More information about the Underscore mailing list

[_] making wordpress secure

keith reay keef at
Fri Aug 30 12:06:22 BST 2013

hello hive

a client has a wordpress site which keeps getting hacked somehow, whereby '<?php eval(gzinflate(base64_decode('tVdtU9tI...' code is inserted into files in wp-includes, certain wp-content plugins, the theme, some of the index.php files and even the wp-config.php file [always the same files], plus a separate file is inserted, recently in the public_html directory [with '<?php /*:Q%hC*/eval/*u}}4 at FP*/(/*QOFMfN6*/base64_decode/*M`?,4_]*/(/*y5eb}...' stylee code]

the wp version is kept up to date, as are the plugins, but the hack returns from time to time. the theme is based on 'twenty eleven'

i've searched online and tried a few things in the htaccess files and changed permissions on some directories, but to no avail so far

do any [_]ers have a method to lock down wp files/directories to stop intrusions like this? or is it safe to assume that the back door has been created and not yet removed?

i can provide a list of affected files, eval code and htaccess code, if it helps? any suggestions would be very welcome [apart from the obvious but expected 'don't use wordpress']