what are the instructions to upload the file? I assume google wants it in the root of the site, so via FTP, upload it to the same directory in which you have wp-config.php.

Hello -- I have SEO malware on this page specifically

http://bewithmedocumentary.com/#!cast/

that I cannot get rid of! Did scan and found files it says were known infectious and got them cleaned up BUT the SEO still shows at the bottom of the page. Would love to get help and donate if you can find anything to help me get rid of this!!

Thank you in advance!

https://wordpress.org/plugins/gotmls/

Scratch that -- took care of the problem!

Right or add a meta tag to the homepage <head>. So how do I do that? i dont see any upload options or anywhere that I can edit the home page to add the meta tag to.

"Upload the file" are the instructions there are no more details.

you'd upload the file via FTP.

An alternative to the FTP is if you have access to the Editor option under Appearance. You can access and edit the header.php file from there. Just put the code that google gave you before the </head> tag.

Screenshot: http://screencast.com/t/Qxa2SqBifZT

using appearance->editor to edit PHP files is asking for trouble... one little slip of the finger, one missing ";", or anything else resulting in a PHP error will bring down the site.

Editing of PHP should not be done via the WordPress UI.

Hi,

Site in trouble - http://mayankrungta.in
Version of WordFence - Version 6.1.8 # The drop down doesn't allow this version. I don't know why

I am debugging a potential attack on my site. In my attempt to do so I blocked several IPs trying to look for xmlrpc file. WordFence did not help me detect any problems. I am using the free version. Today I noticed another thing - the logs are flooded with the following messages -

[Mon Jun 13 18:30:31.061556 2016] [:error] [pid 15920] [client 104.223.253.156:59569] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:32.606659 2016] [:error] [pid 6266] [client 104.223.253.156:51692] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:33.257808 2016] [:error] [pid 14251] [client 104.223.253.156:37441] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:35.087847 2016] [:error] [pid 1850] [client 104.223.253.156:42470] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:40.181061 2016] [:error] [pid 14339] [client 104.223.253.156:56799] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:44.197842 2016] [:error] [pid 21426] [client 104.223.253.156:40075] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:44.262231 2016] [:error] [pid 14379] [client 104.223.253.156:40269] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:47.862139 2016] [:error] [pid 15898] [client 104.223.253.156:50468] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:50.442134 2016] [:error] [pid 9168] [client 104.223.253.156:57726] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:50.484498 2016] [:error] [pid 15920] [client 104.223.253.156:57861] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.

The IP I checked -

https://www.abuseipdb.com/check/104.223.253.156

didn't seem suspicious. Should I block this IP? I open the file and it looks like something has been injected into it -

$ cat ~/html/xxx.in/wp-content/wflogs/ips.php
<?php exit('Access denied'); __halt_compiler(); ?>
��.�W����\}*W���
c˯�*W���~
          ^�*W����޽*W��mɅd�*W���
h�*W���
k��*W��%s��WW��M����+W���&׵→W��%▮J←�→W���\I⎺→W����;�→W����←W����→←W��PR�9←W��[┌�JI├←W��↓�      b�←W��U�W���
┴�←W��LJ�↓W���   H �↓W��⒢�↓W��/W��[b·/W��]�)W��└d�┐┬0W��R�1W��Ú��o1W��=a�<�1W���ʡ�:W��ƓZ1W���ү�2W���tւ��2W��z����&4W��qf�0u4W���L�4W��p}|��4W��Y�H��4W���B�j5W���k��6W��>Ҙ�6W������a�6W���f���6W��>R��6W���ʡ��6W���7W�������7W���
                                                                                     8W��z�d��r8W���W���-!�:W��g��5W����UW����W���v#
                                                                                                                                    >W��)L�L>W��_�k>W��>Ң*:?W��-@��Z?W��l;T�Z?W��3�g�?W���_
                                              a��?W��Úӷ@W��XvX@W��.i

I re-ran WordFence scan and it continues to show clean. If the stuff in the php file is injected code why is the tool missing the file. I thought I sat and cleaned the whole site in the last few days and if it is still infected and tools aren't helping I am at a loss.

