3 comments

[ 2.5 ms ] story [ 15.1 ms ] thread
i still have no idea how they got that code in the header.php. Anyone have any ideas?
The usual way that these get in is when people upgrade WordPress by simply doing a tar -zxvf wordpress.tar.gz. This replaces files, but often there are many legacy files from older installs that never got deleted.

In my case, the attack was from "/blog/wp-content/themes/default/functions.php", which isn't even a theme in recent WordPress builds; it's simply been left over from the many upgrades over the years.

The other most common route for such injection is not always WordPress itself, but instead through insecure, third-party themes, since theme designers are not always programmers.

One of our clients had their FTP credentials compromised causing a similar effect. It may be a decent idea to check the logs and identify if this was the method of entry.