Recently I was visiting one of my many WordPress sites when I received a warning from my virus scanner that it had blocked an attack.
After seeing this I installed the plugin ‘Antivirus’ (a free WordPress plugin I strongly recommend), which showed strange code in 3 of the theme files: the index.php, footer.php, and header.php files all had the code below tagged onto the end of them.
So I immediately removed the code from those files, then noticed that all of the other WordPress blogs on the same server had that code as well, so I removed it on them too.
The weird part is that all of these WordPress installations were up to date and no one had my login, FTP, or any other information, so I’m not sure what weakness was exploited, but something was and it spread quickly!
Just in case your system was infected by someone brute-forcing the password (using a program which automatically tests thousands of password combinations), it’s best to change your password and then change your security keys in the wp-config.php file. Even after you change your password, someone who had logged in previously can still access your site if they selected “remember me” and haven’t erased their cookies.
The next day that same code was back on a few of the sites again but not all of them. I looked at the files on the sites where the code regenerated itself and noticed that they had an unusual wp-plugins.php file in the wp-content/plugins file. After removing that I went back and removed the malicious code from the index, footer, and header pages and all was well.
So my lesson would be, if you think you’ve found and isolated the problem, be sure to try a plugin like Antivirus to search your site for any other potential issues. It will show more problems than you actually have, but better safe than sorry. Then look for files which sound like WordPress system files but aren’t.
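The two checks from this incident, as an added shell example that is not part of the original post: it lists loose PHP files sitting directly in any wp-content/plugins directory (where the wp-plugins.php file turned up) and reports theme index.php, footer.php and header.php files that changed since a baseline taken after cleanup. The function names are hypothetical, and it assumes GNU coreutils `sha256sum` and one root directory that holds all the installs.

```shell
#!/bin/sh
# Added example: sweep all WordPress installs under one root directory.
# Function names are hypothetical; assumes GNU coreutils sha256sum.

# Loose PHP files a stock WordPress download has traditionally placed
# directly in wp-content/plugins (the empty stub and Hello Dolly).
STOCK_PLUGIN_FILES="index.php hello.php"

# List .php files sitting directly in any wp-content/plugins directory that
# are not stock. Most plugins live in their own subdirectory, so a file such
# as the post's wp-plugins.php stands out here. Single-file plugins you
# installed yourself are listed too; review each hit by hand.
list_loose_plugin_files() {
    find "$1" -type d -path '*/wp-content/plugins' | while IFS= read -r dir; do
        for f in "$dir"/*.php; do
            [ -f "$f" ] || continue
            case " $STOCK_PLUGIN_FILES " in
                *" $(basename "$f") "*) ;;
                *) printf '%s\n' "$f" ;;
            esac
        done
    done
}

# Record SHA-256 hashes of the three theme files the post found modified.
# Run this right after cleaning and keep the output outside the web root.
snapshot_theme_files() {
    find "$1" -type f -path '*/wp-content/themes/*' \
        \( -name index.php -o -name footer.php -o -name header.php \) \
        -exec sha256sum {} +
}

# Print every baselined theme file whose content changed or that is missing.
# Argument: the baseline file written by snapshot_theme_files.
changed_theme_files() {
    sha256sum -c "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}
```

Run `changed_theme_files` against the saved baseline from cron or by hand over the following days; a non-empty result means a theme file was rewritten after cleanup, as happened here while the extra plugin file was still in place.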
Good luck with your sites if you faced the same problem. Hope this helps!
If you’re looking for more information on how to secure your WordPress site, there’s a wordpress.org page about it here.