Please advise what should be my next steps. I am reverting to the version below obviously -

Additionally, I downloaded the latest wordpress code (4.5.2) and did a diff with the one I am using. There are no other altered files though gotmls is pointing me to suspicious files. I don't know what to do for wp-content. Was hoping that WordFence does that for me. Here is the output from gotmls -

.git/index
wp-content/plugins/better-wp-security/core/modules/core/js/mc-validate.js
wp-content/plugins/captcha/bws_menu/js/shortcode-button.js
wp-content/plugins/wordfence/js/jquery-ui-timepicker-addon.js
wp-includes/js/json2.js
wp-includes/js/json2.min.js
wp-includes/js/tw-sack.min.js
wp-includes/js/tinymce/tiny_mce_popup.js
wp-includes/pomo/translations.php

The above were identified as potential threats and I don't see ips.php here either. Maldetec also gave a clean chit -

# maldet -a /
Linux Malware Detect v1.5
(C) 2002-2015, R-fx Networks <proj@rfxn.com>
(C) 2015, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(25582): {scan} signatures loaded: 10824 (8909 MD5 / 1915 HEX / 0 USER)
maldet(25582): {scan} building file list for /, this might take awhile...
maldet(25582): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(25582): {scan} file list completed in 18s, found 284696 files...
maldet(25582): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
maldet(25582): {scan} scan of / (284696 files) in progress...

maldet(25582): {scan} scan completed on /: files 284696, malware hits 0, cleaned hits 0, time 295s
maldet(25582): {scan} scan report saved, to view run: maldet --report XXXXXXXXXXX

Anything else that I should be doing? Any other info that I share can be of help?

The first of the errors occured at -

[Mon Jun 13 17:28:08.122791 2016] [:error] [pid 31218] [client 104.223.253.156:51079] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.

I changed the permission of .htaccess to give write access to user (not group www-admin) around that time. Not sure that can help trigger it. But that's all I can remember.

Also, I don't understand wordfence-waf.php resides in the root directory, shoudln't all plugin related files be contained within wp-content? Sorry if I am mistaken.

If it is any help, I ran into the word fence missing table error which is very prevalent I noticed (on forums) and only for WordFence specifically in my case. I reinstalled the plugin after deleting everything a day or so back. I commit the files to a git repository and then pull the changes to other sites keeping them consistent. I am considering not tracking wp-content anymore but then any inconsistency in files will be missed. Any advice there would help also.

Hope this helps.

Thanks in advance,
Mayank

https://wordpress.org/plugins/wordfence/

Right. However you'd still have access to the dashboard if you get a PHP error from editing the header.php. If you make a mistake from editing the header.php just remove the code that you added and it should work.

Besides, the codes that google wants you to add to the header are non-PHP so it shouldn't do harm. Again, just put it before the </head> tag. To be more specific:

PUT CODE HERE
</head>

I just checked and found that the wf-logs folder is filled with files. I am not sure if these are of any interest -

