How to remove spam link or iframe code from wordpress blog or site

As a popular open source CMS, wordpress is using for building web site, blog and even for building strong web applications too.  Even if there is no programming skill, wordpress can be easy to manage compared to other CMS available in the market. As the availability of thousands of free plugins, made this cms to popular in the market.

Unfortunately recent years, there is lot of spam and hacking case is reported with wordpress blogs and sites, like other opensource cms.  It will be a nightmare for programmers and site owners to clean the affected code.

Prevention is better than cure.

• Keep your site updated to latest version
• Use strong credentials for admin credentials
• Use strong admin credentials ( Should change the default user name “admin”)
• Maintain proper file permission for files and folders
• Select better hosting company
• Use trusted plugins and remove unwanted plugins coming with your theme.
• Use experienced PHP programmers for wordpress  customization or plugin development.
• Take backup of code and database regularly.

Tracking the issues in  files and code

• Search eval(base64_decode( in your entire code using some editors and check those files one by one to trace suspected codes
• Search pack( code and find any suspicious binary string
• Take view source of your web pages and find any encrypted code / inframe / or any obfuscated javaScript code.
• Search in media folders and find the strange .php files appearing on it
• Find in .htacess files for any malicious redirection

How to remove the malicious code injected in wordpress footer?  OR removing malicious code from wp_footer()

If you search in the files for the obfuscated JavaScript code, which is appearing in the view source of your site, there willnot be any luck.  You have to search pack(  in entire code and you can find some suspicious binary string like this image

You have to remove those section completely from your code.  You can find an add_action(  hooks, which will be adding into your wp_footer() function and that too have to remove.  If you decrypt the code you can see some redirection like this

Hope this will help someone to solve the issue in there.  If you have any question please contact us, we will help you.