• Uncategorized

    WordPress PHP injection?

    I just found a creepy case of injection in my index.php file. I noticed this morning that my homepage was throwing a “headers already sent” message pointing to index.php, line 10 when it wasn’t cached by Supercache. A reload of the page cleaned it up. But my RSS feed (which currently goes through Feedburner) was also trashed, and /feed wasn’t redirecting. All with the same error. Disabling Supercache fixed the homepage warning, but not the feed. Being PHP awesome, I checked index.php for trailing whitespace, and found this snippet of code above the standard WordPress code: That’s a problem. That forum file is, as you might expect, a crap ton…