WordPress is pretty solid these days, but every now and then an exploit is found and taken advantage of. Recently we cleaned several websites that had all fallen prey to an exploit which modified every php file on the server.
The exploit added a malicious block of code to the very beginning of each php file. Since the modifications to these files were all uniform, it was fairly easy to undo the damage. The code added to each file looked something like this…
<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25... ...B9ICB9"));?>
It was a big long string of characters that made no sense until decoded. Our solution was to use a php page that could repair the damage. Thanks to theandystratton for providing a good starting point.
You can upload this file to the root folder of your server and then visit it in a web browser. It will first find all infected php files. Then you can click the “Fix Files” button and the malicious code is removed for you. If you intend to use this script, please know that we take no liability for it. That said, our clients have had great success with it.
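For readers who would rather run the cleanup from a shell than upload a php page, here is an added example (written for this post, not the script mentioned above, and not theandystratton's code) in Python rather than php. It assumes the injection has exactly the shape shown above, a single <?php /**/ eval(base64_decode("...."));?> block at the very start of the file, and it anchors its pattern there so it does not touch eval() calls that legitimately appear deeper in a file. The sample files it builds in demo() are constructed for illustration and are not data from an infected site.

```python
"""Find php files that begin with the injected eval(base64_decode("...")) block
and strip it, keeping a copy of the infected original for inspection."""
import base64
import re
import tempfile
from pathlib import Path

# The prepended block as described above: <?php /**/ eval(base64_decode("...."));?>
# Anchored at the start of the file because the injection was always placed at
# the very beginning. The optional trailing newline is the one PHP itself
# discards after "?>", so removing it restores the original file byte for byte.
INJECTION_RE = re.compile(
    r'^<\?php\s*/\*\*/\s*eval\(base64_decode\(["\'][A-Za-z0-9+/=]+["\']\)\);\s*\?>\r?\n?'
)


def clean_content(text: str) -> tuple[str, bool]:
    """Return (cleaned_text, was_infected). Only a match at offset 0 counts."""
    m = INJECTION_RE.match(text)
    if not m:
        return text, False
    return text[m.end():], True


def find_infected(root: Path) -> list[Path]:
    """Walk root and list every .php file whose content starts with the injection."""
    hits = []
    for path in sorted(root.rglob("*.php")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: report nothing rather than guess
        if INJECTION_RE.match(text):
            hits.append(path)
    return hits


def fix_files(root: Path, backup: bool = True) -> list[Path]:
    """Strip the injection from every infected file under root.

    With backup=True the untouched infected file is kept as <name>.infected
    (a hypothetical naming convention chosen for this example) so the change
    can be reviewed or reverted."""
    fixed = []
    for path in find_infected(root):
        original = path.read_bytes()
        cleaned, hit = clean_content(original.decode("utf-8", errors="surrogateescape"))
        if not hit:
            continue
        if backup:
            path.with_name(path.name + ".infected").write_bytes(original)
        path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
        fixed.append(path)
    return fixed


def demo() -> dict:
    """Constructed sample tree: one infected file, one clean file (not real data)."""
    payload = base64.b64encode(b'if(function_exists("x")){}').decode()
    injected = '<?php /**/ eval(base64_decode("%s"));?>\n' % payload
    original = "<?php\necho 'hello';\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content").mkdir()
        (root / "wp-content" / "index.php").write_text(injected + original, encoding="utf-8")
        (root / "clean.php").write_text(original, encoding="utf-8")
        before = [p.relative_to(root).as_posix() for p in find_infected(root)]
        fixed = fix_files(root)
        restored = (root / "wp-content" / "index.php").read_text(encoding="utf-8") == original
        return {
            "before": before,
            "fixed": len(fixed),
            "restored": restored,
            "after": len(find_infected(root)),
        }


if __name__ == "__main__":
    print(demo())
```

Run find_infected() first and read the list before calling fix_files(), and take a full backup of the site before rewriting anything in place. The .infected copies still hold the payload, so move them out of the web root once you have looked at them. Stripping the line restores the files but does not close whatever gave the attacker write access to them, so the cleanup should be followed by checking how the files were modified in the first place.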