$ ls wp-content/wflogs/
attack-data.php    config.tmp.8s2DJI  config.tmp.DIfLPz  config.tmp.IILjYb  config.tmp.MNIIUD  config.tmp.Rlo8Gb  config.tmp.vWRL6G
config.php         config.tmp.8t1Nta  config.tmp.DOVqil  config.tmp.iNFvTP  config.tmp.mptVmR  config.tmp.ROyitH  config.tmp.w2fbSG
config.tmp.01SKtf  config.tmp.8X0P1n  config.tmp.DUxSzh  config.tmp.IPfBTL  config.tmp.MSRCZS  config.tmp.RRgdgp  config.tmp.w5LrTO
config.tmp.0fkrgE  config.tmp.8YElpQ  config.tmp.e7zaVX  config.tmp.IvL1Xs  config.tmp.MSU6Rm  config.tmp.RS6EzB  config.tmp.WDStkZ
config.tmp.0y3srO  config.tmp.91Cj0w  config.tmp.e9TeCU  config.tmp.IY3Lzm  config.tmp.MWMkO0  config.tmp.rUpYFC  config.tmp.wGAzgs
config.tmp.0zGb35  config.tmp.9HDGP9  config.tmp.Elhfoc  config.tmp.IZjoOy  config.tmp.mwvB3V  config.tmp.rUUGVd  config.tmp.WgUD8d
config.tmp.1yLpb2  config.tmp.9zPt7C  config.tmp.ELhXSX  config.tmp.J9998a  config.tmp.N1uzhJ  config.tmp.s4EO49  config.tmp.WjPUAk
config.tmp.1YYyt5  config.tmp.a0tZjO  config.tmp.eNP5t5  config.tmp.jABaSa  config.tmp.N300aO  config.tmp.SHT5Sl  config.tmp.WkLWCo
config.tmp.231J1a  config.tmp.A0ZNyx  config.tmp.ESaH0t  config.tmp.jihc1a  config.tmp.n3zcvJ  config.tmp.siOzbF  config.tmp.wqtRTy
config.tmp.2I5bU3  config.tmp.A3qvJy  config.tmp.EVbwNN  config.tmp.jIv0vt  config.tmp.nbRrMl  config.tmp.sPZ4Ga  config.tmp.WVtY8P
config.tmp.2k2gOo  config.tmp.a5C5cV  config.tmp.f0Ohb9  config.tmp.JNSCm1  config.tmp.NeHvVC  config.tmp.Sr0GCZ  config.tmp.wzs9Jd
config.tmp.2k69ad  config.tmp.aAe9TD  config.tmp.F2TMNn  config.tmp.jQbQaD  config.tmp.nhHXXg  config.tmp.sRdebM  config.tmp.wZsSFH
config.tmp.2MDe92  config.tmp.aCD5OC  config.tmp.F61sDj  config.tmp.jQv86R  config.tmp.nqirDn  config.tmp.st6JKU  config.tmp.x2o81C
config.tmp.2THUwE  config.tmp.acIxAb  config.tmp.F8YMIB  config.tmp.jRCTHz  config.tmp.ntab8a  config.tmp.sweid9  config.tmp.Xb9Lkc
config.tmp.2UEPNR  config.tmp.ACZ1a3  config.tmp.fbhac7  config.tmp.jvXHW6  config.tmp.nuVrXD  config.tmp.sxkpDK  config.tmp.XIUz0u
config.tmp.329DpF  config.tmp.ANfbpH  config.tmp.FGeSoP  config.tmp.JZZv0M  config.tmp.NYhwgZ  config.tmp.t1RaUd  config.tmp.xLVaba
config.tmp.3AuMiE  config.tmp.av0u7Z  config.tmp.FMd53m  config.tmp.K9l9BL  config.tmp.o274k8  config.tmp.Ta6XiN  config.tmp.XOfBl9
config.tmp.3BZY9k  config.tmp.AX5WJc  config.tmp.fMvB8N  config.tmp.KA6JPr  config.tmp.Ob54X1  config.tmp.tdx9xH  config.tmp.Xq8UbE
config.tmp.3DKjpJ  config.tmp.aXvFF5  config.tmp.frlDgg  config.tmp.KAuvGm  config.tmp.okWZzv  config.tmp.TETdAb  config.tmp.xs1PAi
config.tmp.3DWjYD  config.tmp.aZB4k7  config.tmp.fS8zLI  config.tmp.KCCud9  config.tmp.omYnok  config.tmp.TewyMz  config.tmp.xym3KV
config.tmp.3xAeri  config.tmp.b06Hzk  config.tmp.FVfI0b  config.tmp.kCilz2  config.tmp.OPCejV  config.tmp.thTZTt  config.tmp.Y2NqHf
