The two most common PHP injections you will find in most CMS like WordPress are:




Thankfully ClamAV can pick these up without issue but a lot of times they are legitimate files that have been injected so you cannot just remove them.


Thankfully again, the injections are lazy and simply get placed on the first line of the PHP script however, on that same line is the opening PHP tag for the actual script so doing a find and remove all for the first line will break your install.


Using the following command will search ALL PHP scripts for the injection and output the path+filename to a file named ‘infected’.


# for i in USER ; do cd /home*/$i/public_html/ ; find /home*/$i/public_html/ -type f -iname '*.php' | xargs grep -l 'sF=\|qV=' >> infected ; done

*Replace the 4th word USER with the actual cPanel username.


Once done, I normally go through some of the infected files to ensure they are indeed infected, then run the following:


# for i in `cat infected` ; do sed -i 1d $i ; done

This first line will go ahead and remove the first line of all the injected files, however this will also remove the opening PHP tag so to put that back in order to not break the script(s) we now run:


# for i in `cat infected` ; do sed -i -e '1i\<?php\' $i ; done

And you are back in business.


Please note, this in no way ensures that your CMS is now cleaned and it in no way prevents the intruder from getting right back in, you should also do a clean install of WP, reinstall plugins, themes, etc. We have an article written below to guide you on how to do that.–a-wordpress-site-after-being-hacked/

Related Articles


  1. Can you please explain a bit better on what to do step by step, I followed the few steps you provided via SSH and nothing happened. Using the code you provided, nothing happens. Could you please provide a better alternative / code. I currently have 40+ files with these findings and I need to use this method to preserve them as best as possible.

    Thank you.

  2. Are you replacing USER with your cPanel username? I also updated the code in case your user doesn’t exist in /home as sometimes it can be else where like /home2 /home3 etc

    Just replace USER with your cPanel username, and copy / paste into SSH. This article also assumes you are using cPanel, if not, your path may be different so in that case, you can just cd into the folder where your WordPress install is and run:

    find . -type f -iname ‘*.php’ | xargs grep -l ‘sF=\|qV=’ >> infected

  3. Justin, thanks for the reply.
    Firstly, we do have cpanel and a VPS with WHM. And we have a Joomla site, I hope that is not much of a difference regarding this article and the code.
    And yes I am replacing the USER with the cpanel username.
    It just freezes for a few seconds then goes to home/USER/public_html.

    Any tips?

  4. That means it didn’t find anything then.

    Use this, in the public_html directory:

    find `pwd` -type f -iname ‘*.php’ -exec echo {} \; -exec head -1 {} \; | less

    This will show you the first line of every single PHP script it finds. 9 times out of 10 the injection will be within the first line of code. Just use the “Page Down” key on your keyboard to scroll through the scripts.

Leave A Comment?