[Resolved] nav-menu.php Vulnerability check

Viewing 15 posts - 1 through 15 (of 15 total)
    #99317
    Ben Tupper

    Hi Tom,

    I’ve recently had my server hacked with a nasty redirect malware. I’m working on this with my server team at the hosting company and they have scanned and removed a lot of files that were creating problems. I can provide more info as needed from support ticket details with them.

    So far everything they have removed seems to be keeping the nasty redirects at bay, but one thing remains. All the sites I’m running GeneratePress on are displaying the same type of error from the nav-menu.php file. Here’s what’s displaying when trying to click on any link from some of these WP sites on my server:

    Warning: chmod() [function.chmod]: Operation not permitted in /home/teamtup/public_html/dance/wp-includes/nav-menu.php on line 502

    Warning: file_put_contents(/home/teamtup/public_html/dance/wp-includes/../.htaccess) [function.file-put-contents]: failed to open stream: Permission denied in /home/teamtup/public_html/dance/wp-includes/nav-menu.php on line 503

    Warning: chmod() [function.chmod]: Operation not permitted in /home/teamtup/public_html/dance/wp-includes/nav-menu.php on line 504

    Warning: touch() [function.touch]: Utime failed: Operation not permitted in /home/teamtup/public_html/dance/wp-includes/nav-menu.php on line 508

    The one thing they have in common is that they all are running the GeneratePress theme. The server team said there could be a vulnerability in the nav-menu.php file and that if you are willing to take a look, if it’s something in the code that could be patched that could fix the problem.

    By the way, the problem ultimately is that the .htaccess file is being overwritten on the fly to create the redirects. The server team set up a new .htaccess file and made it unchangeable on the server, and then we started getting the error messages to display, which we believe are helping us zero in on the source of the problem.

    Please let me know what you think and what other information I can provide if you are willing/able to look into this some more.

    Thanks! LOVE GeneratePress!!!

    -Ben

    #99320
    Tom
    Lead Developer

    Hi Ben,

    Yikes, hate those stupid automated hackers.

    The nav-menu.php file is actually a core WordPress file.

    GeneratePress displays the navigation using the core WordPress function wp_nav_menu() as it should. We’re not doing anything special or custom when it comes to the navigation/nav-menu.php file – no walkers or anything – so I doubt the issue is coming from the theme itself.

    You may want to look at the plugins you have installed, and make sure everything is up to date.

    In my experience, websites getting hacked usually come down to the hosting security itself. For example, GoDaddy shared hosting frequently gets hacked (or it did, not sure about anymore).

    If you find anything out that relates to GP, definitely let me know.

    Hope you get it all sorted out – I’m here if you have any questions or concerns 🙂

    #99321
    Ben Tupper

    Great info! Thanks for the super speedy reply!! Will keep working with the server team to resolve. I think we are close. Great to know it’s nothing in GP. I figured not – you’re too good!!!

    Thanks Tom!

    #99322
    Tom
    Lead Developer

    No problem – security is important!

    If you need any more info just let me know 🙂

    #99344
    Ben Tupper

    We solved it by reuploading core WP files. Now it’s wait and see to find out if the whack-a-mole problem will start again or if it’s been contained. But again, thanks for the heads up and the quick replies. I really appreciate it.

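Reuploading core files fixes the immediate problem, but it helps to confirm first that a core file such as nav-menu.php has actually been altered and what it was altered to do. The following is an added example, not code from this thread or from GeneratePress: a small integrity check that compares core files against a known-good MD5 manifest and, for any modified file, flags the pattern the warnings above show (a core file referencing .htaccess and calling file_put_contents/chmod/touch). The clean file contents, the tampered copy and the manifest are constructed stand-ins; for a real install the manifest comes from the wordpress.org checksum API for the installed version.

```python
import hashlib
import os
import re
import tempfile

# Constructed stand-in for a clean core file. In practice the known-good MD5s
# come from the wordpress.org checksum API for the installed version, e.g.
# https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=en_US
CLEAN_NAV_MENU = "<?php\n/* Navigation Menu functions */\nfunction wp_get_nav_menu_object($menu) { return $menu; }\n"
KNOWN_GOOD = {"wp-includes/nav-menu.php": hashlib.md5(CLEAN_NAV_MENU.encode()).hexdigest()}

# Constructed tampered copy showing the same calls the warnings in the thread
# report: a core file writing the site's .htaccess, then chmod()/touch() on it.
TAMPERED = CLEAN_NAV_MENU + (
    "@chmod($h = __DIR__ . '/../.htaccess', 0644);\n"
    "file_put_contents($h, $rules);\n@chmod($h, 0444);\n@touch($h);\n"
)

# File-writing / permission calls worth a second look inside wp-includes
SUSPICIOUS = re.compile(r"\b(file_put_contents|fwrite|chmod|touch)\s*\(", re.I)
HTACCESS = re.compile(r"\.htaccess")

def scan_core(root, manifest):
    """Return (relative path, reason) for each core file that is missing or
    whose MD5 differs from the manifest, noting .htaccess writers."""
    findings = []
    for rel, good_md5 in manifest.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            findings.append((rel, "missing"))
            continue
        data = open(path, "rb").read()
        if hashlib.md5(data).hexdigest() == good_md5:
            continue  # byte-for-byte identical to the known-good copy
        text = data.decode("utf-8", "replace")
        calls = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(text)})
        reason = "modified"
        if calls and HTACCESS.search(text):
            reason += "; references .htaccess via " + ",".join(calls)
        findings.append((rel, reason))
    return findings

def demo():
    # Build a throwaway install containing only the tampered file and scan it
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "wp-includes", "nav-menu.php"), "w") as f:
        f.write(TAMPERED)
    return scan_core(root, KNOWN_GOOD)
```

Against a live site, point scan_core() at the document root with the manifest fetched for the installed version; a modified file that references .htaccess is the one to replace with a fresh copy first.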
    #99353
    Tom
    Lead Developer

    Glad you got it sorted 🙂

    #121047
    Michael Vickers

    I too am getting this really annoying hack. Seems to rewrite the .htaccess permissions to 444.

    I’ve done the usual update all plugins etc. but still get hacked a few weeks after reinstalling the WordPress installation.

    Anyone got to the root cause of this?

    #121048
    Tom
    Lead Developer

    It’s most likely your hosting – certain shared hosts get hacked more than others.

    It could also be a vulnerability in one of your plugins.

    #146566
    Peter

    Hi guys, while I am not qualified by any means to say where the problem lies, I had a site running great with GeneratePress…until I bought and uploaded the GP Premium Add-Ons pack on Friday 16 October. On 18 October the site became unusable due to this kind of redirect and crash.

    After trying to get HostGator to deal with it…they wouldn’t, because they don’t dirty their hands with malware…and after spending two days removing plugins, directives, add-on domains…you name it, I was still left with the problem.

    Finally, one hour ago I activated the 2012 theme in place of GeneratePress, and there is no sign of the problem. I completely uninstalled GP and all its files from the domain, and so far all looks OK…although I am still seeing attempted logins from Russian IP addresses reported in Sucuri.

    So, I will wait overnight to see if SiteLock and/or Sucuri report any more issues, and we will chat again. But at this time, it looks like the GP upgrade was the guilty party…unless you can shed any different light on things. Any help, advice and guidance will be gratefully received.

    Regards, Peter

    #146570
    Tom
    Lead Developer

    Hi Peter,

    That’s very odd – no one else has reported anything like this.

    Did you get any specific errors when the site crashed?

    Can you try completely deleting your GP Premium plugin, and downloading a fresh copy from your account?: https://generatepress.com/account

    If your hosting has been hacked, be sure to do a full scan and remove any malware you find.

    Also change all passwords (cPanel, WordPress, FTP) and make sure you’re using the latest versions of all of your plugins and themes.

    Also, make sure all of your plugins have been updated recently – old plugins no longer supported can have security holes in them.

    Let me know what you find out.

    #146589
    bdbrown

    “they wouldn’t, because they don’t dirty their hands with malware”

    Exactly why I don’t trust a shared hosting provider to provide the security to protect my sites. Some hosts are probably better than others but I believe that security is the site owner’s responsibility. There are dozens of tutorials and tools available to address WP security. I’m not an expert but my guess would be that changing themes didn’t solve the problem. It may have disrupted the initial attack but, unless the root cause is identified and addressed, I think you’ll most likely see it again. There are other points of entry, some of which Tom mentioned above, that I’d be looking at before I’d suspect the GP theme or the Premium plugin.

    #146604
    Tom
    Lead Developer

    SiteGround has awesome security for a shared hosting provider, but most are definitely sub par.

    #194154
    Eli

    My sites just got hacked in SiteGround with the same hack. Whatever SiteGround says about their advanced security is simply false advertisement. They couldn’t stop it on the perimeter with all their ‘advertised intrusion detection systems and ModSecurity rules’ and their official response in support was ‘it is your problem’.
    So I wouldn’t go so far as saying that their security is excellent. It is as bad as any other hosting out there, they just make a lot of false promises.

    #194155
    Eli

    To the best of my knowledge the only host that officially integrated with Sucuri and includes it in the price is WP Engine. The best hosting in the world, but too expensive for resellers.

    #194164
    Tom
    Lead Developer

    I’ve had some issues with SiteGround lately as well with a few hobby sites.

    Unfortunately, no shared hosting is going to be 100% secure.