- This topic has 16 replies, 4 voices, and was last updated 2 years, 2 months ago by Hans.
June 21, 2018 at 1:56 pm #605604Michael
Please see code snippet below. I have no idea where it’s coming from, but it’s being injected into my pages. Elementor claims it’s not theirs. Does this look at all familiar? Is it part of GeneratePress? When the page is refreshed, a pattern of boxes with the character X inside appears. Sometimes just one, sometimes multiple boxes (because the code is repeated multiple times). It’s always the same code, does not change from page to page; very distracting and serves no purpose that I can see. Here’s an example, refresh the page to see what’s happening. It’s not just this page by the way, and doesn’t seem to have anything to do with a form being present. https://doctorpenner.com/contact/<span class=”ir-ext-rendered” title=”Rendered image dimensions (after any scaling/resizing has been applied)”> x </span> <span class=”ir-ext-natural” title=”Natural image dimensions (without applying any scaling/resizing)”> (x) </span>GeneratePress 2.1.2GP Premium 1.6.2June 21, 2018 at 3:18 pm #605644LeoStaffCustomer Support
Doesn’t look like it’s from GP.
Let me know 🙂June 21, 2018 at 8:59 pm #605733Michael
No luck so far with the debugging tips. The WordPress debug function shows no errors.
Here’s the pattern of x‘s left in the code.
We can cherish the time we have<br />By respecting our physical body.</p> x (x) x (x) x (x) x (x) x (x) x (x) x (x) x (x) x (x)
Dr. Penner and Angela are the best team. Dr. Penner is always very cordial and always has great advice. These women are fantastic and make for great chiropractic care.June 21, 2018 at 9:54 pm #605751TomLead DeveloperLead Developer
Did you try deactivating your plugins one by one to see if it’s coming from one of them?
If it’s not, your site could be hacked. If you look up “WordPress clean hacked site” you should find tons of tips and tricks to clean it up.
Alternatively, a lot of hosts will handle it for you if you ask them, as a hacked shared server can put other sites on the server at risk.June 21, 2018 at 10:30 pm #605765Michael
This site WAS a hacked some weeks ago, but re-built using GeneratePress + Elementor + a new installation of WP, and is now hosted on a new server as well. However, the old database was imported. I thought it was clean, but sounds like that should be double-checked.
Meanwhile, I turned off ALL plugins, including the plugin that is handling CSS, and reverted to the Twenty Seventeen theme. The problem disappeared. I activated Elementor and it’s back!
I don’t actually see the code embedded in the page, but the page definitely flashes multiple boxes with the X character when Elementor is activated. I also tested it the other way: Deactive Elementor, and activate everything else, including GeneratePress. No issues.
So, it seems to be Elementor. Or Elementor conflicting with something in the database. Confusing because I don’t see Elementor doing this on my other sites.
Is it possible that the database has been hacked / corrupted in some way that is only apparent when Elementor is activated? Wow, I not know how to solve that one.
Unfortunately, Elementor is denying there’s any issue on their end so far.June 22, 2018 at 9:03 am #606178TomLead DeveloperLead Developer
I would report that to Elementor then for sure, as that definitely sounds like it’s coming from the plugin itself.
It’s rare that hacks happen within the database. There’s usually nasty code inside wp-config.php, .htaccess or other files.June 22, 2018 at 12:30 pm #606334Michael
Thanks Tom, good to know that the database is likely OK. I’m following up with Elementor now. So far, they say the injected code does not have their signature.
I scanned the site with WordFence – clean. The Securi plugin indicates the site is clean in terms of malicious JS, iFrames, redirects, SEO spam, and other “anomalies”, but also says Core WordPress Files Were Modified.
Can you point me in the best general direction to fix these modified files? Re-install WP? Seems like there’s some files that don’t exist in WP all all.June 22, 2018 at 12:39 pm #606347LeoStaffCustomer SupportJune 22, 2018 at 12:51 pm #606352Michael
Thanks Leo, but how does reinstalling WP address any extra bad files that might have been created, that are not part of WP?June 22, 2018 at 12:58 pm #606355LeoStaffCustomer SupportJune 22, 2018 at 2:02 pm #606386Michael
Fresh news from Liquid Web hosting. They ran their internal checks and didn’t find any file issues. They think it’s the database.
Unfortunately it doesn’t seem that the issue is from infected content on the filesystem, but as you mentioned before a compromised database. We don’t have any specific tools for searching for infected database content, and you may want to consult with a developer or security specialist.
Please feel free to let me know if you have any additional questions or concerns.
Linux Systems Administrator RHCSAJune 22, 2018 at 8:09 pm #606478TomLead DeveloperLead Developer
Unfortunately I’m not a database expert. However, if that text is within the database, you should be able to find it by searching through post/page content. Since it disappears when Elementor is disabled, I would start by looking through the Elementor content fields.June 25, 2018 at 2:08 pm #608361Michael
Hi Tom, I searched the database, no trace of the offending code, which suggests it’s coming from a file, I *think*.
Next step is to try a fresh install of WP, then delete (rather than deactivate) all plugins, then delete and reinstall the theme. Hoping that uncovers something.
This exact issue is now cropping up on another site on my server, which uses a similar setup.June 25, 2018 at 7:47 pm #608525TomLead DeveloperLead Developer
Be sure to check files like wp-config.php and .htaccess for suspect looking code.
Also let Liquid Web know, as you’ve confirmed it’s not coming from the database.June 25, 2018 at 11:48 pm #608596Michael
Hi Tom, I *think* the issue is resolved. I ended up deleting all the plugins, installing a fresh copy of WP, then re-installed the plugins, carefully checking as I went. I also re-ran the Sucuri check, and manually looked at the config and htaccess files, nothing unusual there. So far, the pattern has not returned. So I’m thinking some plugin did not install properly, and that simply deactivating was not enough. Not sure about that though, will likely never know. I’m marking this issue as resolved for now. Thanks!
- You must be logged in to reply to this topic.