Unwanted ads - my website might be hacked

Hello, I have recently noticed that my site has been displaying small text ads in the header section near the social icons. The ads are only showing up when using Google Chrome. I ran a Theme Authenticity Checker plugin and it indicates that there is “Encrypted Code Found”. The following line of code in the functions.php file was highlighted as the culprit: Line 7: “base64_decode(strrev($azland))));}…” would this be safe to delete?
Thank you so much.

Your website appears to be hacked. base64_decode is not included with theme and it is in most cases by used by hackers to hide the actual code from users. Removing it from header might not be enough since there might be some other code hidden somewhere.

At first remove this base64_decode code and then check if it doesn’t come back, if it does make sure to backup your website and start cleaning process. Your are definitely hit by some malicious attack but I am not yet sure how badly.

Thank you so much for your prompt reply. I removed the line of code mentioned above but the little ad is still there. I do understand that you are not general WordPress tech support but with me being new to WordPress and not very good at php, do you or anyone else have any recommendations of where I can go to learn the steps on how to clean up my site?

Thanks again,

If the ad is still there it means that the code recovered itself and it is spread elsewhere than just in header.

Since we can’t be sue what files are affected you should do the following things:

  1. Remove all themes (even default ones)
  2. Remove all plugins

Then install some default WordPress theme to see if this code is still there. If hackers were smart enough then code is added elsewhere than these files but this is the best way to start.

If the code is back then do a clean WordPress install and use only your current database (database can also be hacked then it would be even trickier to clean your website) and your uploaded media (images).

It is actually a very tricky process if you are not familiar with WordPress structure, logfile reading and some PHP coding because you need to trace down the main file or function which is used to install and restore this malicious code when you are trying to clean it.

So start with removing plugins and themes and check it it does anything and then continue from there. It is very likely that there is some malicious files in your website root, wp-content or even between your WordPress files.

There are also services that helps you to clean hacked websites and here is one such service: sucuri.net

Thank you so much Aigars for getting back with me and the info. I contacted my host provider and they did a scan and located all the infected files. I deleted the ones they indicated and reinstalled my theme. A rescan by my provider came up clean so hopefully all will be good now.
I really want to thank you for the information, as a “newbie” to the WordPress world, it’s the people like you that makes WordPress so great. Thanks again.

I’m glad that you managed to fix your website. Nice to hear that your hosting provider helped you with website cleanup because not many does this without charging extra or just ignoring it altogether.

Now make sure that you change your FTP password, WordPress password and other password associated with your website because you never know how hackers gained access to your website.