config.tmp.40rf5f  config.tmp.b33S8y  config.tmp.G7ldpr  config.tmp.KEcP1x  config.tmp.oQQkc5  config.tmp.TiCb8X  config.tmp.Y4yuD0
config.tmp.45gToR  config.tmp.b7fst9  config.tmp.G7wi60  config.tmp.KEFRla  config.tmp.ospPgY  config.tmp.u0Onc2  config.tmp.y5fNJn
config.tmp.4CZGdU  config.tmp.B7Wz3L  config.tmp.g9fvnB  config.tmp.KF4Kfu  config.tmp.oTfHoC  config.tmp.U77u5z  config.tmp.yAtViy
config.tmp.4OqJh5  config.tmp.B8WGLp  config.tmp.ga4OOH  config.tmp.KOBqnu  config.tmp.pahbo4  config.tmp.U8lgFb  config.tmp.Yn7V81
config.tmp.4Ry8F2  config.tmp.BGv4lY  config.tmp.gAhL12  config.tmp.KSIJ0B  config.tmp.pfxhmo  config.tmp.uAlJwq  config.tmp.yzOKyd
config.tmp.4W21Sc  config.tmp.BnQsQ7  config.tmp.Gb0BP1  config.tmp.KTHSQt  config.tmp.pggkgv  config.tmp.Uc0ET1  config.tmp.z5bocW
config.tmp.5GWFAu  config.tmp.bPStgh  config.tmp.geVMp4  config.tmp.l2tJ1K  config.tmp.pVHry0  config.tmp.ufL4RD  config.tmp.z90Whx
config.tmp.5hdDnF  config.tmp.bsSPsH  config.tmp.ggyPYz  config.tmp.L5gQ7x  config.tmp.PwRg2F  config.tmp.UHDoOY  config.tmp.ZcO1rl
config.tmp.5tNRy7  config.tmp.BTLeK3  config.tmp.gwblPy  config.tmp.l5JwRi  config.tmp.pYTuA9  config.tmp.uJY9jV  config.tmp.ZEEs1z
config.tmp.6fd1q5  config.tmp.ccwlWI  config.tmp.Gys61a  config.tmp.l6suMm  config.tmp.q5mkQk  config.tmp.uNcdlK  config.tmp.zilkah
config.tmp.6fe86Q  config.tmp.cECAiv  config.tmp.H5HiWU  config.tmp.lCt71w  config.tmp.qaso50  config.tmp.uPxLXR  config.tmp.zJy0mD
config.tmp.6g2wrO  config.tmp.cgHvtw  config.tmp.hdEaIJ  config.tmp.lh65sH  config.tmp.qFZjgF  config.tmp.V1bVJC  config.tmp.ZQR3x2
config.tmp.6PPXkb  config.tmp.cklHkt  config.tmp.hdsjtY  config.tmp.lnUdrs  config.tmp.QJtEaB  config.tmp.v2IC38  config.tmp.zvVGHY
config.tmp.6TJUBJ  config.tmp.CMtIq7  config.tmp.hiSXoG  config.tmp.LOfJhS  config.tmp.qyyv8B  config.tmp.vBDvi1  config.tmp.ZYeXtp
config.tmp.6zqvIz  config.tmp.CNtbA5  config.tmp.HJXBcB  config.tmp.m1NdQM  config.tmp.r6LA3F  config.tmp.vcpVYN  config.tmp.ZYSMw6
config.tmp.77PsZZ  config.tmp.cR3Kji  config.tmp.hLClG0  config.tmp.mahXdx  config.tmp.RcuQxE  config.tmp.vcQzfJ  config.tmp.zZRRLo
config.tmp.7EzDhU  config.tmp.crj9JR  config.tmp.HMJ1Kg  config.tmp.mAmg2X  config.tmp.RDscbh  config.tmp.vd5okE  ips.php
config.tmp.7nwYMJ  config.tmp.CzcyLb  config.tmp.hMYNDv  config.tmp.MFbYzU  config.tmp.rDYpHn  config.tmp.vJAbLI  rules.php
config.tmp.7OAFjk  config.tmp.d20ulm  config.tmp.hT2QjA  config.tmp.MjG75C  config.tmp.rJvyam  config.tmp.VJxJgz  wafRules.rules
config.tmp.8fy0qs  config.tmp.D9lwwT  config.tmp.hWkr02  config.tmp.mKbXi7  config.tmp.RkrIYr  config.tmp.vNpL4y
config.tmp.8NWJMn  config.tmp.DdZQUB  config.tmp.ic7VdZ  config.tmp.MmZ8iU  config.tmp.RKvMfB  config.tmp.vwAAL6

