Spam SEO in my website build with Beaver

Unfortunatly, I discover bad code in my page : 2 javascript and a div with display:none containing link to porn website.
I opened a lot of php files without to find where this code is injected. Perhaps somebody could help me ?
The code is just after the header and just before the footer


I think the first one is called by do_action( ‘fl_after_header’ );
or by do_action( ‘fl-before_content’);
or with FLTheme::header_layout();


but I don’t find where these do_action are.
Do you have an idea ?

Thanks a lot !!!

Its likely your malware is using the WP wp_body_open action which all themes use. Removing the action is not going to remove the malware, install a malware scanning plugin, wordfense something like tht and let it scan your files, click the reinstall wordpress button and manually delete and reinstall your theme and plugins, dont forget to change your passwords.

Thanks a lot for your quick reply !
I already installed Wordfence, Sucuri, Antimalware … The last one had found bad files and a bad entry in the database. So, it get them in quarantine (I hope the word is good, i’m french). Perhaps the malware is removing but the code stays into a php file ?

is it possible to find this wp_body_open ?

You speak about the reinstall wordpress button. Where is it ?
I have a copy of the website, it is 3-4 month old. But it seems to be clean. Perhaps I can just copy its files to the prod website ? I’m afraid of losing elements, there are many plugins …

It might not even be that action, its a core wordpress action that all themes use. If you are still seeing the spam then your site is still infected, removin the action wont remove the malware. Perhaps you should ask your host, some of them help to cleanup malware.

Thanks for the advice. But it’s really annoying because I’ve been searching all the folders for strange filenames for several days; opening files, to find malicious code, looking of file date if a file would have a date that not match any other …
I don’t understand why none of the security plugins can tell me what the infected file is !