Wordfence Fixed A Hack In My Header
One day I found a mysterious link on the header of this site right under the site name. It was a link to an external website that I had not put on their. This link was cleverly disguised. It was semi camouflaged, with the color of the header, so it wasn’t easily seen. What was really clever was that it would disappear if I logged in to the admin panel once. So after I logged into the admin panel, it would never show up to me again, even if I was logged out of the admin panel! I only noticed it when I checked out the site with a new browser. It may have been on the site for a long time, and I didn’t even know it! Let’s call the link sitehacked.com and the description of the link “site hacked”.
Once I noticed the “site hacked” link, I looked through my header.php and index.php files, but I didn’t find anything referring to the “site hacked” link. I didn’t want to do too much poking around on the live site, so I made a local backup of the site to poke around with. The local version also had the header hacked. I tried to edit a few things in the local version of the header.php and index.php files but the link still showed up. I grep’ed (searched) all the files in the site directory for “sitehacked.com” and the description “site hack” but still didn’t find anything. By this time I was getting really irritated I couldn’t find where this hack was.
I searched for “wordpress header got hacked” online and I found this was a common issue. I found somebody say on a forum on wordpress.org to try the Wordfence plugin. I installed the Wordfence plugin and ran a scan. Wordfence found a suspicious addition to my functions.php file. I deleted the addition in my functions.php file and the sitehacked.com link went away. The hacked addition in the functions.php file didn’t have anything referring to the sitehacked.com or the “site hacked” description. I don’t know how I would have found it without Wordfence. Thank You Wordfence!
