WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] [closed] Entire Site Suddenly in Italics (38 posts)

  1. stacyjuba
    Member
    Posted 1 year ago #

    Last night when I went to bed, my website was fine, but I just went on it this afternoon and the entire site is in italics. In the past, if a new blog entry posted and I forgot an 'em,' tag that post and the sidebars and header would be in italics until I fixed the em tag but the rest of the site would be unaffected.

    In this case, the entire site has been changed to italics. All I was doing last night was working on blog posts. I wasn't working on any widgets or pages.

    I tried trashing the latest posts in case there was something in them that I wasn't seeing, and I even tried moving the latest draft posts and scheduled posts into the trash, however even doing that didn't get rid of the italics. I am just not seeing any unclosed em tags. Is there a way to do a search for them or could it be another issue?

    Does anyone have a suggestion? The site is: http://stacyjuba.com/blog/

  2. Andrew
    Forum Moderator
    Posted 1 year ago #

    Your missing </i> tag is probably on, "Payday Loans Online" just under the <body> element
    view-source:http://stacyjuba.com/blog/

  3. stacyjuba
    Member
    Posted 1 year ago #

    Hi Andrew, I don't see anything that says Payday Loans online. It shouldn't be there - can you tell me where you're seeing it?

  4. Andrew
    Forum Moderator
    Posted 1 year ago #

    Did you check out that view-source link?
    By your reaction, it sounds as though you've been hacked.

  5. stacyjuba
    Member
    Posted 1 year ago #

    I do see that now - could you direct me to where do I go on my WordPress dashboard to find and delete that code from my dashabord? And if I've been hacked, is there anything I can do to keep them out - change the password? Thanks so much for your help!

  6. ecrip
    Member
    Posted 1 year ago #

    All of my posts suddenly went italic too. Checked source...no problems found.

  7. Andrew
    Forum Moderator
    Posted 1 year ago #

  8. jeremytabby
    Member
    Posted 1 year ago #

    I think so re: hacked..it just happened to me...someone placed this code in my header.php:

    <div id='hideMe'> <p><i> Online Payday Loan Online Payday Loan</div>

    Same problem...when the page assembles, the missing closing italic tag causes the whole page -- and therefore EVERY page - to be italicized.

    Use your editor to take out the offending <div> from header.php, and all should be well.

    It happened suddenly. while I was working on the site. By any chance are you hosted at GoDaddy?

  9. jeremytabby
    Member
    Posted 1 year ago #

    Still wrong, I'm sorry...not using the correct back ticks:

    <div id='hideMe'> <p><i> Online Payday Loan <a href="http://12minpaydayloans.com/">Online Payday Loan</a></div>

  10. stacyjuba
    Member
    Posted 1 year ago #

    Wow I am glad I posted. Yes I am on Go Daddy and that is the code Andrew found. I'll see if I can go get rid of it first then check out the what to do if you've been hacked references - thanks for those, Andrew! So perhaps we should also contact Go Daddy?

  11. Andrew
    Forum Moderator
    Posted 1 year ago #

    Yes, contacting your hosts wouldn't hurt. I'm not sure whether they cover for things like this though.

  12. stacyjuba
    Member
    Posted 1 year ago #

    Thanks so much - it looks like I fixed it - now to do the above steps to keep the idiots from doing any more damage. Thank you again!

  13. Andrew
    Forum Moderator
    Posted 1 year ago #

    And Thank you for contributing to the WordPress community :)
    This thread will help others experiencing the same issue.

  14. ecrip
    Member
    Posted 1 year ago #

    Found a unexpected user on my called systemadmin (something like that). Should have copied the name before I deleted it but I didn't. User was deleted.

    Ran scans: Sucuri & Unmask Parasites. No problems identified.
    Contacted GoDaddy; await reply

    Anyone have more on this text to italics issue?

  15. Andrew
    Forum Moderator
    Posted 1 year ago #

    Sorry ecrip, you'll have to create your own thread on the issue for support.

  16. stacyjuba
    Member
    Posted 1 year ago #

    My update is just that deleting the pay online code worked, and Go Daddy told me there was a required WordPress update in red that needed to be done so they recommended that I do the update.

