If there is a one-line include statement @include in the index.php in the top directory of WordPress or in the theme, etc., it is highly likely that the site is infected with malware.


Malware infection by wordpress@include

This malware is the most commonly detected type of malware.
It modifies and embeds include statements with the following characteristics in the top directory of WordPress or in a PHP program called index.php included in the theme.

Random string comments above and below the @include statement
Tampering with a single line of @include that reads another file on the server

What does this tampering do?

The function of this tampering is basically code that reads and executes the body of the malware in a separate folder from index.php, which is executed on every page on the site.

This causes the main malware function to be executed on every page of the site when a user visits the site.
The @ in @include means that the error is not displayed even if the loading destination disappears.

The main body of the malware being loaded by @include is located at the path indicated by the string that follows it, but in many cases it is obfuscated so that it is difficult to tell where it is just by looking at it.
Click here for a tool to remove the obfuscation.

The random string of comments above and below the @include statement are identifiers that the malware itself or other backdoors can use to inspect the malware to see if the embedding has been erased by tampering.

What if @include tampering is found on a WordPress site?

In this case, it means that the WordPress site has already been compromised and hackers are free to tamper with the site. It is highly likely that there are multiple malware embedded or vulnerabilities in the site, not just @include and its body.

Therefore, malware removal and security measures must be taken for all sites on the server.
(If one site on the server is infected, the infection can spread to other sites across folders starting from that site.)

Malware scanning and removal can be done to some extent with plug-ins.
Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].

Reference articles on security measures
5 Free WordPress Security Measures

Related Posts:

  1. 5 characteristics of malware files that infect WordPress
    Here are some characteristics of malware files that can infect WordPress. If such a file is found on the server, it is most likely malware....
  2. What is Japanese SEO Spam, a type of WordPress malware?
    We will explain about Japanese SEO Spam, which is a malware that embeds fake Japanese product sites in WordPress....
  3. What are the strongest permissions to prevent malware infection in WordPress?
    We will introduce the strongest file write permissions (permissions) to prevent malware infection in cases such as repeated malware infections in WordPress....
  4. File containing index.html.bak.bak infecting malware index.php
    This section describes malware files including index.html.bak.bak that infects index.php....
  5. Chinese Malware (Backdoors) Increased in WordPress
    Recently, Chinese malware (backdoor) has been spreading through WordPress. We will explain about this malware....
  6. 10 unauthorized WordPress access files
    Here are the most common unauthorized accesses that hackers target WordPress as of September 2023....