There is information that, in some cases, the virus, in addition to modifying files, also tries to create a new user in the site's admin panel and give it administrator rights. Therefore, it makes sense to check the table in the database (wp_users), and if there are users unfamiliar to you, it is recommended to delete them by deleting the corresponding rows of the table.
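
The file checks from points 1-4 can be run as a read-only pass before anything is deleted. The script below is an added example, not part of the original instruction: the names triage, has_prepended_block and build_sample are hypothetical, the sample tree is constructed with harmless placeholder content, and the functions.php test is a heuristic based on the layout described in point 4, so a hit means the file needs manual review.

```python
import tempfile
from pathlib import Path

# File names from points 1 and 2 above; neither ships with WordPress.
DROPPED = ("wp-includes/class.wp.php", "wp-includes/wp-vcd.php")


def has_prepended_block(data: bytes) -> bool:
    """Heuristic for point 4: a complete <?php ... ?> block sits in front of
    the theme's own opening tag. A hit means "review by hand", not proof."""
    head, closing, rest = data.lstrip().partition(b"?>")
    return (head.startswith(b"<?php") and bool(closing)
            and rest.lstrip().startswith(b"<?php"))


def triage(wp_root) -> list:
    """Read-only pass over a WordPress tree; returns (path, reason) tuples."""
    root, findings = Path(wp_root), []
    for rel in DROPPED:
        if (root / rel).is_file():
            findings.append((rel, "not part of the standard package"))
    post = root / "wp-includes/post.php"
    if post.is_file():
        # Assumption: line 1 of a stock post.php is only the opening tag.
        if post.read_bytes().split(b"\n", 1)[0].strip() != b"<?php":
            findings.append(("wp-includes/post.php", "unexpected code on line 1"))
    for fn in sorted(root.glob("wp-content/themes/*/functions.php")):
        if has_prepended_block(fn.read_bytes()):
            findings.append((fn.relative_to(root).as_posix(),
                             "extra <?php ... ?> block before theme code"))
    return findings


def build_sample(base) -> Path:
    """Constructed tree with harmless placeholder content, for the demo only."""
    root = Path(base)
    files = {
        "wp-includes/wp-vcd.php": "<?php // constructed placeholder\n",
        "wp-includes/post.php": "<?php /* constructed placeholder */ ?><?php\n/**\n",
        "wp-content/themes/clean/functions.php": "<?php\nadd_theme_support('title-tag');\n",
        "wp-content/themes/hit/functions.php":
            "<?php\n// constructed placeholder\n?><?php\nadd_theme_support('menus');\n",
    }
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, reason in triage(build_sample(tmp)):
            print(f"{path}: {reason}")
```

To check a real site, call triage() with the path to the WordPress root directory; the script only reads files and leaves deletion to the steps above.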