
WordPress Parse Errors – Unexpected Character is Displayed Error Message

Author: AITpro Admin
Published: May 14, 2010
Updated: May 14, 2010

The original question was regarding a WordPress website that was suddenly getting Parse errors. The particular unexpected character in the error message was the less-than character <, which is typically used to open or close coding statements. It is possible that there was a coding error, but more likely the website was hacked.

It appears that your WordPress website has been hacked. I checked your WordPress default login script and you can access your login page > yourdomainname/wp-login.php. Also I can view the yourdomainname/sitemap.xml for your site. So this tells me that it is not a website sitewide problem, i.e. files or folders moved, or PHP wide or SQL wide problem. It is an isolated code error. I have seen this parse error a million times before on hacked WordPress websites. 99.99% sure that this was an XSS – Cross Site Scripting attack, which will inject malicious code into any vulnerable php pages or .js files on your WordPress website that are not protected by an .htaccess file that contains Query String Filter code to block malicious XSS code exploits. I have added the .htaccess file below that I use on all of my websites and all of my clients' websites. It is 100% effective at blocking XSS Query String Exploits.

The damage is already done to your WordPress website so now you have some repair work ahead of you. I see that the site is hosted on GoDaddy. GoDaddy has an automated backup system that backs up your entire website on a regular basis. It is very similar to an XP System restore, i.e. a Calendar with a restore point (calendar date) that you pick to restore from. It is kind of confusing if you have never done a GoDaddy restore from backup before. I recommend you have a GoDaddy Tech walk you through it. Anyway, basically what happens is you are copying backed up website files from a GoDaddy server backup location to your current site in a new folder. Since they will be copied to a new folder you will then have to manually copy those files and folders – overwriting your hacked or damaged WordPress website files. The extra step is intentional – Done this way to protect you and GoDaddy from accidentally performing an automatic restore and overwriting your website files by mistake.

Most likely your WordPress SQL database has been compromised as well. Instead of trying to explain what you will need to do here to fix that I definitely recommend you contact GoDaddy Tech support to have them check your WordPress SQL DB. Typically an additional table is created by hackers instead of getting into your main WP SQL DB. It acts as a piggy back DB table and I guess just as a joke usually has a name that contains “piggy” in it. Silly stuff these guys do I swear.

CAUTION: this .htaccess file code is only for WordPress websites installed at the root of the domain. Add your folder name / path to the RewriteBase and Rule if your site is not installed in the root. For HTML sites just replace index.php with index.html.
CAUTION: this is a very restrictive .htaccess file that interferes with a couple of admin functions because the Query filter detects the execution of those commands as attack threats and they are blocked. Those areas are configuring Widgets and Installing new Plugins. What I am doing for now, until I write a WordPress plugin to automate this, is to have 2 .htaccess files on the site root domain. 1 named secure.htaccess and one named default.htaccess. To enable either one you just remove the first part of the file name so that what you are left with is just .htaccess. This is a bit of a minor nuisance for now until I write that WP plugin, but consider the alternative – hours of fixing your hacked website. ;( I have not decided on a name for the WordPress Plugin that I will be writing in the near future so I can’t tell you what to look for in the near future. Maybe WP-LockDown or WP-BulletProof? If you want you can register at my site and when I release my new plugin I will email anyone who has registered at my site. I HATE SPAMMERS so the only time you will ever get an email from me is if you requested for me to contact you.

NOTE:  The rest of the answer is no longer relevant and was not posted here since the BulletProof Security Plugin has now been released.
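
For the restore step described above, where the backup is copied into a new folder and then copied over the live files by hand, the following added example (not part of the original answer or any GoDaddy tooling) hashes both trees and lists which live files differ from the backup, which exist only on the live site, and which are missing from it. The folder names and sample files are constructed, and the restore folder is assumed to sit inside the live site.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_tree(root, exclude=None):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = os.path.abspath(root)
    exclude = os.path.abspath(exclude) if exclude else None
    digests = {}
    for dirpath, dirs, files in os.walk(root):
        # Prune the restore folder when it sits inside the live site.
        dirs[:] = [d for d in dirs if os.path.join(dirpath, d) != exclude]
        for name in files:
            full = Path(dirpath, name)
            rel = full.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(full.read_bytes()).hexdigest()
    return digests

def compare_restore(live_root, restored_root):
    """Classify live files against the restored backup copy."""
    live = hash_tree(live_root, exclude=restored_root)
    backup = hash_tree(restored_root)
    return {
        "modified": sorted(p for p in live if p in backup and live[p] != backup[p]),
        "added": sorted(p for p in live if p not in backup),
        "missing": sorted(p for p in backup if p not in live),
    }

def build_sample(base):
    """Constructed sample: a small live site with the restore folder inside it."""
    live = Path(base, "site")
    restored = live / "restore-folder"  # hypothetical name for the new folder
    files = {
        live / "index.php": b"<?php // unchanged\n",
        restored / "index.php": b"<?php // unchanged\n",
        live / "wp-includes/functions.php": b"<?php // original\n< constructed stray character\n",
        restored / "wp-includes/functions.php": b"<?php // original\n",
        live / "wp-content/uploads/extra.php": b"<?php // not in backup\n",
        restored / "readme.html": b"<html></html>\n",
    }
    for path, data in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return live, restored

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in compare_restore(*build_sample(tmp)).items():
            print(f"{kind}: {paths}")
```

Files reported as added deserve a look before the manual copy, because overwriting from the backup leaves them in place.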

Official WordPress Forum – Parse Errors
