Nov 19 2012
This weekend I encountered a particularly vexing problem that had me wondering if my site had been hacked.
Needless to say I was alarmed and almost panicked.
The script in question was the following:
The rest of the site seemed fine. The only evidence of a problem was an inability to access the admin.
I did some searching and discovered that the code in question came from the Avast Web Rep browser add-on, and that it was there to protect browsers from malicious code. After trolling message boards trying to find a fix, I came to the realization that the Avast add-on was not the issue. Something else was causing the Avast code to be the only thing that appeared, and it was a problem in either WordPress or one of my plugins.
What followed was a desperate series of maneuvers designed to expose the issue, whatever it was.
- First, I checked “wp-config.php” and “wp-settings.php” to see if they contained anything suspicious, but both files seemed fine.
- Then I traced the WordPress loading process, checking each of the included files for changes or anything that looked malicious. Again, nothing obvious.
- Then I downloaded a backup from two days earlier and re-uploaded the entire “/wp-admin/” folder. No dice.
- I did the same with the “/wp-content/plugins” and “/wp-content/themes/” folders. Again no luck.
- Finally, I re-named the “/wp-content/plugins” folder to “/wp-content/unplugins” and went to “/wp-admin/” in a browser again. This time I got in, and was treated to a series of messages indicating that each of my plugins had been deactivated due to missing files.
After that, all I had to do was
- change the name of the plugins folder back to “/wp-content/plugins”,
- then activate the plugins one by one until the admin broke again,
- then delete the offending plugin, which luckily was nothing important.
Ta-da! Back in action.