Hello, Sucuri detected SEO Spam on my site but when I scanned the site with your plugin, it didn’t detect any threat.
Here is the report Sucuri is giving: `Known javascript malware. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO?spam-seo.hidden_content.62
<body class=”home page-template-default page page-id-102 lightbox nav-dropdown-has-arrow elementor-default elementor-page elementor-page-102″><div style=”position:absolute;top:0;left:-9999px;”>`
Please help.
Thanks.
Being in cybersecurity, we’re currently investigating and testing out all WordPress plugins that implement browser-based cryptocurrency mining. At the time we posted this review, no WordPress plugins are currently doing it right or asking permission.
While not something that we recommend, if it’s done in an opt-in manner, where the site visitor is notified first, and no mining occurs without user permission, that is legitimate.
However that’s not what this plugin does. This plugin’s implementation is malware. It is a stealth miner, or cryptojacker, because it effectively hijacks the user’s browser for mining and will spike their CPU usage.
Potential users need to be aware that this plugin’s current implementation of JavaScript-based crypto-mining is considered malware by most users, web hosts, cloud security services (WAFs), and anti-virus apps.
There are a rash of these types of stealth miner scripts popping up on sites, and the risks they pose to site owners and visitors are not acceptable.
Most people do not want to have their browsers hijacked for mining cryptocurrency, especially without warning or option to opt-out.
Cloudflare, and many other cloud security WAFs and web hosts are kicking off users who run these types of scripts because they are considered malware when there is no transparency to the site visitor.
Google is even planning on adding code to Chrome to block mining scripts like this.
We recommend that all WordPress site owners avoid this type of script/plugin. Users can protect themselves by using browser anti-mining plugins, and strong antivirus. Most ad blockers don’t stop most in-browser cryptominers (yet)…many are working on adding this. Users need a specific browser add-on for cryptominers like “No Coin” and “minerBlock”, etc. Might want to use a couple as no single one blocks all of them.
This plugin makes some fundamental changes to WordPress core functionality.
The plugin author does not adequately warn users that using this plugin can cause major issues. We’ve done tech support on literally tens of thousands of WordPress sites, and have seen this plugin break things many times.
A plugin like this is really ill-conceived in the first place, as it makes major changes to the functionality of other plugins, with having a keen understanding of what they do.
We’ve done compatibility testing and tried a while back to create a compatibility solution.
Additionally, instead of working with other plugin authors, the dev, Jeff, decides to go adversarial, instead of taking a collaborative approach. In the latest update 9.2.3, he added malicious code that specifically targets only WP-SpamShield deactivates the plugin, and uses technique that prevents site owners from reactivating it, even when Plugin Organizer is disabled. (Full disclosure, I’m the lead dev of WP-SpamShield.) That’s not acceptable, as this is a leading anti-spam plugin, with almost 200,000 users. Plugin Organizer is leaving potentially thousands of site owners without anti-spam and security protection provided by WP-SpamShield, and without them knowing that this is happening. That fits the definition of malware.
It would be easy to provide a hook or whitelist feature that allows other plugins to opt out or opt in. That’s essential because not every plugin should be interfered with.
Hi All
At a complete loss here. Somehow, someone was able to insert a single line of ‘spam’-style text onto my homepage and I have no idea how to eradicate it. It reads “Cheap mulberry bags mulberry outlet online”. It can’t normally be seen on desktops as my menu bar usually covers it, but it’s really prominent when viewed on a mobile device. Thankfully, the text doesn’t seem to be a link. Can anyone direct me to the file I need to edit in order to remove this text?
After having taken all the security measures possible, I still kept on being hacked. I bought WordFence Premium and their audit service and now these reports about added malware to my site has finally stopped. Thanx for great work and personal support answering all my questions!
Asking on behalf of a friend. No really.
When searching for her site “Elizabeth Caton” the site description has been hijacked by some kind of malware that’s showing text from an Italian site
https://www.google.co.uk/search?q=elizabeth+caton
Do you have an idea how I can chase this down and eliminate it for her?
Thanks in advance.
My client received a notification last night that she had some malware on her site. One of which was from the Post Grid plugin. It was wp-content/plugins/post-grid/includes/menu/help.php reporting rex.obfu_string.001 malware. Are you aware of this injection? Because I looked at the file and didn’t see malware.
Wordfence is a truly outstanding security plugin. I have had nothing but good interactions with all members of the team. Recently, another plugin caused my website to be impossible to log in to, either as a public user or as an admin. Assuming the reason was malware, I submitted a request for them to clean the site. I was told that it would be 2 business days for them to get to my request. Before that time had elapsed, I had an email from Wordfence Support that my problem was another plugin which was operating improperly, that I should deactivate it and see if that fixed the problem, and guidelines on how to do that given that I could not log in to the website at all. The alternate way to deactivate the plugin worked, deactivating the plugin gave me my site back, and I was issued a full refund for the money I had put down for the malware clean (since the problem was not malware). Everything was done quickly, professionally, and courteously; I could NOT ask for more. Great company!
