Wordpress Themes - WP Forum at BFA


rainbow Sep 9, 2015 09:23 AM

Apparent Atahualpa theme file triggering AV trojan warning
 
Although my site seems to be functioning normally, my Avast antivirus is sending a trojan alert when I try to download theme backup files. I have been able to identify the problematic file as /public_html/wp-content/themes/atahualpa/functions/bfa_get_option.php. This file has a different (more recent) date from all of the other files in the directory.

I notice there is also a very similarly named file in the same directory, bfa_get_options.php, which has the same date as all the other files. Should wp-content/themes/atahualpa/functions/ contain both a bfa_get_option.php and bfa_get_options.php file, or can I safely delete the get_option file?

juggledad Sep 9, 2015 10:22 AM

There is NO bfa_get_option.php in the theme - there is a bfa_get_options.php

I would take a look at that file BEFORE you delete it to see what was in it. If it is not the normal code it is probable that your site has been hacked and you need to deal with that.

rainbow Sep 10, 2015 05:11 PM

My AV program wouldn't let me open bfa_get_option.php before deleting (but I'm OK with that). I deleted it from my WordPress installation and happily, my site didn't break. I am now able to create downloadable backups of my theme files (though thanks to your excellent save all settings option, I was not nearly as freaked out that I couldn't save backups as I might've been - I have done a LOT of customization on my site, so I really appreciate that feature).

I'm not sure what else to check. I asked my ISP, but they didn't reply. Anyway, I know that's not your problem. Thanks a lot for the swift reply.

juggledad Sep 11, 2015 12:18 AM

It's too bad you deleted it, you have lost a piece of forensic evidence. Looking at the date the file was last changed would have been helpful because you would know the point when you may have been hacked.

To be safe, you should do a Google search 'wordpress site hacked' and follow thru with the suggestions you find.

rainbow Sep 12, 2015 12:34 AM

I did note the date before deleting - Sept. 6th. Surely I don't want to open a file that has been identified as a possible trojan on my computer?

juggledad Sep 12, 2015 12:54 PM

'I' would have opened it in a text editor to see what was in it. Comparing it to the original code would have shown what was changed/added and given a clue as to what hack was used. This would be something you could take to your host.

As it is, if the file was changed September 6th and you didn't do it, you have been hacked and that might not be the only file that was compromised.

I'd also look thru ALL the files in the wordpress root to see if anything else was changed on September 6th, then I would reinstall all the wordpress files, plugins and all themes.

Change all passwords in the database and on your channel and ftp accounts and run a scan on your PC and any other PC that you or anyone with admin rights may have used to access the site.
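
Added example, not part of the thread and not Atahualpa code: one way to run the comparison and the date sweep described above, checking a live theme directory against a clean copy of the same theme version. The function names `audit`, `put` and `demo` and the sample file contents are hypothetical; the clean copy is assumed to be unpacked from a fresh download.

```python
import hashlib
import os
import tempfile
from datetime import date, datetime

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def list_files(root):
    """Map each file's path relative to root to its full path."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root)] = full
    return found

def audit(live_root, clean_root, suspect_day):
    """Compare a live theme directory with a clean copy of the same version."""
    live, clean = list_files(live_root), list_files(clean_root)
    report = {"unknown": [], "modified": [], "changed_on_day": []}
    for rel, path in sorted(live.items()):
        if rel not in clean:
            report["unknown"].append(rel)    # file the theme does not ship
        elif sha256(path) != sha256(clean[rel]):
            report["modified"].append(rel)   # shipped file, content differs
        if date.fromtimestamp(os.path.getmtime(path)) == suspect_day:
            report["changed_on_day"].append(rel)
    return report

def put(path, text, when):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)
    os.utime(path, (when.timestamp(), when.timestamp()))

def demo():
    """Constructed sample trees; file contents are placeholders, not theme code."""
    tmp = tempfile.mkdtemp()
    for tree in ("clean", "live"):
        put(os.path.join(tmp, tree, "functions", "bfa_get_options.php"),
            "<?php // placeholder\n", datetime(2015, 3, 1, 12))
    put(os.path.join(tmp, "live", "functions", "bfa_get_option.php"),
        "<?php // placeholder for the unknown file\n", datetime(2015, 9, 6, 12))
    return audit(os.path.join(tmp, "live"), os.path.join(tmp, "clean"),
                 date(2015, 9, 6))

if __name__ == "__main__":
    print(demo())
```

Modification times can be reset by whoever wrote the file, so treat the `changed_on_day` list as a hint and the `unknown` and `modified` lists as the stronger signal.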

rainbow Sep 18, 2015 01:12 PM

When I do a settings export, does that settings file include my css inserts, or do I need to back those up separately?

juggledad Sep 18, 2015 05:05 PM

The Atahualpa export contains ALL the Atahualpa settings. Since the CSS inserts are an Atahualpa option it gets exported.

rainbow Sep 19, 2015 01:51 AM

Excellent! I know I already said thanks for that feature, but after spending way too much of the day screenshotting the settings of every plugin and widget I use in preparation for reinstalling my site, I have a whole new level of appreciation for it! How I wish everyone else would make you their role model!


All times are GMT -6.