Another thing I did was change the owner of the folders around this time -

# ll /opt/html/xxx.in/wp-content/wflogs/ips.php
-rw-r--r-- 1 mayank www-data 51 Jun 13 19:22 /opt/html/xxx.in/wp-content/wflogs/ips.php

My guess is the error from the log will go away, if I open the permission to this file to www-data. But is that a safe thing to do considering that open permission led to the extraneous code in the file?

Also the IPs in the later logs are all strange. Some showing in the abuseip dataase others not. I don't know what to make of them -

[Mon Jun 13 17:28:27.759653 2016] [:error] [pid 13188] [client 195.62.53.138:39272] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 17:28:28.587749 2016] [:error] [pid 32637] [client 195.62.53.253:49177] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 17:28:28.723774 2016] [:error] [pid 17915] [client 195.88.209.159:60975] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 17:28:29.344031 2016] [:error] [pid 31218] [client 195.62.53.138:44910] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 17:28:29.349683 2016] [:error] [pid 28599] [client 104.223.253.156:60185] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 17:28:30.945144 2016] [:error] [pid 14058] [client 195.62.53.138:50482] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 17:28:31.431432 2016] [:error] [pid 31205] [client 188.42.255.244:43879] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 17:28:31.672153 2016] [:error] [pid 16083] [client 195.62.53.9:42060] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 17:28:32.233086 2016] [:error] [pid 15280] [client 104.223.253.156:37290] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 17:28:32.521239 2016] [:error] [pid 13188] [client 195.62.53.138:56058] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 17:28:32.637473 2016] [:error] [pid 32637] [client 172.245.10.116:36448] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 17:28:34.693266 2016] [:error] [pid 17915] [client 195.62.53.253:55923] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.

Kindly advise,
Mayank

Is this the place to post queries about wordfence? I see no response so far. This issue is getting critical. I open the permission and I see something suspicious in the file again and this time in two sites -

$ cat ips.php
<?php exit('Access denied'); __halt_compiler(); ?>
^@^@^@^@^@^@^@^@^@^@ÿÿhÅ<Ö5Â_W

Look forward to some quick advice about this. For now I have disabled write on this file.

Thanks in advance,
Mayank

Hi guys, i need help

My Sites keep getting malware and google block them. 5 days ago i remove all malware from hosting and google review and unblock it from red malware site. now this happen again. Sites got again malware? What do any ideas?

When you clean up malware, you need to make sure that you also identify and close the vector they used to get in. If you just clean up the symptoms without closing the vector, they'll just keep doing it.

Remain calm and carefully follow this guide. When you're done, you may want to implement some (if not all) of the recommended security measures.

Thank you James for reply,

My support agents are not that good, and they keep telling me to recreate the domains, i don't want to recreate them, they mean delete everything and start new. I invest 4 years in that websites so i don't know what to do.

I've been through all process and clean all malware, but i don't know how to close the vector they get to use it get in. From where to start James?

There are several paid services out there that will fix your site and keep watch over it. I use Sucuri (I don't work for them just use their service).

You'll need to follow all of the above-mentioned guide yourself, starting at the top. It covers all possible known vectors.

Alternatively, you could hire a firm that specializes in this and has good standing in the community, like https://www.sucuri.net or https://vaultpress.com

There's a bot (or maybe several) that have been accessing the same URL on my site over and over. It's http://mysite.com/mynewestpost/?share=email&nb=1

I had Wordfence run a Whois and it's from Krypt Technologies, also known as VPLS, and Google says it's a shady ISP that tends to allow or cooperate with spammers and malware and hackers.

Of course I manually blocked the 8 IP addresses in use, but the bots are still attempting to access that one URL anywhere from every 3-7 seconds. Each one has 2000-3000 hits in total.

My question is what are these bots trying to do by accessing the email share feature over and over? Are they spamming, trying to DoS me, probing for a vulnerability in the share feature? I guess I just am not sure why it's only accessing that single URL and not attempting to access any other pages.

https://wordpress.org/plugins/wordfence/

It's probably looking for a vulnerability or way of doing email spam. Waste of time to try and figure out why you get attacked, frequently you're just crawled because you are a website, along with thousands or millions of others. If you don't like bots hitting that URL, put it in your Wordfence "Immediately block IP's that access these URLs" and use it as a honey trap. Fun to watch over coffee as the bots get blocked (though it'll make you wonder how they get to you in the first place, as such bots should be blocked as part of the Wordfence network). Am pretty sure you'd put it in to the "Immediately block..." as /*/?share=email&nb=1

MTN

Hello mayankrungta,
no you should not block that file. There is nothing malicious about what you are seeing there. It's obfuscated data that Wordfence needs to write to the file.

Did you have any other questions?