[Resolved] Mystery HTML Injected Into Pages. Elementor / GeneratePress problem?

  • #605604
    Michael

    Please see code snippet below. I have no idea where it’s coming from, but it’s being injected into my pages. Elementor claims it’s not theirs. Does this look at all familiar? Is it part of GeneratePress? When the page is refreshed, a pattern of boxes with the character X inside appears. Sometimes just one, sometimes multiple boxes (because the code is repeated multiple times). It’s always the same code, does not change from page to page; very distracting and serves no purpose that I can see. Here’s an example, refresh the page to see what’s happening. It’s not just this page by the way, and doesn’t seem to have anything to do with a form being present. https://doctorpenner.com/contact/

    <span class="ir-ext-rendered" title="Rendered image dimensions (after any scaling/resizing has been applied)"> x </span> <span class="ir-ext-natural" title="Natural image dimensions (without applying any scaling/resizing)"> (x) </span>
    #605644
    Leo
    Staff
    Customer Support

    Hi there,

    Doesn’t look like it’s from GP.

    Try #1 here:
    https://docs.generatepress.com/article/debugging-tips/

    Let me know 🙂

    #605733
    Michael

    No luck so far with the debugging tips. The WordPress debug function shows no errors.

    Here’s the pattern of x’s left in the code.

    We can cherish the time we have<br />By respecting our physical body.</p> x (x) x (x) x (x) x (x) x (x) x (x) x (x) x (x) x (x)
    Dr. Penner and Angela are the best team. Dr. Penner is always very cordial and always has great advice. These women are fantastic and make for great chiropractic care.

    #605751
    Tom
    Lead Developer

    Did you try deactivating your plugins one by one to see if it’s coming from one of them?

    If it’s not, your site could be hacked. If you look up “WordPress clean hacked site” you should find tons of tips and tricks to clean it up.

    Alternatively, a lot of hosts will handle it for you if you ask them, as a hacked shared server can put other sites on the server at risk.

    #605765
    Michael

    Thanks Tom,

    This site WAS hacked some weeks ago, but re-built using GeneratePress + Elementor + a new installation of WP, and is now hosted on a new server as well. However, the old database was imported. I thought it was clean, but sounds like that should be double-checked.

    Meanwhile, I turned off ALL plugins, including the plugin that is handling CSS, and reverted to the Twenty Seventeen theme. The problem disappeared. I activated Elementor and it’s back!

    I don’t actually see the code embedded in the page, but the page definitely flashes multiple boxes with the X character when Elementor is activated. I also tested it the other way: Deactivate Elementor, and activate everything else, including GeneratePress. No issues.

    So, it seems to be Elementor. Or Elementor conflicting with something in the database. Confusing because I don’t see Elementor doing this on my other sites.

    Is it possible that the database has been hacked / corrupted in some way that is only apparent when Elementor is activated? Wow, I do not know how to solve that one.

    Unfortunately, Elementor is denying there’s any issue on their end so far.

    #606178
    Tom
    Lead Developer

    I would report that to Elementor then for sure, as that definitely sounds like it’s coming from the plugin itself.

    It’s rare that hacks happen within the database. There’s usually nasty code inside wp-config.php, .htaccess or other files.

    #606334
    Michael

    Thanks Tom, good to know that the database is likely OK. I’m following up with Elementor now. So far, they say the injected code does not have their signature.

    I scanned the site with WordFence – clean. The Sucuri plugin indicates the site is clean in terms of malicious JS, iFrames, redirects, SEO spam, and other “anomalies”, but also says Core WordPress Files Were Modified.

    Can you point me in the best general direction to fix these modified files? Re-install WP? Seems like there are some files that don’t exist in WP at all.

    #606347
    Leo
    Staff
    Customer Support

    Reinstalling WordPress is probably your best bet 🙂

    You can also check with WordPress’ support as well:
    https://wordpress.org/support/

    They might have encountered this issue before already.

    #606352
    Michael

    Thanks Leo, but how does reinstalling WP address any extra bad files that might have been created, that are not part of WP?

    #606355
    Leo
    Staff
    Customer Support

    Are the bad files inside the WP folder? If so the entire folder should be replaced with new installation.

    Might not be a bad idea to check with WordPress support.
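
The question raised above, what a reinstall does about files that are not part of WordPress, can be checked by comparing the live tree with a clean copy of the same release. This is an added example, not code from the thread or from WordPress; the function names, the `review` category and the sample trees are constructed for illustration, and `wp-content/` is deliberately left out of the comparison.

```python
import hashlib
import tempfile
from pathlib import Path

SITE_OWNED = {"wp-config.php", ".htaccess"}  # never in a clean download; read by hand
CONTENT_DIR = "wp-content/"                  # plugins, themes, uploads: check per package

def manifest(root):
    """Return {relative/path: sha256 hex} for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_install(clean_root, live_root):
    """Classify live files against a clean copy of the same WordPress version."""
    clean, live = manifest(clean_root), manifest(live_root)
    report = {"modified": [], "missing": [], "extra": [], "review": []}
    for rel in sorted(set(clean) | set(live)):
        if rel.startswith(CONTENT_DIR):
            continue                        # not part of the core comparison
        if rel in SITE_OWNED:
            report["review"].append(rel)    # no reference hash exists for these
        elif rel not in live:
            report["missing"].append(rel)
        elif rel not in clean:
            report["extra"].append(rel)     # left in place when files are only overwritten
        elif clean[rel] != live[rel]:
            report["modified"].append(rel)
    return report

def demo():
    """Build two constructed trees (not real WordPress files) and compare them."""
    def write(root, rel, data):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(data)
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for rel in ("index.php", "wp-admin/admin.php", "wp-includes/version.php"):
            for root in (clean, live):
                write(root, rel, "<?php // " + rel)
        write(live, "wp-includes/version.php", "<?php // edited")
        write(live, "wp-includes/extra.php", "<?php // not in the release")
        write(live, "wp-config.php", "<?php // site settings")
        write(live, "wp-content/plugins/example/main.php", "<?php")
        Path(live, "wp-admin/admin.php").unlink()
        return compare_install(clean, live)

if __name__ == "__main__":
    print(demo())
```

Files reported as `extra` are the ones a copy-over reinstall leaves behind, which is why replacing the whole folder matters; `review` entries are the site-owned files that have to be inspected manually.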

    #606386
    Michael

    Fresh news from Liquid Web hosting. They ran their internal checks and didn’t find any file issues. They think it’s the database.

    Unfortunately it doesn’t seem that the issue is from infected content on the filesystem, but as you mentioned before a compromised database. We don’t have any specific tools for searching for infected database content, and you may want to consult with a developer or security specialist.

    Please feel free to let me know if you have any additional questions or concerns.

    Thank you,
    Nichole Kernreicht
    Linux Systems Administrator RHCSA

    #606478
    Tom
    Lead Developer

    Unfortunately I’m not a database expert. However, if that text is within the database, you should be able to find it by searching through post/page content. Since it disappears when Elementor is disabled, I would start by looking through the Elementor content fields.

    #608361
    Michael

    Hi Tom, I searched the database, no trace of the offending code, which suggests it’s coming from a file, I *think*.

    Next step is to try a fresh install of WP, then delete (rather than deactivate) all plugins, then delete and reinstall the theme. Hoping that uncovers something.

    This exact issue is now cropping up on another site on my server, which uses a similar setup.

    #608525
    Tom
    Lead Developer

    Be sure to check files like wp-config.php and .htaccess for suspect looking code.

    Also let Liquid Web know, as you’ve confirmed it’s not coming from the database.

    #608596
    Michael

    Hi Tom, I *think* the issue is resolved. I ended up deleting all the plugins, installing a fresh copy of WP, then re-installed the plugins, carefully checking as I went. I also re-ran the Sucuri check, and manually looked at the config and htaccess files, nothing unusual there. So far, the pattern has not returned. So I’m thinking some plugin did not install properly, and that simply deactivating was not enough. Not sure about that though, will likely never know. I’m marking this issue as resolved for now. Thanks!
