- This topic has 14 replies, 5 voices, and was last updated 4 years, 5 months ago by Tom.
April 16, 2015 at 5:37 pm #99317Ben Tupper
I’ve recently had my server hacked with a nasty redirect malware. I’m working on this with my server team at the hosting company and they have scanned and removed a lot of files that were creating problems. I can provide more info as needed from support ticket details with them.
So far everything they have removed seems to be keeping the nasty redirects at bay, but one thing remains. All the sites I’m running generate press on are displaying the same type error from the nav-menu.php file. Here’s what’s displaying when trying to click on any link from some of these WP sites on my server:
Warning: chmod() [function.chmod]: Operation not permitted in /home/teamtup/public_html/dance/wp-includes/nav-menu.php on line 502
Warning: file_put_contents(/home/teamtup/public_html/dance/wp-includes/../.htaccess) [function.file-put-contents]: failed to open stream: Permission denied in /home/teamtup/public_html/dance/wp-includes/nav-menu.php on line 503
Warning: chmod() [function.chmod]: Operation not permitted in /home/teamtup/public_html/dance/wp-includes/nav-menu.php on line 504
Warning: touch() [function.touch]: Utime failed: Operation not permitted in /home/teamtup/public_html/dance/wp-includes/nav-menu.php on line 508
The one thing they have in common is that they all are running the GeneratePress theme. The server team said there could be a vulnerability in the nav-menu.php file and that if you are willing to take a look, if it’s something in the code that could be patched that could fix the problem.
By the way, the problem ultimately is that the htaccess file is being overwritten on the fly to create the redirects. The server team set up a new htaccess file and made it unchangeable on the server and then we started getting the error message to display which we believe are helping us zero in the source of the problem.
Please let me know what you think and what other information I can provide if you are willing/able to look into this some more.
Thanks! LOVE GeneratePress!!!
-BenApril 16, 2015 at 5:49 pm #99320TomLead DeveloperLead Developer
Yikes, hate those stupid automated hackers.
The nav-menu.php file is actually a core WordPress file.
GeneratePress displays the navigation using the core WordPress function wp_nav_menu() as it should. We’re not doing anything special or custom when it comes to the navigation/nav-menu.php file – no walkers or anything – so I doubt the issue is coming from the theme itself.
You may want to look at the plugins you have installed, and make sure everything is up to date.
In my experience, websites getting hacked usually come down to the hosting security itself. For example, GoDaddy shared hosting frequently gets hacked (or it did, not sure about anymore).
If you find anything out that relates to GP, definitely let me know.
Hope you get it all sorted out – I’m here if you have any questions or concerns 🙂April 16, 2015 at 5:51 pm #99321Ben Tupper
Great info! Thanks for the super speedy reply!! Will keep working with the server team to resolve. I think we are close. Great to know it’s nothing in GP. I figured not – you’re too good!!!
Thanks Tom!April 16, 2015 at 5:53 pm #99322TomLead DeveloperLead DeveloperApril 16, 2015 at 7:31 pm #99344Ben Tupper
We solved it by reuploading core WP files. Now it’s wait and see to find out if the whack-a-mole problem will start again or if it’s been contained. But again, thanks for the heads up and the quick replies. I really appreciate it.April 16, 2015 at 10:49 pm #99353TomLead DeveloperLead DeveloperJuly 14, 2015 at 1:02 pm #121047Michael Vickers
I too am getting this really annoying hack. Seems to rewrite the .htaccess permissions to 444.
Ive done the usual update all plugins etc but still get hacked a few weeks after reinstalling the wordpress installation.
Anyone got to the root cause of this?July 14, 2015 at 1:03 pm #121048TomLead DeveloperLead Developer
It’s most likely your hosting – certain shared hosts get hacked more than others.
It could also be a vulnerability in one of your plugins.October 22, 2015 at 11:22 am #146566Peter
Hi guys, while I am not qualified by any means to say where the problem lies, I had a site running great with Generate Press…until bought and uploaded the GP Premium Add-Ons pack on Friday 16 October. On 18 October the site became unusable due to this kind of redirect and crash.
After trying to get the Hostgator to deal with it…they wouldn’t, because they don’t dirty their hands with malware, and after spending two days removing plugins, directives, add-on domains…you name it. I was still left with the problem.
Finally, one hour ago I activated the 2012 theme in place of Generate Press, and there is no sign of the problem. I completely uninstalled GP and all its files from the domain, and so far all looks ok…although I am still seeing attempted logins from Russian IP addresses reported in Sucuri.
So, I will wait overnight to see if SiteLock and/or Sucuri report any more issues, and we will chat again. But at this time, it looks like the GP upgrade was the guilty party…unless you can shed any different light on things. Any help, advice and guidance will be gratefully recieved.
Regards, PeterOctober 22, 2015 at 11:34 am #146570TomLead DeveloperLead Developer
That’s very odd – no one else has reported anything like this.
Did you get any specific errors when the site crashed?
Can you try completely deleting your GP Premium plugin, and downloading a fresh copy from your account?: https://generatepress.com/account
If your hosting has been hacked, be sure to do a full scan and remove any malware you find.
Also change all passwords (cPanel, WordPress, FTP) and make sure you’r using the latest versions of all of your plugins and themes.
Also, make sure all of your plugins have been updated recently – old plugins no longer supported can have security holes in them.
Let me know what you find out.October 22, 2015 at 12:19 pm #146589bdbrown
they wouldn’t, because they don’t dirty their hands with malware
Exactly why I don’t trust a shared hosting provider to provide the security to protect my sites. Some hosts are probably better than others but I believe that security is the site owner’s responsibility. There are dozens of tutorials and tools available to address WP security. I’m not an expert but my guess would be that changing themes didn’t solve the problem. It may have disrupted the initial attack but, unless the root cause is identified and addressed, I think you’ll most likely see it again. There are other points of entry, some of which Tom mentioned above, that I’d be looking at before I’d suspect the GP theme or the Premium plugin.October 22, 2015 at 1:43 pm #146604TomLead DeveloperLead DeveloperMay 13, 2016 at 8:35 pm #194154Eli
My sites just got hacked in SiteGround with the same hack. Whateve Siteground says about their advanced security is simply false advertisement. They couldn’t stop it on the perimeter with all their ‘advertised intrusion detection systems and ModSecurty rules’ and their official response in support was ‘it is your problem’.
So I wouldn’t go s far as saying that their security is excellent. It is as bad as any other hosting out there, they just make a lot of false promises.May 13, 2016 at 8:37 pm #194155Eli
To the best of my knowledge the only host that officialy integrated with Sucuri and includes it in the price s WP Engine. The best hosting in the world, but too expensive for reselers.May 13, 2016 at 11:53 pm #194164TomLead DeveloperLead Developer
I’ve had some issues with Siteground lately as well with a few hobby sites.
Unfortunately, no shared hosting is going to be 100% secure.
- You must be logged in to reply to this topic.