Hi,
I had malwares that redirects to another sites whenever I click anywhere on the site.
With your plugin I erased 4 of them, and now the redirects are no longer active, but instead, if I click, the browser open and about:blank page completely empty.
Do you have some advice for deleting this issue? I don’t understand what is left to delete.
Thanks
Hello, I might have a malware on my website. Whenever somebody visits the website and clicks on a link they are directed to some spam websites. I tried every security plugin there is but they cannot find any vulnerabilities. Please help.
Plugin installed that wa not caught by even your free scanner (which is usually very good).
Plugin “name”: injectbody/injectsrc
I found this after a site started redirecting users to a scam support page. However, Wordfence “high sensitivity” scan didn’t detect it. Has anyone else seen this and any ideas on where else could this be lurking? I can’t seem to find it anywhere else. Sucuri is still seeing the payload, but, Wordfence still does not see it.
Thanks,
HMS Products
It installs unwanted ads by onclickrev.com, it opens new tabs whenever you click anywhere inside an article
How to remove Malware found in the URL shown by sucuri.
Infected URL:
Did you encounter any problems/massive false alarms regarding OPcache activation?
A short time after I activated (for the first time) OPcache for my site, Wordfence reported 22 critical issues in various folders (themes, plugins, uploads) – even in/wp-content/plugins/wordfence/!
For all files the same diagnosis:
“The text we found in this file that matches a known malicious file is: “\x00″. The infection type is: Javascript code indicative of malware.”
I hope this could have been caused by OPcache activation and is not harmful?
Hi. I received a warning from Google Adwords yesterday that my WordPress website contains ‘malicious or unwanted software’, and therefore my Google Ads can’t run. I’ve run loads of free diagnostics and nothing is coming up. I’ve also run Wordfence, which has come up with 93 issues, no errors. If I upgrade to your Site Cleaning Service, is it guaranteed to solve this Google Ads issue please? Also, is the site clean-up done manually? Thanks.
Google has suspended my ads and i have used Anti-Malware from GOTMLS.NE to scan but still in vain, kindly help me remove them
http://defpush.com/ntfc.php?p=1567928
http://deloton.com/apu.php?zoneid=1482214
http://go.mobisla.com/notice.php?p=1482216&interactive=1&pushup=1
http://go.oclasrv.com/apu.php?zoneid=1482214
http://mobpushup.com/notice.php?p=1482216&interactive=1&pushup=1
Hello, i made my first website for a client and everything went smooth the first few days but then Adwords gave a message that it was infected. I have removed all malware in the scripts. Removed the folders which was made by the malware in the root, i used Anti-Malware Security and Brute-Force Firewall, and it found some changes in the theme and i let it fix it. But after several attemps to get the site reapproved from google they keep finding these links (reply from google):
“The latest (within the last hour) index had this potentially dangerous links:
http://defpush.com/ntfc.php?p=1551098
http://deloton.com/apu.php?zoneid=1505696
http://go.mobisla.com/notice.php?p=1505697&interactive=1&pushup=1
http://go.oclasrv.com/apu.php?zoneid=1505696
http://mobpushup.com/notice.php?p=1505697&interactive=1&pushup=1
I keep searching but cant Seem to find any of these links manually or with any malware checker. What to do next?
If this info helps, i think the malware came through my FTP-client ”FileZilla” which i have removed, and changed my FTP password.
I looked through a lot of the posts in this forum which helped me remove the malware, but google keeps finding these links..
Thanks for kind of help.
Hi
A lot of our Customers running older Versions of WordPress (4.7.x and 4.8.x) are having modified Files, especially index.php and wp-config.php. In the first Line of that Files, a pattern similar to the following one can be found:
<?php $ehvmxbm = ‘% x27Y%6<.msv`ftsbqA7>q%6< x7fw6* ….. (about 6000 Bytes more)
What kind of Malware is that? And can it be fixed by upgrading to 4.9.4. Or is a complete Reinstall advised?
Thanks for all help.
Should be banned from the WordPress plugins for the malware and redirects.
Don’t use this plugin.
Hello, i have the problem that my blog’s posts redirect to a spammy webpage. I was lucky to get a capture of the exact moment when the page was redirected and got the link of the SPAM PAGE: [spam URL removed] I’ve been all day trying to solve it and i’ve read lot of people with the same issue and solved it, others don’t (like me) in too many ways. I have the idea that i need to search for that link inside the scripts of the page but it’s crazy because it have a lot of files so i want to know how to do that please? thanks. Please really need help with this 