Spam links posted in my Wordpress blog posts

by Toby A
Hi folks,
I am working on a wordpress site and have hidden it from the public whilst I'm doing this by using a Coming Soon plugin by SeedProd (I also had the Mojo plugin doing this at the same time).

I recently noticed that when navigating to my home page, or a post, the page would auto redirect to some other website. When this happens, the first URL I see in the browser address bar is adrequest[dot]xyz/lady[dot]php, and then I see it change again to the URL of another site which then loads up.

I have looked online for help, but it seems that the popular plugins Akismet and Spam Bee seem to be designed to manage spammy blog comments, and not spam injected into the actual posts themselves.

Does anyone know how to:

1. Prevent these people (if you can call them that) from placing more links into our WP posts and pages?
2. Remove the spam links they have already added?

Any help would be very much appreciated.
Thanks for reading
#blog #links #posts #spam #wordpress
  • Profile picture of the author Toby A
    Update: I have now accessed my site database via the CPanel, and removed the spam javascript.
    I have also changed the database user, and the new db user has a new password.

    I have also changed some other passwords.

    However, I am still left wondering how they got into the website? ... Also, if you have any suggestions as to how to prevent this from happening again, I'd be grateful for your feedback.
    • Profile picture of the author Arta S
      Can you elaborate on how you fixed it? What did you remove exactly?
      • Profile picture of the author Toby A
        Originally Posted by Arta S View Post

        Can you elaborate on how you fixed it? What did you remove exactly?
        Thanks for replying.
        I removed this code from here in phpMyAdmin: https://www.screencast.com/t/JamkzIsChBtN

        I assume this box was supposed to be empty[?] .. I'm not sure because I'm not a Dev.
        • Profile picture of the author Arta S
          You did it correctly.

          This virus is an advertising malware that can come to your wordpress and spread to all your theme, plugins and database. Just be sure you remove any weird user, change file permissions correctly (Files 644 and folder 755).

          Just to be sure, change all your passwords, database password, and also change the file permission for wp-config.php to 444 (Readable but not writable)

          Since this is just javascript, most common server side antivirus won't detect it. I made a report a few minutes ago to major security plugin companies.

          Note: Don't install anything you find on the internet. Always review the files.
  • Profile picture of the author cheaphosting
    Might be worth using the WordPress export plugin for all content, exporting theme settings and then doing a re-install. Did you purchase the theme or is it a potentially dodgy download?
    Signature

    Fast Stable Web Hosting - UK (London) & US (NYC) datacenters / 1 Click FREE SSL / Pure SSD Hosting - www.cheapwebhosting-uk.co.uk

  • Profile picture of the author secretja
    This is because you use a nulled theme, that's for sure.
    • Profile picture of the author Toby A
      Originally Posted by secretja View Post

      This is because you use a nulled theme, that's for sure.
      Please can you elaborate?

      The theme is Altitude Pro (works with Genesis Framework), by StudioPress.
      • Profile picture of the author Arta S
        Not necessarily the theme. It can also get injected by a plugin.
        • Profile picture of the author Toby A
          Originally Posted by Arta S View Post

          Not necessarily the theme. It can also get injected by a plugin.
          Thanks again

          I think my active plugins before the problem were:

          Always Edit in HTML
          Coming Soon Page & Maintenance Mode by SeedProd
          Duplicator
          Easy Genesis Logo Uploader
          Genesis Simple Edits
          Genesis Simple Hooks
          Google Analytics for WordPress by MonsterInsights
          Hello Dolly
          Jetpack by WordPress.com
          MOJO Marketplace
          OptinMonster API
          WPForms Lite


          Others are:

          Akismet Anti-Spam
          Antispam Bee
          Theme Authenticity Checker (TAC)

          _ _ _ _ _ _ _ _ _ _

          Originally Posted by Arta S View Post

          Just to be sure, change all your password, database password and as well change file permission for wp-config.php to 444 (Readable but not writable)
          I changed my passwords, but I haven't tried to change the permissions before, and lack experience in this area.

          On this site;
          https://www.wpbeginner.com/wp-tutori...-may-not-know/ ... section; 6. Override File Permissions it talks about 0644 but not 444, is this the action you were referring to?

          Also, do you have a link that can explain what you said here?
          Originally Posted by Arta S View Post

          change file permissions correctly (Files 644 and folder 755)
          • Profile picture of the author Arta S
            Pretty much the same link explains that. All you need is to learn file and folder permissions and what they mean. 0444 means read but not write. This will prevent spammy plugins or malware editing the wp-config.php file. This file contains your database information and must be well protected. Unfortunately wordpress makes it too easy for beginners to make mistakes that lead to security problems.

            Read what wordpress says about file permissions, also you can learn about 0444 or 0400 file permission here.
            • Profile picture of the author Toby A
              Originally Posted by Arta S View Post

              Pretty much the same link explains that. All you need is to learn file and folder permissions and what they mean. 0444 means read but not write. This will prevent spammy plugins or malware editing the wp-config.php file. This file contains your database information and must be well protected. Unfortunately wordpress makes it too easy for beginners to make mistakes that lead to security problems.

              Read what wordpress says about file permissions, also you can learn about 0444 or 0400 file permission here.
              I have changed the file permissions for wp-config, but it seems HostGator enables you to do this without typing 444 etc:

              https://www.screencast.com/t/Po0AxY6OdV


              ... I have just checked my site again and I see that a new spam link has been added somewhere. I will have to remove it.
          • Profile picture of the author DABK
            Why do you have all those plugins?


            Did you ever look at what JetPack does? Or at Hello Dolly?



            • Profile picture of the author Toby A
              Originally Posted by DABK View Post

              Why do you have all those plugins?


              Did you ever look at what JetPack does? Or at Hello Dolly?
              I thought Jetpack was for SEO. H Dolly is a novelty plugin and one of the oldest, no real functionality.

              ... I was planning to use Yoast for SEO. Why do you ask?
  • Profile picture of the author Lamiasha
    [DELETED]
    • Profile picture of the author Toby A
      Originally Posted by Lamiasha View Post

      you can easily remove those links from your website. you just have to log in to your admin page of wordpress.
      Thanks Lamiasha, I tried that initially but they just kept reappearing.
  • Profile picture of the author Toby A
    Thank you Arta ... I will read through the links and report back.
  • Profile picture of the author Abdou Senni
    Maybe you are using a hacked premium theme or plugin
    • Profile picture of the author Toby A
      Originally Posted by Abdou Senni View Post

      Maybe you are using a hacked premium theme or plugin
      Hi Abdou, I am going to contact StudioPress, the people who made the theme.
  • Profile picture of the author Ownly Digital
    Use Akismet Anti-Spam to avoid spammy links in your WordPress blog
    • Profile picture of the author Toby A
      Originally Posted by Ownly Digital View Post

      Use Akismet Anti-Spam to avoid spammy links in your WordPress blog
      Isn't Akismet for blog comments only?
  • Profile picture of the author CloudAnalogy
    Use anti-Spam software or Plugin to avoid Spam user and link from your Blog
    • Profile picture of the author Toby A
      Originally Posted by CloudAnalogy View Post

      Use anti-Spam software or Plugin to avoid Spam user and link from your Blog
      Do you recommend a good WP plugin for this? ... most of the plugins I found were for blog comments.
  • Profile picture of the author ryanbiddulph
    I closed comments - after getting 11,000 legit ones - to avoid this spammy silliness
    Signature
    Ryan Biddulph, Blogger, Author, World Traveling Digital Nomad
    If you want to become a full time blogger you can buy my eBook here
    • Profile picture of the author Toby A
      Originally Posted by ryanbiddulph View Post

      I closed comments - after getting 11,000 legit ones - to avoid this spammy silliness
      I am not using comments, and the site is still hidden by a Coming Soon plugin - it has never been live, except for the Coming Soon home page.
  • Profile picture of the author Toby A
    PS: I notice in the browser address bar, it says Not Secure left of the URL. I assume this just means I don't have SSL.

    Update: I have installed plugin Easy Updates Manager, and set it to not allow any updates from themes or plugins.
    • Profile picture of the author Rain Shalom
      What web hosting company are you using so that I can help you with information in case the one I published can't help?
      • Profile picture of the author Toby A
        Originally Posted by Rain Shalom View Post

        What web hosting company are you using so that I can help you with information in case the one I published can't help?
        Hi Rain, it is HostGator.
  • Profile picture of the author shamim40000
    Don't use any spam links in your wordpress website. Because spam links will be dropped google ranking always. So don't accept any spam comment like which comment have any link
    • Profile picture of the author Toby A
      Originally Posted by shamim40000 View Post

      Don't use any spam links in your wordpress website. Because spam links will be dropped google ranking always. So don't accept any spam comment like which comment have any link
      I didn't add spam links.
      I didn't allow comments - there aren't any.
  • Profile picture of the author Harry Yaprakov
    Hi there,

    Google released a new disavow tool. Just create a .txt file on your computer, add all DOMAINS (not all links) in the file and upload it to the Disavow tool here.
    • Profile picture of the author Toby A
      Originally Posted by Harry Yaprakov View Post

      Hi there,

      Google released a new disavow tool. Just create a .txt file on your computer, add all DOMAINS (not all links) in the file and upload it to the Disavow tool here.
      Thanks, though looking at the Disavow feature, it seems that it's for backlinks. My spammy links are outgoing, not incoming.

      The Disavow page has text in a yellow box that reads as follows:

      Disavow Links
      This is an advanced feature and should only be used with caution. If used incorrectly, this feature can potentially harm your site's performance in Google's search results. We recommend that you only disavow backlinks if you believe that there are a considerable number of spammy, artificial, or low-quality links pointing to your site, and if you are confident that the links are causing issues for you.
      I remember when Google introduced this feature. Straight after the launch of the first Google Penguin algo update, 24th April 2012.
  • Profile picture of the author mafais
    Banned
    [DELETED]
    • Profile picture of the author Toby A
      Originally Posted by mafais View Post

      Install Sucuri plugin in your WordPress.. It will automatically detect spam issues and will protect your blog from spammer..
      Thanks for the heads up on this.

      Q: Have you used Sucuri successfully, and have you experienced this malware infestation before?

      This guy 'WP Crafter' talks about Sucuri in this video: youtube.com/embed/t6rCkgd9MCY
      ... though he also rates Wordfence and iThemes Security as the best plugins, with iThemes being his favourite due to not slowing down his sites (unlike Wordfence)... his words, not mine.

      If anyone has any experience using any of these plugins, or other similar ones, pls do share your views
  • Profile picture of the author LisaGeorge
    [DELETED]
    • Profile picture of the author Toby A
      Originally Posted by LisaGeorge View Post

      In these cases you can use Google Analytics and Search Console.

      Ans 1. You can block these type of spammy sites by using "Filter" in Google Analytics. Just Follow these steps:

      A. Login into Google Analytics
      B. Go to Admin
      C. Go to Filter
      D. Add Filter
      E. Add Filter Name
      F. Select Filter Type - Custom
      G. Filter Field - Campaign Source
      H. Filter Pattern - Add Spammy Site
      I. Save

      2. You can use Word-fence Plugin in WordPress for removing Spammy links from website.

      3. Use Disavow Links Tool from Search Console to delete Spammy links.

      I hope this will help you for your website.

      Good Luck!
      Thank you for replying
      My response:

      1. Surely G.Analytics can't actually affect the website itself? ... I assume this is a measure to tell Google that I don't take responsibility for the spam links.

      2. Thanks. I will use a plugin as soon as Hostgator have completed their analysis.

      3. Disavow is for stating you don't take responsibility for certain backlinks, not links pointing from my site to other sites (See post 29 above)
  • Profile picture of the author dezpair
    Perhaps add a captcha to the comment submission form.
    • Profile picture of the author Toby A
      Originally Posted by dezpair View Post

      Perhaps add a captcha to the comment submission form.
      One of the sites affected is hidden behind a 'Coming soon' plugin, and none of my sites allow comments except for just one.

      The problem isn't comment spam, it's a malware hack causing an automatic page redirect to other sites which I have no affiliation with at all.
  • Profile picture of the author gator1985
    You can download a wordpress security scanner to remove malware and other issues then you can use a plugin that only allows users to authenticate their comments.
    • Profile picture of the author Toby A
      Originally Posted by gator1985 View Post

      You can download a wordpress security scanner to remove malware and other issues then you can use a plugin that only allows users to authenticate their comments.
      Thanks

      Re "wordpress security scanner", what do you recommend from your experience?
  • Profile picture of the author michaelswengel
    Welp, that's terrifying.

    I'm glad you got it taken care of. Some people are just jerks.
    Signature
    Free Video Course! Create a massive list of engaged subscribers FAST!
    Watch the course here: https://listbootcamp.com
    • Profile picture of the author Toby A
      Originally Posted by michaelswengel View Post

      Welp, that's terrifying.

      I'm glad you got it taken care of. Some people are just jerks.
      I know, tell me about it

      Though I'm not out of the woods yet. I will wait for the web host to report to me, and then I'll install a good security plugin.
  • Profile picture of the author ncodetech
    In this case, you can remove all spammy links from your blog spots. If you don't do this then your blog spot may lose ranking from google search engine.
  • Profile picture of the author Arta S
    I did some research about this so-called "Virus". I managed to find an infected plugin and installed it on a test wordpress install.

    In fact it is an advertising malware that is found in nulled themes and plugins. The scenario is that you download a theme or a plugin that is already infected by a javascript malware that redirects first-time users from your website to their desired destination, where they then redirect the traffic.

    Junk traffic, I wonder how does this add value to their cause!!

    The malware looks like this: Screenshot
    Since this is a javascript malware, it is added at the top of .js files in your theme or plugin.

    I discovered it by Imunify, a cPanel antivirus that can be accessed via root level users on the server. So if you are unsure about how to identify the problem, ask your hosting provider to run a scan for you. Don't be surprised if the hosting did not honor your request as you are 100% responsible for what's hosted on your account.

    Steps to confirm the existence of this virus:
    This virus is new and unknown to many antiviruses and since it is based on javascript, it's hard for security tools to detect it so you need to do some manual work here.

    1- Use incognito in browser
    Try visiting your website in incognito mode. This way you will know if your website traffic is being redirected.

    2- Run a Scan via a third-party
    Use SiteCheck by Sucuri to see if you are infected.

    3- Install a Security Plugin
    Among all, the best is to Install Sucuri Wordpress Plugin for a quick scan.

    4- Search locally
    Download a full copy of your website as an archive file on your computer and then try searching in that folder for the phrase "var _0x44tbc1" or "eval" (this text is a part of the malware code so if it exists, the search will lead to results with files that are infected)

    What to do if you found out that you are infected
    You are at your own mercy, there is no quick way to bulk edit these files unless you have the right tools. What I did was, I downloaded all the files on my computer, installed Sublime and with the help of the article Search and Replace -- Multiple Files

    Basically, I opened all the js files in Sublime, then using the article mentioned above, I told the sublime, wherever you find this text (Screenshot), replace it with nothing. This way it removes the javascript malware from the file. Then saved the file and uploaded it back.

    IMPORTANT: The permissions for the infected files are set to 0777 by the infector, you must set the correct file permissions for your wordpress install. 0644 for files and 0755 for folders.

    If you are familiar with SSH, you can run the following commands:
    find . -type d -print0 | xargs -0 chmod 0755 # For directories
    find . -type f -print0 | xargs -0 chmod 0644 # For files

    Good luck.
    • Profile picture of the author Toby A
      Thanks Arta.

      Re "1- Use incognito in browser" Thanks. Good idea.

      Re "4- Search locally", I downloaded a copy of one of my infected sites using Duplicator. When searching for text within the files, I could see multiple results for "var _0x4" but if I included your entire search text it yielded no results, even if I just added the next "4"
      https://www.screencast.com/t/9NnVifYfeo4o

      Searching for "eval" in the files produced exactly the same files in the search results.

      ... I will try your suggestion 2, 3 and what you suggested after your Stage 4, and report back.

      - - - - - - - - - - - - - - - - - - - - - - - -

      Update:
      At present, the spam links seem to have gone, so the Hostgator admins may have removed them.

      I haven't heard from them just yet, but they have told me that they'll contact me when they're finished with their analysis.

      Just out of interest, I counted the active plugins on all my infected sites, and these are the plugins they all used and were active:

      • Always Edit in HTML
      • Duplicator
      • Easy Updates Manager
      • Genesis Simple Hooks

      As for themes, they all used the Genesis Framework with a Genesis Child theme as the active theme. They didn't all use the same child theme.
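
The local search from step 4 and the 0777 warning in the posts above, as an added example that is not code from the thread: it matches the shape of the obfuscated variable name rather than the exact string, on the assumption that the suffix differs between infected copies, and it lists world-writable files and folders. The function names and the regular expression are assumptions; it covers .js files only, not PHP files or the database.

```shell
#!/bin/sh
# Added example (not from the thread). Run against a downloaded copy of the
# site: sh triage.sh /path/to/site-copy

# Assumption: the suffix of the obfuscated name ("var _0x44tbc1" in the post)
# varies between infected copies, so match its shape rather than one string.
# A bare "eval" is left out because plenty of legitimate code contains it.
SIG='var[[:space:]]+_0x[0-9A-Za-z]+'

# Print "path:line" for each .js file containing the signature, where line is
# the first matching line. Line 1 fits "added at the top of .js files".
# File names containing newlines are not handled.
scan_js() {
    find "$1" -type f -name '*.js' -exec grep -lE "$SIG" {} + | sort |
    while IFS= read -r f; do
        line=$(grep -nE "$SIG" "$f" | head -n 1 | cut -d: -f1)
        printf '%s:%s\n' "$f" "$line"
    done
}

# Print files and folders that any local user can write to (0777, 0666, ...).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Report both findings; the exit status is non-zero when anything was found.
triage() {
    hits=$(scan_js "$1")
    loose=$(list_world_writable "$1")
    if [ -n "$hits" ]; then printf 'suspect js (path:line):\n%s\n' "$hits"; fi
    if [ -n "$loose" ]; then printf 'world-writable:\n%s\n' "$loose"; fi
    [ -z "$hits" ] && [ -z "$loose" ]
}

[ "$#" -eq 0 ] || triage "$1"
```

A hit is a file to open and read, not proof of infection: legitimately obfuscated scripts use the same naming style.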
  • Profile picture of the author cintura468
    WordPress contains lots of spam
  • I have exactly the same issue
  • Profile picture of the author cearionmarie
    It seems your site has been infected with a virus. There are many things that could cause this, but the most common is via the plugins. We had a similar experience before with our site and using an anti-malware plugin resolved the issue.
    Signature

    Cearion Uy - Marketing Advisor
    www.influencerauditor.com

    • Profile picture of the author Toby A
      Originally Posted by cearionmarie View Post

      It seems your site has been infected with a virus. There are many things that could cause this, but the most common is via the plugins. We had a similar experience before with our site and using an anti-malware plugin resolved the issue.
      Which plugin did you use?
  • Profile picture of the author AlexRendon
    You need "All In One WP Security" and that's all you'll ever need. Seriously!
    Signature

    Free Invite: A/B test and optimize your referral programs, contests, giveaways and even influencer outreach campaigns without developer headaches or spending a dime on ads. Help us test it for free. www.mergebox.io/coming-soon

  • Profile picture of the author Toby A
    Finally heard back from Hostgator. This is what they said:

    https://www.screencast.com/t/fnAmQXHRr

    Thank you for contacting Hostgator. Unfortunately, the biggest reason for your site getting hacked is more than likely due to outdated wordpress and its plugins as seen below:

    - - - - - - [see link] - - - - - -

    Unfortunately, there is no way to 100% be sure that the account is malware free even if you do update all of these sites and plugins. Resetting the account and recreating the site is the safest but it will be time-consuming.
    • Profile picture of the author Arta S
      That's what I would say as a web hosting provider if you were my client. You are on your own here. Follow my instructions and you'll be safe.
      • Profile picture of the author Toby A
        Originally Posted by Arta S View Post

        That's what I would say as a web hosting provider if you were my client. You are on your own here. Follow my instructions and you'll be safe.
        Hi Arta, I have started the process of removing my malware. The trouble is that Sucuri won't let me do it without charging me $299.99 per year.

        That is their Basic package, and... it only covers one site! ... I have lots of websites.
        ... I will have to look for a more affordable solution.
        • Profile picture of the author Toby A
          UPDATE:

          According to WordFence I have just found a new batch of about 1,500 issues with one of my sites, after recently cleaning it.

          I have auto-cleaned it as much as the plugin will enable me. Now I am faced with the prospect of manually fixing the remaining 864 files, by clicking one line at a time.

          If I was managing one big site I'd very likely invest in Wordfence, Sucuri or iThemes paid version.
          - However, as I will be managing lots of mini-sites, the paid plugin option isn't going to be viable (not just yet anyway) ... paying $300 per site, for let's say... 20 sites that don't yet pay, isn't viable.

          I am considering replicating one of my Wordpress mini-sites in a pure HTML / CSS format... just to reduce the chance of being infected with malware.

          1. Does anyone have any experience using modern sites built in pure HTML to generate income?

          2. Could setting up a new hosting account make any difference?
          • Profile picture of the author dburk
            Originally Posted by Toby A View Post

            I have auto-cleaned it as much as the plugin will enable me. Now I am faced with the prospect of manually fixing the remaining 864 files, by clicking one line at a time.
            As I said before, there is no plugin that will automatically fix this particular infection.

            Plugins like Wordfence can help to harden a website and prevent infection, but once infected by this virus it is just way too invasive for a plugin to fix.

            This particular malware infection injects a variety of malicious scripts into many common plugin files, it injects it into your core Wordpress files, it injects itself into hidden directories, it injects malware into your config files, and into your database, it injects malware into your theme directories, including all of the core Wordpress themes.

            Many of those malicious scripts are embedded like a minefield ready to go off whenever you update files, back up files, or simply view pages, posts or comments. It even embeds itself into plugins; it embeds itself virtually everywhere, in nooks and crannies you would never think to look for it.

            You really have to go through every line of code of every file on your website, every database record, every theme file, every plugin file and every directory location on your website. No plugin is going to do all that for you. You have to manually do it, or use specialized search and replace tools for your entire website and your entire database.

            It may well be easier to just delete the website and start over from scratch, only you could know that.

            The only quick and easy fix is to restore a backup if you have one. Check with your web host, they may have a backup of your website and might possibly restore it for a small fee. Most data centers do this, try giving yours a call.

            HTH,

            Don Burk
            • Profile picture of the author Toby A
              Originally Posted by dburk View Post

              It may well be easier to just delete the website and start over from scratch, only you could know that.
              I think you're right. I think this is the path I will walk down, it'll be the path of least resistance.
        • Profile picture of the author Toby A
          Update:
          While chatting with Hostgator staff they notified me of an email they sent me some time ago. Unfortunately, unlike the other Hostgator emails, it went into my Gmail SPAM folder.

          Their email identified a phishing attack in this location:
          /public_html/xxxxxxxxxx.com/wp-includes/imp/linkedinx/

          Beware of this type of folder appearing on your WP sites, and watch out for warning emails from your host - auto-dropped into your Spam folder, if anything about any of your sites looks even slightly off.
        • Profile picture of the author Toby A
          I have deleted the database and all the Wordpress files for one of my infected sites. I then uploaded a basic HTML version of the site, reducing the site to a small number of very basic files, which is all I needed.

          However, strange files have begun to appear in a folder within the root.

          .well-known/hhlfnzxi.php

          I tried to download the php file but when I tried to open it in a txt editor the OS told me that I didn't have permission. Downloading this file also automatically triggered Sophos (anti-virus) to prompt me to delete it.

          I thought that deleting the site (incl. db) would be enough, but it looks like the problem still lingers. However, these files have not caused the new site to redirect to other sites, as before.

          Could it be that my entire hosting account has been infected? - I did create a brand new password for it.
          • Profile picture of the author dburk
            Originally Posted by Toby A View Post

            I have deleted the database and all the Wordpress files for one of my infected sites. I then uploaded a basic HTML version of the site, reducing the site to a small number of very basic files, which is all I needed.

            However, strange files have begun to appear in a folder within the root.

            .well-known/hhlfnzxi.php

            I tried to download the php file but when I tried to open it in a txt editor the OS told me that I didn't have permission. Downloading this file also automatically triggered Sophos (anti-virus) to prompt me to delete it.

            I thought that deleting the site (incl. db) would be enough, but it looks like the problem still lingers. However, these files have not caused the new site to redirect to other sites, as before.

            Could it be that my entire hosting account has been infected? - I did create a brand new password for it.

            Hi Toby.

            As I stated in an earlier post, this particular virus uses a multi-vector approach. It uses a combination of technologies including hyperlink embeds, HTML redirects, embedded JavaScript scripts, and PHP scripts. It infects WordPress configuration files, common plugin files, theme files, CSS files, utility scripts, and database records. You may have thousands of infectious scripts, spread across hundreds of rarely used files, using at least a half dozen or more infection vectors.

            It's a nasty virus; you cannot take any shortcuts to get rid of it. All files on your hosting environment must be cleaned at the same time or you will risk re-infecting the entire hosting account. The spread of the virus is not limited to a single website; it affects all websites within the hosting account. It infects common files on your server and can spread to multiple websites hosted on the same account.

            You need to use special tools to scan for and locate all instances of embedded scripts, redirects and infected executables, including the file that contains the initial virus payload. Only by removing all scripts before re-launching your website could you expect it to be cleaned. A partial cleaning is just going to result in a complete re-infection. Half-measures are totally ineffective.

            HTH,

            Don Burk
            • Profile picture of the author Toby A
              Originally Posted by dburk View Post

              Hi Toby.

              As I stated in an earlier post, this particular virus uses a multi-vector approach. It uses a combination of technologies including hyperlink embeds, HTML redirects, embedded JavaScript scripts, and PHP scripts. It infects WordPress configuration files, common plugin files, theme files, CSS files, utility scripts, and database records. You may have thousands of infectious scripts, spread across hundreds of rarely used files, using at least a half dozen or more infection vectors.

              It's a nasty virus; you cannot take any shortcuts to get rid of it. All files on your hosting environment must be cleaned at the same time or you will risk re-infecting the entire hosting account. The spread of the virus is not limited to a single website; it affects all websites within the hosting account. It infects common files on your server and can spread to multiple websites hosted on the same account.

              You need to use special tools to scan for and locate all instances of embedded scripts, redirects and infected executables, including the file that contains the initial virus payload. Only by removing all scripts before re-launching your website could you expect it to be cleaned. A partial cleaning is just going to result in a complete re-infection. Half-measures are totally ineffective.

              HTH,

              Don Burk
              Thanks. I noticed that when I deleted all the files of a particular site (incl. database), but not deleting the domain.com folder, suspicious php files would appear in the empty root folder, despite my hosting account having a new password.

              Since my last post here I have reuploaded the last saved (and clean) version of the sites onto a new web hosting account, stripped out all unused plugins, and installed the security plugins; Wordfence and Cerber Security.

              I have also removed 'write' permissions to the wp-config.php file of every WP site.

              Are there any other files you think I should make 'read only'?
    • Profile picture of the author MSutton
      Originally Posted by Toby A View Post

      Finally heard back from Hostgator. This is what they said:

      https://www.screencast.com/t/fnAmQXHRr

      Just a word of caution: while what they said may be true, most web hosts always blame everything on WordPress or any other script you have installed so that they don't have to spend too much time on their shared hosting clients. Hostgator is notorious for this, as well as pretty much any other host owned by EIG. But honestly, they are all like that with their shared clients. There's little money in shared hosting, unlike VPS, Managed WP and Dedicated hosting.

      Always take what they say with a grain of salt. They'll always blame you because the last thing they're gonna say is "ooops, yeah, sorry about that, the server you're on was hacked. Our fault." lol.



      But if your WP install and plugins are out of date, then you really have to start taking more control over your site.
  • Profile picture of the author calvinmd1
    I don't know how to fix your problem, but what may help is installing a Facebook plugin, "WpDevArt Facebook comments", for your comments. Everyone who posts a comment on your site will have to sign in with their Facebook profile, and most spammers like to stay anonymous. This will limit the number of spammers on your site.
  • Profile picture of the author GDIIT
    Hello!

    There is a plugin called Akismet Anti-Spam and it's free. It has a database of spam which is updated constantly, and so it is very effective in filtering out comments that are spammy.

    Another thing you can do is to enable comment moderation by going to Settings >> Discussion, and check the "Comment must be manually approved" option.

    The last thing I can suggest is to move to a new comment system such as Disqus. Disqus only allows comments from users who are logged in, and they also moderate users that show spammy activity.

    Hope this helps.
    • Profile picture of the author Toby A
      Originally Posted by GDIIT View Post

      Hello!

      There is a plugin called Akismet Anti-Spam and it's free. It has a database of spam which is updated constantly, and so it is very effective in filtering out comments that are spammy.

      Another thing you can do is to enable comment moderation by going to Settings >> Discussion, and check the "Comment must be manually approved" option.

      The last thing I can suggest is to move to a new comment system such as Disqus. Disqus only allows comments from users who are logged in, and they also moderate users that show spammy activity.

      Hope this helps.
      I'm not using comments
  • Profile picture of the author dburk
    Hi Toby,

    I had to clean up several websites for a client that was recently infected with the same virus. There is no plugin that will fix it. You have a few basic choices:
    1. Manually track down and remove/replace/repair:
    • Locate & remove the original infected file with executable payload.
    • Repair altered directory security permissions set to the unsafe 777.
    • Remove all infected plugins
    • Remove virus injected code snippets from all pages and posts stored within your database.
    • Download, install, and activate a safe temporary Wordpress theme (Twenty Eighteen)
    • Re-install Wordpress core files through admin panel
    • Re-install & reconfigure your previous Wordpress Theme.

    2. Restore a previous backup of your website prior to infection (if available).

    Or

    3. Remove entire website and re-build from scratch.

    The easiest option is number 2 but only available if you have an untainted backup available.

    Option number 1 can be done if you know how to manage directory permissions, and know how to identify malicious code and remove it from files and databases using find & replace techniques. If you miss any infected file, code snippet, or database entry, your website will still be compromised.

    Short of those two options, the only sane way to remove this particular virus is to wipe all website files and rebuild from scratch. You need to figure out which options are within your purview and decide from there. You can always hire someone to remove the infection, though it may be an expensive undertaking.

    HTH,

    Don Burk
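The file-level checks from the list above (unexpected files in core directories, directories left at 777), together with the symptoms reported elsewhere in this thread (a PHP file under .well-known, an extra folder under wp-includes, a writable wp-config.php), can be scripted. The following is an added example, not part of any post in this thread: it compares wp-admin and wp-includes against a clean reference copy of the same WordPress version that you have unpacked yourself. The function names, the directories treated as "no PHP expected", and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")              # only WordPress core files belong here
NO_PHP_DIRS = (".well-known", "wp-content/uploads")  # assumption: no PHP is expected here
PHP_SUFFIXES = {".php", ".phtml", ".phar"}


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def files_under(root, subdir):
    """Map site-relative path -> Path for every regular file below root/subdir."""
    base = Path(root) / subdir
    if not base.is_dir():
        return {}
    return {p.relative_to(root).as_posix(): p for p in base.rglob("*") if p.is_file()}


def audit(site_root, clean_root):
    """Return sorted (finding, relative_path) tuples for the tree at site_root."""
    findings = set()
    for core in CORE_DIRS:
        clean = files_under(clean_root, core)
        for rel, path in files_under(site_root, core).items():
            if rel not in clean:
                findings.add(("extra-core-file", rel))        # e.g. a dropped folder
            elif sha256(path) != sha256(clean[rel]):
                findings.add(("modified-core-file", rel))     # injected code
    for data_dir in NO_PHP_DIRS:
        for rel, path in files_under(site_root, data_dir).items():
            if path.suffix.lower() in PHP_SUFFIXES:
                findings.add(("php-in-data-dir", rel))
    for dirpath, dirnames, filenames in os.walk(site_root):
        for name in dirnames + filenames:
            full = Path(dirpath) / name
            mode = full.lstat().st_mode
            if stat.S_ISLNK(mode):
                continue                                      # link modes are meaningless
            rel = full.relative_to(site_root).as_posix()
            if mode & stat.S_IWOTH:
                findings.add(("world-writable", rel))         # 777 / 666 style modes
            if name == "wp-config.php" and mode & 0o222:
                findings.add(("config-writable", rel))        # thread suggests 444
    return sorted(findings)


def write_tree(root, files):
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def build_demo(tmp):
    """Constructed sample data: a small clean tree and a tampered copy of it."""
    clean, site = Path(tmp) / "clean", Path(tmp) / "site"
    core = {"wp-includes/version.php": "<?php // core file\n",
            "wp-admin/index.php": "<?php // core file\n"}
    old_umask = os.umask(0o022)  # make default modes predictable for the demo
    try:
        write_tree(clean, core)
        write_tree(site, core)
        write_tree(site, {
            "wp-includes/version.php": "<?php // core file\n// PLACEHOLDER injected line\n",
            "wp-includes/imp/linkedinx/index.php": "<?php // PLACEHOLDER\n",
            ".well-known/hhlfnzxi.php": "<?php // PLACEHOLDER\n",
            "wp-content/uploads/photo.jpg": "PLACEHOLDER image bytes",
            "wp-config.php": "<?php // PLACEHOLDER config\n",
        })
    finally:
        os.umask(old_umask)
    os.chmod(site / "wp-content" / "uploads", 0o777)
    os.chmod(site / "wp-config.php", 0o644)
    return site, clean


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit(*build_demo(tmp))


if __name__ == "__main__":
    for finding, rel in run_demo():
        print(f"{finding:20} {rel}")
```

An empty result only means these particular checks found nothing; injected content stored in the database (post rows, options) is outside what this script inspects and needs its own search.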
    • Profile picture of the author Toby A
      Originally Posted by dburk View Post

      Hi Toby,

      I had to clean up several websites for a client that was recently infected with the same virus. There is no plugin that will fix it. You have a few basic choices:
      1. Manually track down and remove/replace/repair:
      • Locate & remove the original infected file with executable payload.
      • Repair altered directory security permissions set to the unsafe 777.
      • Remove all infected plugins
      • Remove virus injected code snippets from all pages and posts stored within your database.
      • Download, install, and activate a safe temporary Wordpress theme (Twenty Eighteen)
      • Re-install Wordpress core files through admin panel
      • Re-install & reconfigure your previous Wordpress Theme.

      2. Restore a previous backup of your website prior to infection (if available).

      Or

      3. Remove entire website and re-build from scratch.

      The easiest option is number 2 but only available if you have an untainted backup available.

      Option number 1 can be done if you know how to manage directory permissions, and know how to identify malicious code and remove it from files and databases using find & replace techniques. If you miss any infected file, code snippet, or database entry, your website will still be compromised.

      Short of those two options, the only sane way to remove this particular virus is to wipe all website files and rebuild from scratch. You need to figure out which options are within your purview and decide from there. You can always hire someone to remove the infection, though it may be an expensive undertaking.

      HTH,

      Don Burk
      Thanks for guidance. After looking at and installing the free versions of iThemes Security and Sucuri, I have actually started to use the free version of Wordfence.

      It seems to be able to remove existing malware. I have tried it and (so far) it looks like it has removed the malware. This process involved 'fixing' suspicious code in some files, 'deleting' other files, and 'updating' plugins and some themes to the latest version.
      ... It also identified some files in plugins that were different to the original versions, and showed a side-by-side comparison of how the contents of the file had been changed... it fixed this.

      I performed a Force-reload of the web pages of my infected sites and they don't seem to redirect to the spammy URLs. Relief !!!!

      _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

      File permissions - good point!
      Arta has already mentioned this and I have since changed the file permissions of wp-config.php to 444 / Read only.

      See page 1 of this thread > Post 22.

      _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

      Your 'option 2' makes sense, but alas my old versions of some of my sites are less developed than the new versions. I know, my fault for not performing regular backups / downloads.

      I will keep working on this, and will keep you updated on this thread. Thanks again.
  • Profile picture of the author jennytrump
    TAC is a plugin that will scan your theme's files to look for any malicious code. Sucuri has a WordPress plugin in both a free and premium version. It does a good job of checking all your core files to help identify any potential malicious code. If you're running a business that relies on your site.

    I hope this will help you..
  • Profile picture of the author davidlee210
    You can remove all the spam backlinks using disavow techniques.
    • Profile picture of the author Toby A
      Originally Posted by davidlee210 View Post

      You can remove all the spam backlinks using disavow techniques.
      Backlinks aren't the problem with my sites, it's the outgoing links created by the hacker/malware that I have been trying to remove.
  • Profile picture of the author JeanHuff
    This is only because you utilize.
  • Profile picture of the author kuchenchef
    According to the screenshot the code is in the post table, made by user id 1. I am no expert, but it looks like there is either a malicious plugin or code snippet in the theme, or the admin login is compromised. Clean the hosting account, change all passwords to ubersecure ones, also on your hosting account, FTP and SSH, add 2FA if possible, check the log files to see who is accessing what and act on that, start with a fresh installation and secure it properly.
  • Profile picture of the author dozerin
    I will read through the links and report back.
  • Profile picture of the author raghav bansal
    [DELETED]
    • Profile picture of the author Toby A
      Originally Posted by raghav bansal View Post

      Go to this blog by Neil Patel https://neilpatel.com/blog/control-blog-comment-spam/
      you may find it useful.
      Thanks. My problem doesn't seem to be caused by blog comments because I only have them on one of my affected sites, and I haven't received a blog comment since long before this problem started.

      The problem is inside the sites, links pointing out to other sites.

      ... However, if I feel I may have a problem with blog comments in the future I will certainly read it.
  • Profile picture of the author cintura468
    hmmm, it is a controversial question
  • Profile picture of the author MSutton
    If you run WordPress sites, you ABSOLUTELY need to use a security plugin and update all your plugins, themes and WordPress itself FREQUENTLY. WordPress sites are heavily targeted by spammers and hackers because it is the most widely used CMS. I learned this the hard way and I will never use WordPress without a security plugin ever again. It's the first plugin I install on any new install.



    I recommend WP Cerber Security Plugin because it offers a lot more than WordFence and is highly rated. One thing I like is that it allows you to easily insert reCAPTCHA on all your forms (login, forgotten password, comments, etc).



    When you install a security plugin (any of them) and view the live traffic, you will be amazed at how many bots are trying to access and login to your admin area and accessing other WP files. Sometimes you can even see that some bots are fishing for certain plugins or themes that are known to have security holes. It's a real eye opener. The internet is basically a bot and hacker highway. If you don't have security on your site, you're asking for problems.


    Never install a plugin or a theme that isn't frequently updated. Look at the changelog before you install. If it hasn't been updated for a year or longer, forget it. The developer isn't active enough and you risk security problems, not to mention it may eventually break your site as WordPress gets updated.


    On the other hand, if you are using nulled (pirated) themes and plugins, well, you're on your own.
    • Profile picture of the author Toby A
      Originally Posted by MSutton View Post

      If you run WordPress sites, you ABSOLUTELY need to use a security plugin and update all your plugins, themes and WordPress itself FREQUENTLY. WordPress sites are heavily targeted by spammers and hackers because it is the most widely used CMS. I learned this the hard way and I will never use WordPress without a security plugin ever again. It's the first plugin I install on any new install.



      I recommend WP Cerber Security Plugin because it offers a lot more than WordFence and is highly rated. One thing I like is that it allows you to easily insert reCAPTCHA on all your forms (login, forgotten password, comments, etc).



      When you install a security plugin (any of them) and view the live traffic, you will be amazed at how many bots are trying to access and login to your admin area and accessing other WP files. Sometimes you can even see that some bots are fishing for certain plugins or themes that are known to have security holes. It's a real eye opener. The internet is basically a bot and hacker highway. If you don't have security on your site, you're asking for problems.


      Never install a plugin or a theme that isn't frequently updated. Look at the changelog before you install. If it hasn't been updated for a year or longer, forget it. The developer isn't active enough and you risk security problems, not to mention it may eventually break your site as WordPress gets updated.


      On the other hand, if you are using nulled (pirated) themes and plugins, well, you're on your own.
      Thanks, I will check out Cerber Security. It sounds good.

      Q. If I took the precautions you describe, do you think it's still necessary to use SSL on every domain to prevent malware?

      Q. Have you used other plugins, like Sucuri and iThemes Security? - and if so, what do you think of them?
      • Profile picture of the author MSutton
        I have never used any security plugins but Cerber and Wordfence.

        SSL doesn't prevent your site from being hacked, it encrypts data.



        But you need SSL on any domain you want Google to index because Google frowns upon sites that do not have SSL and in the somewhat near future it will probably not even list your site if it is non-SSL.


        SSL is free through Let's Encrypt and most reputable web hosts offer 1-click Let's Encrypt installations. If yours doesn't, then get a new host.

        You could still install Let's Encrypt SSL on your site if your host does not have 1-click installations, but it can be a pain and you have to renew it every 2 months, which is inconvenient. When you use a host that offers 1-click installs of Let's Encrypt, it renews automatically.
        • Profile picture of the author Toby A
          Originally Posted by MSutton View Post

          SSL is free through Let's Encrypt and most reputable web hosts offer 1-click Let's Encrypt installations. If yours doesn't, then get a new host.
          Thanks MSutton. Let's Encrypt sounds ideal. Assuming your webhost has this 1-click install feature, what host do you use?

          I notice Dreamhost seems to have "Let's Encrypt" as standard. I think I will have to switch web hosts.
  • Profile picture of the author jenymartin
    Mostly, WordPress websites are being hacked due to nulled themes and outdated plugins. That is what you need to check for, to see if any such issue is there. Keep updating all the installed plugins and themes as well. Once you have done this you are almost secure with your WordPress website.

    Also note that once a hacker is in your website, he will leave their shell scripts or other tools in lots of places to get in again, even if you have updated all the above. So try to find any non-relevant folders and files in the file manager and remove them.

    Hope that answers your questions and concerns.
  • Profile picture of the author Populizr
    1. Install Disqus commenting system that replaces the standard WP spam-able commenting system.
    2. Spam links are easily managed in the Comments from the dashboard from where you can delete them in bulk.
  • Profile picture of the author Stephannie Baker
    I have experienced links being added to my answer in forums but not on my blog. This is really infuriating though. But I am glad that you found a way to remove it. Now I know how to do it if links get added to my blog, too. Thanks!
  • Profile picture of the author Delario
    Use Anti Spam Bee plugin (no cost) to avoid spammy comments in your WordPress blog.
  • Profile picture of the author Cezar Renta
    I had the same problem in the past; it was due mainly to bad file permissions. Depending on your Apache and PHP configuration, the owner of the files should be only the account for that specific blog.

    I also recommend installing Wordfence, it does a pretty good job in securing your blog. The free version is not updated daily but still, it adds a strong layer of protection.
  • Use the anti-spam WordPress plugins such as:
    -Akismet
    -Anti-Spam by CleanTalk--No Captcha, No Comments & Registrations Spam
    -WangGuard
    -Anti-Spam Bee
    -WordPress Zero Spam
    -Growmap Anti Spambot Plugin
    -WPBruiser {No Captcha Anti-Spam}
    -Stop Spammers Spam Prevention

    I wish you good luck!
  • Profile picture of the author bbappybabs
    1. You must secure your site. First of all, don't install any plugin or theme that is not reputable or trusted. Sometimes hackers put a hidden shell on your site, and sometimes they put some harmful code that steals your vital server information. So before you install anything on your site, make sure it is clean, or only install reputable plugins or themes.
    2. Make regular backups of your database and the uploads folder so if any major damage happens you can recover it quickly.
    3. As others mention, change your file permissions as they mentioned.
    4. Protect your admin area by adding password protection to the wp-admin folder in cPanel.
    5. Use popular anti-spam plugins for blocking spam comments.
    6. Finally read this article https://codex.wordpress.org/Hardening_WordPress to increase the security of your site.
  • Profile picture of the author salmansaleem920
    I think one of your plugins was affected with a bad script, which caused your site to behave abnormally.
  • Profile picture of the author carolyn653
    Try to change the database. And also try to remove javascript.
  • Profile picture of the author t1tutorials
    I'm using Akismet for wordpress and it's working good
  • Profile picture of the author Derk Nennis
    I think you are using a nulled theme. There are many WordPress theme validation plugins available that you can try to check errors of your theme.
  • Profile picture of the author Hari Mohan Sharma
    Hi, Toby.
    You need to harden your website security. To know how to do it, you may visit the WP Beginner website. You will find a lot of useful tips for any issues that beginners face.
  • Profile picture of the author nRehman
    Why not reinstall your WordPress site while adding necessary but reliable plugins; sometimes these kinds of injected scripts reappear after some time.