Removing hacked WordPress files
The other day someone kindly told me that this blog had been “hacked”. Actually what had happened was that someone had managed to inject PHP code into the WordPress theme files, the WordPress blog files and all the plugin files.
What was particularly interesting was that it only showed up if you hadn’t visited the site before, making it harder to spot. In the header of each PHP file there was a PHP eval of a base64-encoded string which contained this redirect code.
If you have a similar problem, you either need to grep each file for base64-encoded PHP, or replace the main WordPress blog, re-upload the theme and reinstall all the plugins. If you want an easy fix, sorry; next time consider using Fabric/Puppet/Chef and having a backup version of the site that you can deploy at the drop of a hat.
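One way to do the "grep each file" step, as an added example that is not code from the original post: it walks a site tree, flags every PHP file containing an `eval(base64_decode('...'))` call, and decodes the blob for inspection without executing it. The function names, the sample directory layout and the placeholder payload are all constructed for illustration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# eval(base64_decode('...')), tolerant of whitespace and either quote style.
INJECT_RE = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE,
)

def scan_file(path):
    """Return (byte offset, decoded preview) for each match; nothing is executed."""
    hits = []
    for m in INJECT_RE.finditer(Path(path).read_bytes()):
        try:
            decoded = base64.b64decode(m.group(2))
        except (binascii.Error, ValueError):
            decoded = b"<not valid base64>"
        hits.append((m.start(), decoded[:80].decode("utf-8", "replace")))
    return hits

def scan_tree(root):
    """Map each .php file under root that matches to its list of hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_file(path)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def build_sample_tree(root):
    """Constructed sample data: one clean file, two with an injected header."""
    blob = base64.b64encode(b"/* constructed stand-in for the redirect code */").decode()
    injected = "<?php eval(base64_decode('%s')); ?>\n" % blob
    root = Path(root)
    for sub in ("wp-content/themes/demo", "wp-content/plugins/demo"):
        (root / sub).mkdir(parents=True)
    (root / "index.php").write_text("<?php\nrequire 'wp-blog-header.php';\n")
    (root / "wp-content/themes/demo/header.php").write_text(injected + "<?php wp_head(); ?>\n")
    (root / "wp-content/plugins/demo/demo.php").write_text(injected + "<?php /* plugin */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, hits in scan_tree(tmp).items():
            for offset, preview in hits:
                print(f"{name}: offset {offset}: {preview!r}")
```

The pattern only catches the literal `eval(base64_decode(...))` form described above, so a clean scan does not prove a file is untouched. Comparing against a fresh copy of WordPress, the theme and the plugins remains the more reliable check.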