PHP code in functions.php of all wordpress websites on my shared hosting

Question

I have a shared hosting and some wordpress websites on that. Recently sometimes when I visit my websites, popup opens. So I opened template directory of one wordpress website in

Answer 1

Temporary fix to this issue is to remove the hack code and make your functions.php read-only(chmod 444 functions.php) You can do this also from your cPanel as well. After that site will be ok. Note it just doesn't affect the current theme only, it will affect all of your themes in the theme directory. So do the same for all functions.php in all themes. Download the site to your local and do a find in file search for the keyword wp_vcd. It will be helpful if you had WordFence security plugin in your system free version as it comes in its logs as well. List of files infected.

//FILES TO REMOVE
wp-includes/wp-vcd.php

wp-includes/wp-tmp.php

wp-includes/wp-feed.php
wp-content/themes/yourtheme/wp-tmp.php


// FILES TO CORRECT
    wp-content/themes/yourtheme/functions.php

    wp-content/themes/yourtheme-child/functions.php

    wp-content/themes/twentynineteen/functions.php

    wp-content/themes/twentysixteen/functions.php

    wp-content/themes/twentyseventeen/functions.php

    wp-includes/post.php

There will be more files WordFence log will help you to find this on that keyword search.

If you can access your backend then install WordFense security plugin as soon as possible and look for its scan report. It will show the modified or newly created files. After removing/fixing the files do a scan from WordFence once again to confirm.

Please verify the file/folder permissions on your server.