getButterfly Logo getButterfly code wrangling since 2005

WordPress Malware

I’ve recently been hit by several injection attacks to some of my clients’ WordPress based sites. Some theme and plugin files were injected with an eval() function containing hidden IFRAMEs and redirections.

While some antivirus and scanning plugins detected parts of this infection, I’ve had 100% luck with 2 direct file scanners. Placed in my WordPress site root and directly accessed, the scripts listed all files injected with the dreaded eval() function.

Each of these files does the same thing, in different ways. Test them both.

WordPress - FTP rootHow to use

Place the .php files inside your WordPress root (i.e. where index.php is). Run them using or The scripts will display all files containing injected code. Open each of your infected files and remove the eval() code.

Subscribe to getButterfly Blog

Once a week or so we send an email with our best content. We never bug you, we just send you our latest piece of content.

If you found any value in this post, agree, disagree, or have anything to add - please do. I use comments as my #1 signal for what to write about. Read our comment policy before commenting! Comments such as "Thank you!", "Awesome!", "You're the man!" are either marked as spam or stripped from URL.

Leave a reply

Love programming?

Learn about the most amazing things. Get smarter everyday!