The WordPress boo-boo turned out to be a worm

blog

The "Cannot redeclare _verify_isactivate_widget()” turned out to be a worm and not a WordPress error. After I ended up deleting most of my themes, I began digging around to see if it’s really an error and what caused it. It turns out to be a worm that spreads by infecting the functions.php file of every theme installed.

I have a feeling I know how it infected my blog. When I was using a plugin called Theme Test Drive I decided to delete one of the inactive themes and replace it with a newer version from the WordPress.org repository. I can’t remember what theme it was, but the first time the site was disabled was when I tried disabling that theme.

I assumed it had something to do with how WordPress 3.x handles the sidebar widgets, but apparently it’s not the case. The only way to remove the infection (I hope it’s for good) is by disabling the blog and do either of the following via FTP:

  • Copy all your themes to your local machine and clean the bad code from each functions.php file in each of your themes and reupload
  • OR, If you have the original clean copies of your themes, reupload/replace functions.php from all of your themes (there might be more than one functions file per theme)

Trying to edit the functions file via the WP editor will do nothing, as soon as you save the file the code will be reinserted.

This post (4th on the thread) shows a similar code that yields the same error when you try to activate some themes, the only difference with what I had is the first line of code (8th on the post) was function _verify_isactivate_widget(){, but the result was the same. This post also has a similar guide, though everything comes down to editing the files one by one, or replacing the affected files with clean versions from the original themes (if you still have the original files).

I think the reason some themes crash is that the infected code adds a closing php tag just before adding itself, so since many themes simply don’t have one there it pretty much breaks the file.

For now all the themes seem to be working fine.

9 Comments

  1. Thank you for posting this. I downloaded a free theme and found similar suspicious code in it. I googled the function name and ended up here. Good thing I never activated the theme!

    1. I’m glad you found out about this before activating the theme, you saved yourself a lot of trouble.

      1. Yeah I intended to try it out in a virtual machine because the code looked suspicious. From what I read, it looked like it was going through all the files in the themes directory and writing something into them.

        1. That’s exactly what it does, it infects every theme’s function’s file, I just don’t know what exactly is the point of this worm though.

  2. Pingback:OOPS! I think I made a boo-boo

  3. Got that too, but it’s local. Did you manage to identify how the worm works?

    1. Not really, I’m still not sure if it got to my WP install via a theme or a plugin, but I ended up deleting most of my themes and replacing the functions file on all of the ones I kept. I’ve been checking the files once in a while and they seem to be still intact, but it would be nice to find a permanent solution other than replacing files.

      1. A permanent solution would be to write a PHP function that does the reverse of the “said” worm. As the code is the same in all functions.php files, just find it and replace it with nothing (using the str_replace() function, and fopen(), fput() and fclose()). I did clean the files manually, too.

        1. That would be nice, but I’m a noob at PHP :(….but I’m sure the internet will love you if you come up with one, whatever saves us WP admins the time of having to clean files manually.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.