Latest Website Security and Cybersecurity Updates

Call now for Live Immediate AssistanceCall+1 (844) 260-2204


October 20, 2022 | By Admin

1 Star2 Stars3 Stars4 Stars5 Stars (17 votes, average: 4.71 out of 5)

Hidden advertising in functions.php and footer.php

Researched by: Goshko Stanislav

If you noticed that your website has been displaying unauthorized text ads anywhere within its pages such as in the header sections or the area where your social icons are located then, unfortunately, your website has been hacked.

These unauthorized ads may show up on any browser or may be specific to just one, such as Google Chrome. Many codes may even spread malware as they are usually hidden in JavaScript and iFrame codes.

Hidden codes such as these can affect anyone who visits your website and may even install unwanted toolbars, trackers, or malware onto their computers.

If Google notices your website is doing this then it will block and remove your website from its search results!

In our research we found themes that cause your website to do something you didn't initially want it to do – advertise and redirect end users back to someone else's website or even worse spread malware.

The below list is just a small sample of the themes we have uncovered that are not at all what they seem to be and are full of hidden codes the developers don't want you to know about.

Infected Wordpress Themes Still On Functions

Throughout this CDN for WordPress themes within the "functions.php" file, we discovered various lines of encrypted code. These codes are being used by hackers to hide the actual code from users.

For example, we uncovered the following encoded PHP code:

Infected Wordpress Themes Still On Uncovered Functions

Simply deleting encrypted codes may not be enough, considering it can have the ability to recover itself and spread elsewhere.

Therefore, to determine what files have been affected we begin by decoding blocks of the PHP code and then we can begin to have a better understanding of what we are dealing with.

Here it is decoded:

Decoded - Infected Wordpress Themes Still On

After analyzing these two pieces of code it was clear that the code included hidden advertising. Making matters worse the links can redirect your web traffic to sites with worse effects such as spreading malware.

So we wanted to dig further and see what other files we can find that have these "unauthorized advertising™ codes "our list of infected themes grew:

Infected Wordpress Themes Grew

The encoded PHP code in hxxps:// revealed the following:

The encoded PHP code in Infected Wordpress Themes

And after decoding the PHP code we get:

After decoding the PHP code in Infected Wordpress Themes

WordPress provides many theme choices ranging from free to paid.

Although the free themes may come inclusive of display advertisements while the paid themes are less likely to have them, either version are susceptible to being hacked and displaying unwanted advertisement and redirecting your users to other sites.

Our findings realized that the developers of these codes use a multilayered encryption technique making it extremely difficult to discover and remediate.

Attempting to delete the code base64_decode may not be enough.

So we recommend starting by:

1. Backing up your website before any cleanup action is taken

2. Scan your website to locate the infected files

3. Remove all infected themes + files + plugins

4. Install a default WordPress theme to identify whether the code is still present

This is just a start in your remediation process, although it is very likely that there are some malicious files within your website root, wp-content or even between your WordPress files.

Having malware removal experts investigate and remove the files is highly recommended to ensure a completely clean website.

If your experience such an infection, please feel free to contact us at cWatch Web for a free consultation that will include a complete website scan as well as the removal of any found malware.


Goshko Stanislav - Security analyst

Goshko Stanislav

Security analyst with deep knowledge of network security and

reverse engineering.

At this moment working at COMODO, more

information can be found at:

Enterprise website security

Related Resource

Cheap CDN

Best CDN List


Pay as You Go CDN

Free CDN

Website Vulnerability Scanner

Website Malware Scanner