WordPress Spam Code: Remove Dynamically Inserted Code
Not every plugin/theme developer has the customers’ best interest at heart. Some developers dynamically insert code into your WordPress installation, which is bound to bring up errors when you scan your site with the Sucuri Malware Test.
Why is downloading nulled WordPress plugins and themes a bad idea? Some of this code may come from users downloading and installing themes/plugins from unofficial websites (especially paid plugins/themes that have been nulled). Some of the uploaders of these “free” resources have sinister ways of making money.
For example, one of our clients had cryptocurrency mining code inserted into his website, which definitely earned the culprit 100s of dollars without their knowledge!
WARNING – make sure you make a backup copy of your functions.php file before you make any modifications to it.
Method 1
Looking for how to remove malicious code from your WordPress site? Edit your functions.php and look for code containing wp_footer (the code you are trying to remove is located there).
You should find the following lines (or similar):
    if (!function_exists('onAddadminhhtms')) {
        add_filter( 'wp_footer', 'onAddadminhhtms');
        function onAddadminhhtms(){
            $html = "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";
            if(is_front_page() or is_category() or is_tag()){
                echo base64_decode($html);
            }
        }
    }
and delete them. That should remove the code forever!
Method 2
Search your theme folder for the file “options.php”; it is normally at “/inc/options.php”. Inside this file, search for
    echo base64_decode($html);
and delete this line.
Method 3
Are you using the Total Theme for WordPress? Some users have recently complained that they (theme developers) were inserting links into the theme as well. If you go into functions.php, look for a piece of code that looks something like this (for me it was the last function in the file):
    new WPEX_Theme_Setup;
    if (!function_exists('onAddScriptsHtmls')) {
        add_filter( 'wp_footer', 'onAddScriptsHtmls');
        function onAddScriptsHtmls(){
            $html = "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";
            echo base64_decode($html);
        }
    }
If you delete the entire function, it somehow breaks the admin panel, but if you modify it like so:
    new WPEX_Theme_Setup;
    if (!function_exists('onAddScriptsHtmls')) {
        add_filter( 'wp_footer', 'onAddScriptsHtmls');
        function onAddScriptsHtmls(){}
    }
it seems to work.
If you are using any sort of caching plugin, you will probably need to clear your cache (and your browser’s cache as well) to see the change.
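An added example, not part of the original post: a read-only Python scanner for the pattern all three methods remove, a wp_footer callback whose body echoes base64_decode() output. It decodes the embedded literal for inspection only and executes nothing; the sample theme code, the spam.example link and all function names here are constructed, and the brace matching assumes no braces inside string literals.

```python
import base64
import re
from pathlib import Path

# add_filter('wp_footer', 'cb') or add_action('wp_footer', 'cb'), as in the snippets above
HOOK_RE = re.compile(r"add_(?:filter|action)\(\s*['\"]wp_footer['\"]\s*,\s*['\"](\w+)['\"]")
# $var = "<base64 text>"; inside the callback body
LITERAL_RE = re.compile(r"\$\w+\s*=\s*(['\"])([A-Za-z0-9+/=]{16,})\1")

def function_body(source, name):
    """Return the text between the braces of `function name(...) {...}`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", source)
    start = source.find("{", m.end()) if m else -1
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(source)):
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        if depth == 0:
            return source[start + 1:i]
    return None

def scan_php(source):
    """List wp_footer callbacks whose body calls base64_decode, with decoded payloads."""
    findings = []
    for hook in HOOK_RE.finditer(source):
        body = function_body(source, hook.group(1))
        if body is None or "base64_decode" not in body:
            continue  # missing or already neutralized (empty) callback
        decoded = []
        for lit in LITERAL_RE.finditer(body):
            try:  # decode for inspection only; nothing is executed
                raw = base64.b64decode(lit.group(2), validate=True)
                decoded.append(raw.decode("utf-8", "replace"))
            except ValueError:
                pass  # literal was not valid base64
        line = source.count("\n", 0, hook.start()) + 1
        findings.append({"callback": hook.group(1), "line": line, "decoded": decoded})
    return findings

def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for files with hits."""
    hits = {str(p): scan_php(p.read_text(errors="replace")) for p in Path(root).rglob("*.php")}
    return {path: found for path, found in hits.items() if found}

# Constructed sample modeled on the Method 3 snippet; the payload is a harmless test link.
PAYLOAD = base64.b64encode(b'<a href="https://spam.example/">sponsored</a>').decode()
SAMPLE = ("<?php\nif (!function_exists('onAddScriptsHtmls')) {\n"
          "  add_filter( 'wp_footer', 'onAddScriptsHtmls');\n"
          "  function onAddScriptsHtmls(){ $html = \"" + PAYLOAD + "\"; echo base64_decode($html); }\n}\n")
```

Point scan_tree() at a copy of wp-content/themes or wp-content/plugins; each finding gives the file, the line of the hook registration and the decoded markup, so you can see what was being injected before you edit the file.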
Did the above tutorial help? If not, tell us below how you solved the issue on your end or reach out to us and we will help you get rid of the code!