Forum Replies Created

Viewing 15 replies - 31 through 45 (of 56 total)
  • Thread Starter frasermarlow

    (@frasermarlow)

    OK, one final post on this subject (I hope). Somehow, mysteriously while I was working on a second WP setup to do some testing, the exploit on my main WP site disappeared.

    Now I am not one to jump to conclusions and blame the hosting company, but I do know the site is on an older (not WordPress dedicated) hosting environment, and as I mentioned @godaddy in the thread, I am wondering if my speculation wasn’t correct: the issue was with the shared server and quietly got fixed.

    This would make sense since you would need higher level access to the server to exploit the root-folder of the various domains.

    This said, I would love to get back my two days of billable time and all the files I purged off my server as I worked round the clock to tackle this issue :-/

    Thread Starter frasermarlow

    (@frasermarlow)

    Additional note: besides restricting FTP access to one user and changing the password to a long randomly generated one, I have changed the log-in on the WP install to only using CLEF, so those two doors are fairly well secured. I must still have a window open somewhere.

    Thread Starter frasermarlow

    (@frasermarlow)

    OK, thanks and understood.
    I followed Mark’s notes, purged the entire site, changed all passwords (WP-admin and FTP), I reinstalled WP from the GoDaddy console, reinstalled the Theme from new. The only files I brought back from the original install was the uploads folder (which contains only images) and then I reloaded the database from an SQL export.

    A couple of hours after I complete the reinstall, the same hack reappeared.

    This said I have a second instance of WordPress running on the same server for another project and that one has not been compromised.

    So to pick up from my duplicate post, I am curious to get pointers on how this hack can reference PDFs listed on my server (ostensibly) such as [ redacted ] when I can’t locate any of these many PDFs in my file system and the .htaccess file looks clean.

    Thanks

    Thread Starter frasermarlow

    (@frasermarlow)

    Hi Mark, you are correct. The issue reappeared a few hours later. Also the XML site map is compromised in a major way. This seems quite a widespread attack on many WP sites. I am surprised not to find any others documenting this issue, but maybe I am just not finding it?

    Thanks for the links – it does look like an overhaul of the accounts, and a fresh install might be the logical way to go.

    Ugh.

    You can also try restarting your browser and using anonymous or incognito mode (depending on the browser you use). Others have reported this issue and claim clearing the local browser cache was the solution:

    418 Unused page error

    You might have an issue with file permission settings on the server. Do you have FTP access? If so take that route, and find the files in wp-content/themes/name_of_your_theme (ideally you have a child theme set up!).

    Thread Starter frasermarlow

    (@frasermarlow)

    Sorry: correction that should be the WP-includes folder. Not the WP-admin one.

    When I have encountered a challenge like that, it is worth trying several things:

    1) selectively disable plug-ins and see if that sorts the issue.
    2) try with an alternative theme and see if it is theme-related
    3) If you kept a fresh copy of the files, overwrite the entire wp-includes folder via FTP (no need for CPanel to do this) and start with a fresh copy.

    Please also let us know if this has just started acting up or if this is a new install (and has been an issue from the initial install). What theme are you using? I was using Avada on GoDaddy and had to boost the memory allocation for better performance.

    Thread Starter frasermarlow

    (@frasermarlow)

    I seem to have found a resolution, so I will document it here for the benefit of anybody else facing the same issue. I overwrote the entire WP-admin folder, and this flushed the issue out (i.e. these are not links in the WP database, but somehow fed in via js or some other method.) I have backed up the old set of files and will do a comparison to see if I can spot the exploit.
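One way to run the comparison mentioned in the post above is to hash both copies of the folder and list the differences; this is an added example, not part of the original post. It assumes the fresh copy is the same WordPress version as the backed-up one; the function and directory names are hypothetical and the sample files are constructed.

```python
import hashlib
import os
from pathlib import Path


def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_symlink():
            # Record the link target instead of following it out of the tree.
            digests[rel] = "symlink -> " + os.readlink(path)
        elif path.is_file():
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(fresh_dir, backup_dir):
    """List files added to, missing from, or modified in backup_dir."""
    fresh, backup = hash_tree(fresh_dir), hash_tree(backup_dir)
    common = set(fresh) & set(backup)
    return {
        "added": sorted(set(backup) - set(fresh)),
        "missing": sorted(set(fresh) - set(backup)),
        "modified": sorted(p for p in common if fresh[p] != backup[p]),
    }


def build_demo_trees(base):
    """Constructed sample data standing in for the two wp-admin copies."""
    trees = {
        "fresh": {"index.php": "<?php // stock\n", "about.php": "<?php // stock\n",
                  "js/common.js": "// stock\n"},
        "backup": {"index.php": "<?php // stock\n",
                   "js/common.js": "// stock\n// appended line\n",
                   "css/extra.php": "<?php // not in the release\n"},
    }
    for name, files in trees.items():
        for rel, text in files.items():
            target = Path(base, name, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
    return Path(base, "fresh"), Path(base, "backup")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in compare_trees(*build_demo_trees(tmp)).items():
            print(kind, paths)
```

Files reported as "added" or "modified" in the backup are the ones to open and read first; "missing" entries usually just reflect a version mismatch between the two copies.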

    Hi Kevin,

    Use the Chrome or FF browser in anonymous mode. This would help with any browser-caching or other account conflicts.

    Also can you confirm your computer has decent speed when accessing the net otherwise (i.e. when doing something other than working in WordPress)?

    Give that a go and let us know if it helps.

    Hi Hunter.
    I use GoDaddy on several installs and have not had issues in terms of GoDaddy keeping the lights on. Strangely their phone support is much better than their online chat support, for what that is worth. But they do draw the line at providing application support (i.e. as long as WordPress is running and the database is up, from then on it’s up to you).

    In my experience some themes perform better than others. I am not sure if this is GoDaddy related, but the issue you are describing is similar to issues I have seen (for instance with the media uploader hanging). The only solution I have found is to switch themes or overwrite the WP-includes folder with a fresh set of theme files.

    This said, if you can give us a more detailed explanation of the issue, we might be able to help – for example assigning more memory to WordPress can be done on GoDaddy by editing the wp-config.php file.

    Thread Starter frasermarlow

    (@frasermarlow)

    Additional note – this exploit is pointing to PDFs pulled from my site such as [ redacted ] but I can’t locate that in the root folder or anywhere else on the server… Any clues where that might be hidden?

    It’s under the generic WordPress menu ‘Appearance’ in the admin console.
    Then look for ‘Theme Options’
    Then look for the ‘tab’ called ‘Blog’
    Then scroll down and it’s second option from the end called “Single — Related Posts”… “Shows randomized related articles below the post”

    Hey Max, can you provide a link so we can see what you mean? This will probably require an override in your child theme functions.php if it can’t be handled in the homepage page template … Thanks.

    Also, regarding the question of changing the color of links, these items are nested, so in your custom CSS file you need to specify the full depth of the style as follows:

    .widget_recent_entries > ul > li > a { color: red; }

    But please don’t use red because it’s an angry color.
