Remove WordPress Hack

Some days ago we had a problem with an unwanted “Banner” on our WordPress-Blog – promoting  It’s quite easy to find and get rid of the problem. But we did not find a lot of solutions online (mostly related to the Lightbox-PlugIn).


Find the source of the hack…

  • Search with Linux, MacOS X or BSD:

We had a look in all files of our WordPress-Installation with “grep” (It’s a nice Linux command-line tool –

grep slot -r DIRECTORY/*

This command looks into all files for the string “slot”.


  • Search with Windows and “Notepad ++”:

Windows and Notepad++

In our case the SocialMedia Share-Button PlugIn was the injection/hack !

…and get rid of it

We just deleted the PlugIn – we don’t want such a messy PlugIn.

Getting deeper

Looking into two file in the PlugIn-directory is quite interesting:

  • widget.php contains the Link/Code


  • welcome.txt seems to collect the IPs of the LogIn-Users/Admins