Big Mistake – deleted file in functiond.php

[Gavin Brown]

So I got an alert (after scanning with Wordfence plugin) that there was a malicious file in functions.php. The file name is: “$wp_user_functions_init = create_function”.

So instead of just deleting it, I copied my existing functions.php file. Then I deleted the malicious file, so that if it created a problem, I could just revert back to the previous functions.php.

So it did, big time. I’m now getting this error when trying to access my site:

Fatal error: Call to undefined function vantage_get_query_variables() in /hermes/bosoraweb172/b2128/ipw.flinthill/public_html/wp-content/themes/vantage/loops/loop-carousel.php on line 8

So I pasted the old (pre-deleted file) functions.php into the editor and it tells me that this file cannot be edited. Doh!!!

Should I find the original functions.php from the theme download and replace it via FTP? Any thoughts?

Gavin Brown

[Bill Robbins]

It looks like the function you deleted is there to create a new user. How that made it onto the site is an interesting question.

I would restore the original theme via ftp. I would also check the users and make sure there are none that shouldn’t be there.

Crazy

[Gavin Brown]

Hey Bill, thanks. Won’t restoring the theme via FTP affect plugins, styling, etc.? Is there a way to restore functions.php without messing with that other stuff?

[Bill Robbins]

You would lose all customizations that were made in the theme files themselves but that should be it. Plugins will be fine. Typically any settings saved in the database will be fine too. I can’t say that with 100% certainty as I don’t know how this theme is constructed.

Since malicious code is there, I would replace the whole thing. If you just replace the functions.php file, the hack may regenerate itself. It may still even if you replace the theme, so check it after that point. These hacks can be sneaky. Hopefully this one isn’t very intelligent.

[Author]

Posts