Simple cleanup solution for the latest WordPress hack

Updated 20160914

This post is very specific to one type of infection. There are many different types of infections and symptoms, so do not be discouraged if the scenario does not fit your situation.

A more detailed guide on how to address a hack in WordPress was released in 2016.

If your site got hacked in the latest mass infection of WordPress sites, we have a simple solution to clean it up.

For Network Solutions users:

If your site is at Network Solutions, and you have that “” malware, the solution is simple.

Log in via FTP and remove the file cgi-bin/php.ini. That’s all you need to do to protect your users.

You will still have some “.nts” files in there (which you can remove later), but they will not be executed without the php.ini.

Via SSH:

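If you have SSH access to your server, run the following commands from your web root:

# Remove the injected block; \* matches the literal asterisks in /**/
$ find ./ -name "*.php" -type f -print0 | xargs -0 sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' 2>&1
# Delete the blank lines left at the top of each file
$ find ./ -name "*.php" -type f -print0 | xargs -0 sed -i '/./,$!d' 2>&1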
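
A more cautious way to run the same cleanup, as an added example that is not the original script: it lists infected files first, copies each one to a backup directory before editing, and stops the match at the first `?>` so that real code sharing a line with the injected block is kept. It assumes GNU find, xargs, grep and sed; the function names, the backup layout (keep it outside the web root) and the sample files are hypothetical, and the sample payload is constructed.

```sh
#!/bin/sh
# Added example (not the original script). Assumes GNU find, xargs, grep, sed.
# Function names, the backup layout and the sample files are hypothetical.

# Literal start of the injected block, as quoted in the commands above.
SIG='<?php /**/ eval(base64_decode("aWY'

# Read-only check: print every *.php file under $1 that contains SIG.
list_infected() {
    find "$1" -type f -name '*.php' -print0 |
        xargs -0 -r grep -lF -- "$SIG" || true
}

# Back up each infected file under $2 (keep $2 outside the web root),
# clean it in place, and print how many files were changed.
clean_tree() {
    ct_root=$1; ct_backup=$2; ct_count=0
    ct_list=$(mktemp) || return 1
    list_infected "$ct_root" > "$ct_list"
    while IFS= read -r ct_f; do
        mkdir -p -- "$ct_backup/$(dirname -- "$ct_f")" || return 1
        cp -p -- "$ct_f" "$ct_backup/$ct_f" || return 1
        # \*\* matches the literal asterisks. [^?]* stops at the first "?>",
        # so code after the injected block on the same line is kept.
        # The second expression deletes blank lines at the top of the file.
        sed -i -e 's#<?php /\*\*/ eval(base64_decode("aWY[^?]*?>##g' \
               -e '/./,$!d' -- "$ct_f" || return 1
        ct_count=$((ct_count + 1))
    done < "$ct_list"
    rm -f -- "$ct_list"
    echo "$ct_count"
}

# Build a small constructed tree for trying the functions offline.
make_sample() {
    mkdir -p -- "$1/wp-content" || return 1
    # Constructed payload: base64 of "if(1){}", harmless.
    ms_inj='<?php /**/ eval(base64_decode("aWYoMSl7fQ==")); ?>'
    # Injected block shares line 1 with real template code.
    printf '%s\n' "$ms_inj<?php get_header(); ?>" '<p>page</p>' > "$1/index.php"
    # Injected block alone on line 1.
    printf '%s\n' "$ms_inj" '<?php echo "ok";' > "$1/wp-content/theme.php"
    # Clean file with a legitimate base64_decode call; must stay untouched.
    printf '%s\n' '<?php $x = base64_decode("aGVsbG8=");' > "$1/plugin.php"
}

# Usage: sh clean.sh WEBROOT            (dry run, lists infected files)
#        sh clean.sh WEBROOT BACKUPDIR  (back up, then clean)
case $# in
    1) list_infected "$1" ;;
    2) clean_tree "$1" "$2" ;;
esac
```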

Via web:

If you don’t have SSH access, download this file to your desktop: and rename it to wordpress-fix.php.

After that, upload it to your site via FTP, and run it (using your browser) as:

This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.

Once you are done, go back to your site and remove this file.

That’s it and you should be clean again.

UPDATE: If your site is not getting cleaned up after you run it (or you are getting extra empty lines at the top of your files), it means that the script did not finish running properly. Try running it again. If it doesn’t help, upload it to some subdirectories (like wp-admin, wp-content and wp-includes) and run it directly from there. For example: , , etc.
That should fix it!

As always, if you are having difficulties getting your site cleaned up, send us an email at or visit our site: We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if they ever get infected with malware, hacked or blacklisted.

  1. This cleaned up all the code on the top of each .php page. But it didn't remove the actual script just above the body tag.

    How do I get rid of that?

  2. Adam:

    The script is generated by that big PHP code on the top of your pages. If the malscript is still there, maybe you have your pages cached (clean your wpcaches) or our script didn't complete properly (some PHP pages may timeout while running – depending on your host config).

  3. OK, I'll wait a bit and see if that clears itself up. I was able to run the script on the rest of my sites and it works great. Thanks so much!

  4. I went and manually deleted the lines in the cgi-bin/php.ini mentioned in the first post today on my NS shared host account. Deleted all cached pages and now my NS sites are scanning clean. Should I still run this fix as well?

  5. Just to follow-up. I ran this script several times today. It worked flawlessly on most sites, but on one blog I eventually had to manually remove the malware script from the index.php file in the root folder.

    Kudos on this fix!

  6. Thank you very much! you are much more helpful than godaddy can be on it.

    my site is also hacked by a php code in the head of the file.

  7. Hi all,

    My site was also hacked. But it was a Joomla (1.5.15) site (no word press).

    The fix of course helped. The server was "godaddy shared hosting".

    I believe all my chmod settings were correct (644 or 755).

    No idea how they got in. But it looks like they did not change anything else.

  8. Ramses: yes, it will scan all subdirs. If your site is too big, the PHP may timeout in the middle, so you may need to run it again.

    Ioan: Brazilian 🙂 All latin languages, so easy to mix it up .

  9. Heads Up from NS.

    May 8, 2010

    We received alerts of a new type of file inclusion on our customers’ websites, whereby a “.nts” file is added to folders of customers’ hosting accounts. Visitors to affected websites will receive a “website cannot be found” message and may be infected with malware. This “.nts” file addition is occurring mostly within the structure of customers’ WordPress installations, however the issue is not with WordPress. We ask that you please remove all files with the extension “.nts” in order to resolve this issue.

  10. Still can not access my account through SFTP since yesterday.

    Can't say I blame NS at this point for sealing access off.

    It is however getting a little frustrating.

  11. Omg WordPress is sending a 503.


    Something has gone wrong with our servers. It’s probably Matt’s fault.

    We’ve just been notified of the problem.

    Hopefully this should be fixed ASAP, so kindly reload in a minute and things should be back to normal."

    Maybe it's four million people wondering what to do now that a hacker's attacked their site and damaged it?

  12. Should you run this although you have already cleaned your site?

    I guess it can't hurt but I am wondering if it would take the site down temporarily or something?

  13. The first 'find' command line appears incomplete..(I don't see a closing quote/brace)…am I missing something?

  14. I too would like to say thanks for the script. I went slow so it took me more than 10 minutes, to be sure I did everything right – but it worked.
    For info purposes, also on Godaddy – I had latest version and secure pw's. I also did not have all of the lines in the source code, but did have the indesign one – everything is good now.

  15. Watch Out . . I was attacked instantly when I checked out this story.

    Mass Shared Host Website Hack
    ‎Ghacks Technology News – 1 hour ago
    These servers host multiple websites by different users. Affected web hosting companies are Go Daddy, Bluehost, Media temple, Dreamhost and Network …

    An intrusion attempt by was blocked

    Risk Name HTTP Fake Scan Webpage 5
    Attacking Computer (, 80)
    Attacker URL

    1. Kim, please tell me how you fixed the index.php error. I'm getting it everywhere including admin areas so cannot log into the admin area currently, but do have ftp access to the files.

  16. Thanks so much for this!

    I've no idea how my site got hit but looks like this did the trick to clean it up. Wp antivirus plugin did not detect this for me. I'm also on godaddy shared hosting.

  17. It is a new development in 2009 that the #1 cause of website hacking is the webmaster's personal computer being infected by malware that steals FTP login information and sends it to remote computers which then inject the victim website's pages with JavaScript or hidden iframes pointing to malicious websites such as,, and a growing list of others.

    Make sure everyone who has password access to the website does at least one, and preferably two, antivirus and antispyware scans on their local computers, using two different scanners they don't normally use, to find threats that got past the AV scanner they were using. Some free scanners are at: Trend Micro Housecall, Kaspersky, Malwarebytes, Symantec (Norton), BitDefender, Windows Live OneCare, Computer Associates, McAfee, F-Secure.

  18. I can't find cgi-bin/php.ini nor any files with .nts in my files

    where to find it?

  19. I've run the script you've provided; it's removed the infection from my forum but it's still within my wordpress setup. Also I've edited the footer.php of my theme myself, this is all new to me and I'm not sure how to remove it fully.

  20. I can't find cgi-bin/php.ini nor any files with .nts in my files . . where to find it?

    That's a commonly asked question that is not being addressed. Considering many customers on shared hosting are not techies, but creators of content.

    "Run this script" doesn't help much if people do not know where and how to run it.

  21. Thank you guys so much. I have a GoDaddy shared server site that was attacked as well. GoDaddy has been absolutely worthless. The via web script you provided worked GREAT and everything seems to be running smooth once again. I can't believe after the amount of time I spent with GD you were able to provide such a quick solution.

    My site was running phpBB3 by the way.

  22. I am a computer consultant helping my local paper deal with the attack and, more importantly, giving advice to computer users who may have been infected.

    As the attack occurred for us Sunday, for Windows users, I will suggest restoring the computer to Saturday.

    Does anyone know if Mac computers were affected? If so what advice should I give them?



  23. Thank you so much! GoDaddy was worthless and made me wonder why I pay for them! I was up and running in less than 10mins. I have a GoDaddy shared hosting with WordPress MU.

  24. After I started getting page not found errors on my site, Paul at NSI pointed me to a file named .htaccess. It wasn't there before. I found another – nts.php, both deposited 5/10/2010. After renaming .htaccess access worked fine; also renamed the nts.php. Not running WordPress.

    Bad when the top-tiers like NSI are getting hacked, but with one exception I've had great support from their phone reps.

  25. if you look at the source: view-source: (in Firefox) you will see that it looks for a PhpMyAdmin Cookie. That PhpMyAdmin software is likely vulnerable, based upon the Cookie name used in various PhpMyAdmin themes. So they probably found a zero-day in PhpMyAdmin on the looks of it.



  26. Mine was hit on a Drupal backbone… will this fix work for other things besides WordPress?

  27. This was incredibly helpful. Without your brilliant code I'd be up a river without a paddle. Many thanks.

  28. It even fixed the malware on my joomla page! Thanks! Hope this dreaded code doesn't come back in a few hours! I first downloaded Avast anti-virus and it found a file on my computer that malwarebytes didn't find. Then I used this php script and it found and erased the junk from my wordpress and joomla pages.

  29. I would like to say thank you very much. I have about eight wp blogs on Go-daddy that each make a small fortune everyday. I have suffered attack after attack, uploaded new files everything.

    I just used your script and had a one hundred per cent result of removing the malware from my code.

    You have saved me loads of time and effort.

    Well done and a huge big pat on the back. I wish I could buy you a few beers.


  30. The result showed malware removed, but my wp dashboard is still messed up. It ends at post. I can't access the plugins, appearance and other functions. Is this an attack?

  31. This worked perfectly.

    Funny thing is, yesterday I set up a Brand New WordPress site through Godaddy [they installed it] and it was hacked as soon as I logged in for the FIRST time. I had to have been the first visitor.

    Their support told me to install the newest version of WordPress…which uhhh…they had just done! That was their only suggestion. Four other WP sites of mine on the server were also hacked. Plan on fixing them asap.

    Thanks Sucuri, you saved me!

  32. It appears that this fix (Web version) is adding whitespace to the PHP files. I'm having problems with all WordPress and Joomla sites after running it.

    Anyone have any ideas?

  33. I am having the same problem with the person above. I am getting errors on most of my site with a message similar as follows "Warning: Cannot modify header information – headers already sent by (output star……"

    It seems there is a white space on the top. I looked at the script and it seems it was supposed to remove the white spaces, but it doesn't look like it has. Also, I have over 25,000 files on our host, so I'm not sure if it ever finished running or timed out.

  34. Gregg, i think i figured out what is happening. the script is timing out before it can finish. I just figured out how to get it fixed by running the file in each of my folders separately. I had over 25,000 files from within my root directory, but running the script in each sub folder made sure the script didn't time out.

    Thanks for this fix! It is a life saver! Now we just need to figure out how this all happened.

    Any ideas if the infection can or will come back again?

  35. Maybe run this first to check if you actually have it before running a command that edits files?
    # grep -lr 'base64_decode("aWY' ./ | grep '\.php$' > base64.txt

  36. I'm going to be honest, I don't know how to "Run as…(using your browser)" I go to that URL and it gives me a 404 error. I open the file with my browser from the folder and it just opens up the location in my folder with the text and does nothing.

    Please be more detailed regarding how to run this. Not all of us are tech whizzes.

  37. Nevermind, I figured it out just now on my own. You have to upload it to the '/' directory on your FTP server so that '' is the root. Then go to '' and it'll work.

    Hope that helps anyone else who had the same questions.

    That said, the virus is apparently still blocking my RSS feed. I'll try running it again, but I hope this isn't a separate issue.

  38. Having problem with (web version) ran fix in all sub directories after I enter fix in browser and hit enter it takes me to my site and I see (whatever your looking for is not here)..Help please or am I running script wrong? I am using filezilla to upload fix.php to directories

  39. I just want to say a big thank you. In my case, my site was fine but i got redirected to a malware site when i tried to log into my wordpress blog. luckily my antivirus system blocked the attempt. I therefore had to run this from my wp-admin folder and the scrambled looking wordpress dashboard is now looking normal! thanks a ton!

  40. Warning: Unexpected character in input: '' (ASCII=92) state=1 in /home/content/d/a/i/dailyotaku/html/wordpress-fix.php on line 4

    Parse error: syntax error, unexpected T_STRING in /home/content/d/a/i/dailyotaku/html/wordpress-fix.php on line 4

    am getting this all time what do I do to fix it

  41. Thanks much for the info and script. Has anyone figured out what the vulnerability is here, though? Getting my site back up is one thing, figuring out how to stop this same attack from happening is a different ballgame.

  42. Godaddy host, infected my Magento installation as well as my straight php files. Very frustrating.

    Thanks for this fix. It doesn't seem to be working for me though. It looks like this line of code:
    $rmcode = `find $dir -name "*.php" -type f |xargs sed -i 's###g' 2>&1`;

    gets broken at the '*?>#' part. At least it looks that way in my php editor…
    plus it hasn't fixed my files…

  43. If the script is timing out on you, or the status messages "Malware Removed" or "Empty Lines Removed" does not appear chances are your script is not getting a chance to run to completion. I added:

    "ini_set('max_execution_time', 300); //300 seconds = 5 minutes"

    to the top of my script and it worked like a charm. Thanks for the fix, it saved my ass. down w/ godaddy

  44. Reported the problem to godaddy and they still continue to deny it's a security issue with them, not wordpress or PHP. unbelievable. After 2 hacks in less than a week.

  45. I just fixed my site with this amazing script – thank you so much. I have a WordPress Mu blog hosted by GoDaddy (I know – they stink)…Anyway, I wanted to know if anyone has experience with either of these plugins:


    I don't want to load more stuff on my blog unless I know the 'security' plugins are secure themselves. Any thoughts? Thanks!

  46. It is a very important article! A friend of mine suffered from this virus.
    With your permission, translated into Russian and published in his blog.
    Luck to you!

  47. Thank You very much! I was searching for solution to this problem from hours, and your script wordpress-fix.php fixed the problem within 1 minute.
    Thanx a lot again!

  48. Thanks a lot !!! this works very well i can clean my forum ( i don't use wp and i reinfect too ) I moveout from godaddy

  49. Works for phpbb too, fixed my phpbb3 site. Thank you, such a simple bit of php code and regex, surprised godaddy was too slow to give it to their customers on day one.

  50. Thank you so much for this script. I added it to my root directory. I can't believe how quickly everything was cleaned.

    This is the 2nd time I was infected in a month and the 3rd time in 5 months (if I remember correctly). Time to change hosts.

  51. Just like last time… worked like a charm.

    Thanks fellas. This is getting a little ridiculous… but I'm glad someone is offering a very quick, convenient, FREE solution.

    Perhaps if I can convince my webmaster to spend the money… we'll invest in your monitoring… that way we lose LESS visitors anyways… by catching this BS a bit sooner!

  52. thank you very much! simple and effective! My sites were hacked twice. What can i do in order to avoid a third hacking? Thank you again

  53. Thank you so much. This completely saved my sanity, especially after GoDaddy denied it was on their end, and blamed me when I let them know about it (virus, crummy passwords, etc). My PC is clean, completely spotless I just have no real clue as to how they got in (secure password, while I do use FTP / shared hosting).

    I've cleaned up about three times at this point, and hopefully this will help more (if it happens again too).

  54. Thank you soooo much for the clean-up script. I had already spent hours doing what GoDaddy recommended (back-up files, restore to an earlier date and re-install WordPress and delete old WP files) and was re-infected. Your clean-up script worked perfectly. So far so good – no re-infection.

  55. Just to confirm that this also works on Joomla sites. Although, there were some errors after cleaning with extra space before opening PHP tag, which was easily solved by deleting that space…

  56. I have x-cart on my domain and it has been affected again after I cleaned up. It is on Godaddy. X-cart version is not latest.
    What do I do now?

  57. This virus attacked a MODx site on BlueHost. I deleted the code from the top of the index.php and all seems to be good now.

  58. I refuse to believe this. This is too good to be true?!

    …it removed all of those strings extremely quickly & easily… but will my site stay safe from malware? Or will I have to constantly use this script daily? Great work though! I signed up for a full year of Sucuri security too!

  59. Hi. downloaded and ran wordpress-fix.php

    It didn't work. tried it in blog directories too.
    Still didn't work.

    Base64 code still at top of php pages.

  60. I downloaded and ran wordpress-fix.php. But I got the status messages "Malware Removed" or "Empty Lines Removed". The website problem still remain the same. Can I know anything i did wrongly in the process of running wordpress-fix.php. How to solve it?

  61. AMAZING! Worked perfectly. You saved me so much time. All things good come to you!

  62. I'm having an issue with Movable Type blog. I've run the commands you thankfully posted and cleaned up several WP blogs and it appears to have cleaned the php files for my MT blog. But strange things are happening.

    I will load a page on my blog and after a few minutes it attempts to redirect (I'm using Mac and Safari) and i get this error:

    Safari can’t open the page “;=2060&ref;=” because Safari can’t find the server “”

    In looking at the source of this page, I find at the bottom:

    scripttt src=";>

    (I've edited this to validate this comment)

    My guess is that Safari tried to redirect it to the phony GoogleSearch page but on other browsers maybe the script tries to install malware.

    I'm not sure how many pages this script is on, but running your commands cleans the garbled code but this is actually plain and simple and nothing trying to hide it? Thoughts?

  63. This is a follow up to my post just a few minutes ago.

    I tried running these commands via ssh again and I get an error on the first one and the second one just seems to hang:

    [xx]$ find ./ -name "*.php" -type f |
    > xargs sed -i 's###g' 2>&1
    [xx]$ find ./ -name "*.php" -type f |
    -bash: : command not found
    [xx]$ xargs sed -i '/./,$!d' 2>&1

  64. I keep getting the following error messages when running the script, can someone please help me?

    Warning: Unexpected character in input: '' (ASCII=92) state=1

    Parse error: syntax error, unexpected T_STRING

  65. Hello Guys,

    I am also a victim. My suggestion is that if you are using any plugins like javascript and CSS optimizer then remove them. It's an RFI attack. Hope you all be happy with this. The attacker first distributes a free program (open source) which works fine, but he puts a security hole in it for later use. He wins the faith from us and then attacks.

  66. If you are on Media Temple, i had 5 blogs, found wordpress templates infected. I suspect my laptop was the first victim via malware, although not sure. Cleaned that up. Then used script from here. Cleaned it each time, but every day i would see somehow the hackers had reuploaded new exploit-laden akismet plugins onto the server. My latest discovery was that in the folder etc if you login in using ftp, they infected my php.ini file. You need to remove the last line on that file and then delete the sample.php.ini file which hosted malware. Now all clean again, but waiting for a few days to see if they come back (wish me luck!)

  67. Thank you so much for the Quick Fix! So far everything looks good but will keep an eye on it.

  68. My WP was hacked on bluehost (3 sites). I ran the script but still see suspicious Java script in my footer when view the page source in the browser. You can see at I have viewed the theme editor in the admin looking for this code in the footer. It is nowhere to be found. But when I view the page source code in my browser I can see this java script. How do I remove it?

  69. i ran this on 5 WP sites, only to then find them all white-screened. i was able to find the malicious code on a couple of them, but it's not showing up on one in particular. if anyone has any suggestions, they would be much appreciated.

  70. Seems like everyone has got it to work but i am having so much problem. I keep getting a 404 or
    Warning: Unexpected character in input: ” (ASCII=92) state=1

    Parse error: syntax error, unexpected T_STRING

    Appreciate any help

  71. good, but if you have installed nextgenGallery remove the plug-in code that is used instead.
    make sure that your plug-ins do not use encode_64 before making this operation

    1. right click and save as, or just open it in the browser and copy the contents into a fresh php file

  72. I used it on my main domain and then some sub directories and got two different results. I'm assuming one means it ran and was ok, then the other means it found something and cleaned it up. Is that right? I'm pasting them below.

    1. Site remediated by Sucuri
    This script will clean the malware from this attack:

    If you need help, contact or visit us at

    Site remediated by Sucuri
    This script will clean the malware from this attack:

    If you need help, contact or visit us at

    2. Site remediated by Sucuri
    This script will clean the malware from this attack:

    If you need help, contact or visit us at

    Malware removed.
    Empty lines removed.


  73. This worked for me but I had to run it several times and place it in my wp-admin directory on some of my blogs. Of 11 WP blogs, only the one at the root had to be run repeatedly. Also, I found a file, wtm.php that had nothing but the malicious code. I blew that one away manually.

    Since this is the third time I’ve been infected, my question now is how do I protect my blogs? Is there any way to make wordpress secure? My wp is update, I’ve placed recommended in my htaccess file and placed that file in each of my wp-admin directories. Is there anything else I can do? I really don’t have time to do this every few days and I don’t have the money to hire someone else to do it for me.

    Any ideas on how to secure WP?

  74. When I run the command from ssh I get:

    -bash: 1$: ambiguous redirect
    -bash: : command not found

  75. thanks a lot it is really working,, its cleaned .. i should have found this before i manually delete and replaced my files..

  76. If you don't have SSH access, and need a fast, easy and secure way to detect and cure this malware attack, check this post:

    PS: the people at were the first website to pick up on the latest hack. Well done!

    Once more, the PHP-based community would be grateful if anyone could come up with a way to protect PHP files being patched by hackers.

  77. my website got hacked, spent a whole day re installing and fixed it. Then I found out about this script and decided to run it in case there was any left over trace of the virus and the script broke the website again 🙁

    I had to delete all my plugins and re install them before it started working again. USE WITH CAUTION!

  78. I am trying to run the script downloaded from this site, but keep getting a 404 Not found page when I type in the address from where the file is located on my ftp.
    Can anyone please help? Much appreciated.

  79. Hi, I wonder if the virus attacks have also occurred in wordpress blogs and if there is a way to avoid them. Thanks

  80. Thank you so much, client’s site hacked 3 times by this nasty little devil, hopefully your solution is the end of it. R.E.S.P.E.C.T. to Sucuri.

  81. Is this the same solution for Joomla sites? Mine is a Joomla based site with the same problem.

  82. guys, how do I set up the fixfiles.php to remove another code, it seems that the person that inserted the malware has changed the code to this: eval(unescape(‘%64%6F%63%’));

  83. Just wanted to say thanks for this excellent script. I was gearing up to spend my weekend reinstalling WordPress when I came across this post.

    Now I can go for a beer (or three) instead!

  84. for those that can't exec in their php:

    $contents = fread($f,$fs);
    if(strpos($contents,'eval(base64_decode("aWY') !== false){
    echo "$path/$filen";
    $contents = preg_replace('%%',"",$contents);
    $f = fopen($fn,"w");
    echo "$fn is empty\n";



    closedir( $dh );
    // Close the directory handle


  85. How can I use to remove the following string:

    Include the “” at the begin and end of the string below.

    img heigth=”1″ width=”1″ border=”0″ src=”″

    Thank you

  86. Great idea!
    Isn’t your script safe any more? Why does the download-link work any more?

  87. This is a great solution. Thanks!
    I also ended up with a blank line at the top of my files. This command removes blank lines at the top of your php files.:

    find ./ -name "*.php" -type f |  xargs sed -i '/./,$!d' 2>&1

    "Suggestion from SED1LINERS: Delete leading blank lines at top of file:
    sed '/./,$!d' file"

  88. These commands are also removing anything on the same line as the “eval(base64” line.

    For example, on a WordPress template page, it is also removing “get_header()”.

    This is easy enough to fix. However, on other PHP pages, I have no idea what the first line may have been!

    For example, one PHP page’s first line was “if ( comments_open() )” which got removed by this script. I was only able to replace that line after digging through some old backup files. Otherwise I would’ve not known what the line was, and the page would’ve forever been broken.

    Has this happened to anyone else? Did I do something wrong?

  89. Hello, please can you re-upload this file? it is not there and I am desperate.
