kirkstudio

https://www.languageofhitting.com/

This is still a conflict. I just discovered today that the themed profile page for theme my login gets redirected back to the real profile page. It does not happen when I disable all in one security.

Yes, first thing I tried, but then it would only print the sections marked “print-only” and not the rest. But after days of trying different things, I found that if I set the content selected by to WP template, then “print-only” started printing in addition to what was already printing. I think I can make a workable solution now.

Thanks,
Kirk

Never mind, I just had t increase the memory.

I tracked the issue. It was a conflict between your plugin and All-in-one wp security.

It had nothing to do with the htaccess rules the plugin set up, though. In fact I turned of all of the security settings, so essentially the security plugin was not doing anything, but there was still a conflict that was only resolved when I disabled the security plugin entirely.

I installed wordfence to help with security and that seems fine.

Thanks

Can you tell me what you are running to generate the:

Request URL:https://muhlenkamp.com/wp-admin/admin-ajax.php
Request Method:POST
Status Code:500 Internal Server Error
Remote Address:207.36.184.40:80

error? So I can do some trouble shooting.

This site is on a vps, so I have access to the error logs but I do not know what to look for. I can see the 500 error generated by the accessing of admin-ajax.php, but it does not give me any more info than that.

I have removed all of the htaccess rules created by all in one wp security plugin. Can you run that test one more time and let me know if you get the same error?

Thanks

I purchased this application through the theme jobseek, so your website will not let me submit a ticket as it does not have a record of me purchasing this plugin.

Not hacked all weekend. I think I got it. I am going to guess that the injection came through the dompdf software outside of wordpress, but once I removed it, I need to redo all of the above things a second time to remove all further injections.

No Luck, Hacked again last night. Now,

I have replaced all of the core files again,
deleted all of the plugins and reinstalled them,
reinstalled my theme,
combed through the uploads folder and found no files except for images,
changed ftp, mysql, wordpress passwords,
reset the wordpress keys

Does anyone have any other suggestions on what I can do to try to eliminate this injection or anything else I can do to try to figure out how it is being done?

Thanks,
Kirk

I think I found it. I went into my cpanel an looked at the raw access log to see all of the pages of my site that were accessed overnight. It looks like a file was added to another piece of software that I had in my root outside of the wordpress structure. It was dompdf, a software I used to use to create pdf documents. There was a malicious file inside it’s structure. I completely removed this, since I don’t use it anymore. I guess I will know tomorrow if this was the issue.

It happened again this morning.
The follow line of code is being injected into wp-includes/pomo/mo.php:

require_once dirname(__FILE__) . ‘/config.php’;

I just can’t figure out how they are doing it.

I believe it is maliciously, the one file changes every evening and wordfence tells me it does not match the wordpress core. One additional line is added.

Yes