Removing hacked WordPress files


The other day someone kindly told me that this blog had been “hacked”. Actually what had happened was that someone had managed to inject PHP code into the WordPress theme files, the WordPress blog files and all the plugin files. What was particularly interesting was that it only showed up if you hadn’t visited the site before, making it harder to spot. In the header of each PHP file there was a PHP eval() call on a base64-encoded string, which contained this redirect code.
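Added example (not from the original post, and not the redirect code itself): a read-only sweep that lists every .php file whose header contains an eval(base64_decode(...)) call, which is the pattern described above. The 2 KB header window, the file names and the placeholder payload are assumptions constructed for the demonstration.

```python
import base64
import re
import tempfile
from pathlib import Path

# eval(base64_decode('...')), tolerating whitespace, either quote style and a leading @.
INJECT_RE = re.compile(
    rb"@?\beval\s*\(\s*base64_decode\s*\(\s*(['\"])[A-Za-z0-9+/=\s]+\1\s*\)\s*\)", re.I)
HEADER_BYTES = 2048  # assumption: the "header" is the first 2 KB of the file

def scan_tree(root):
    """Return [(relative_path, byte_offset)] for .php files whose header holds the pattern."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        # Search the whole file (the encoded string can be long) but only
        # accept a call that starts inside the header window.
        m = INJECT_RE.search(data)
        if m and m.start() < HEADER_BYTES:
            hits.append((path.relative_to(root).as_posix(), m.start()))
    return hits

def demo():
    """Build a constructed WordPress-like tree in a temp dir and scan it."""
    blob = base64.b64encode(b"/* constructed placeholder, not real injected code */").decode()
    files = {
        "wp-content/themes/sample/header.php":
            "<?php eval(base64_decode('%s')); ?><?php /* theme header */ ?>" % blob,
        "wp-content/plugins/sample/plugin.php":
            "<?php @EVAL ( base64_decode(\"%s\") ); ?>\n<?php /* plugin */ ?>" % blob,
        # Legitimate base64_decode use without eval must not be reported.
        "wp-content/plugins/sample/clean.php": "<?php $d = base64_decode($_POST['img']); ?>",
        "index.php": "<?php require 'wp-blog-header.php'; ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, off in demo():
        print(f"{rel}: eval(base64_decode(...)) at byte {off}")
```

The script never decodes or executes the string it finds; it only reports where the call sits, so it is safe to run against a copy of a compromised site.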