  17. Jay
    Member
    Posted 1 year ago #

    I doubt that just deleting the script will removed the problem. You have an infected file somewhere.

  18. carlanne
    Member
    Posted 1 year ago #

    One of my clients also had this issue. I found the code in the Header.php file and removed it. I have warned her to change her password into the site and am now checking her GoDaddy account for unauthorized Admins. This is definitely a GoDaddy hack issue. So glad this string was on the forum. Thanks you guys!

    FYI - BTW, the required wordpress update should be done through the GoDaddy site (back up your site before updating and if you have problems updating call the GoDaddy customer service guys - they are great!). It is a legitimate update and doing it through their site makes it easy and relatively safe.

  19. carlanne
    Member
    Posted 1 year ago #

    Oh yeah, there was an additional ADMINISTRATOR shown as a user:

    systemwpadmin
    systemwpadmin@wordpress.org

    I took them down to subscriber so that i can watch them over the next few days. If there is no further activity on their part, I will remove them entirely.

  20. esmi
    Forum Moderator
    Posted 1 year ago #

  21. carlanne
    Member
    Posted 1 year ago #

    Thanks Esmi,

    Deleting the code handled the issue of the italics and the payanydayloan ad that was invisible. There is a java script right after the </div> that also needs to be removed.

    And the email used by the so called systemwpadmin user was a fake one as I tried to send to it and as I expected, it bounced.

    I did not need to further research the issue. But having this string in the forum may solve a lot of people's problems (just as it did mine) - so thanks to everyone!

  22. stacyjuba
    Member
    Posted 1 year ago #

    Thank you, Carlanne - I went and looked and I had that same user name there so I removed it.

  23. Jay
    Member
    Posted 1 year ago #

    I noticed that a lot of you are just simply removing the malicious script in header.php. I would highly recommend you search through all your php files in wp-admin, wp-includes, wp-content and uploads (pretty much all your files). I had found two malicious ones in two different folders.

  24. stacyjuba
    Member
    Posted 1 year ago #

    Thanks Jay - I am just not sure what to look for. I'm not very tech savvy and I'm afraid of deleting something that is important. How can you tell if a file is malicious? Do you do this from your WordPress dashboard or a host like Go Daddy, and is that something GO Daddy would guide me through over the phone?

  25. Jay
    Member
    Posted 1 year ago #

    I am not sure if GoDaddy will assist you with that or not. I highly doubt it. You basically have to compare all of the files from a fresh WordPress download to the ones on your server now. Of course, you have to know which files you have uploaded as well.

    If your not familiar with ftp or what to look for, it would be worth hiring someone to clean it up for you or backing up from a previous version before you were infected (GoDaddy can assist you with this). I would also voice your concern with GoDaddy since it seems others that are infected with this also host on GoDaddy.

    At the bare minimum, you should be changing your WordPress, FTP and DB passwords.

  26. stacyjuba
    Member
    Posted 1 year ago #

    Go Daddy recommended installing these plug ins to scan for infected files:

    Anti Malware
    http://wordpress.org/extend/plugins/gotmls/

    The Sucuri Security
    http://wordpress.org/extend/plugins/sucuri-scanner/

    It found 1 known threat and quarantined it. I think I'm going to talk to the person who helped me set up the website as I want to follow some of the steps for what to do if you've been hacked, but some of it is beyond my technical knowledge. Thank you for the help, everyone!

  27. carlanne
    Member
    Posted 1 year ago #

    FYI, I am an admin (as the developer) on all my clients sites. If you are an admin on your site under "Appearances" there is a theme editor. clicking on this will take you to all the .php files of your theme. I then copied a piece of the malicious code:

    [hack link moderated]

    Then I hit Control-F - which is the find command and a box opens into which you can paste the code. Click on each of the files and then highlight or click in the find box where the code is and the find command will check the file for the code. It is intantaneous. You then click the next file (the code is still in the find box), click the box and it searches the file and says no matches found or will highlight the malicious code if it is in there.

    Personally, I cannot possibly take the time to read every line of code in all those files for the many clients I have so this is a quick solution to making sure the code is not embedded in another .php file besides the header. Just a thought for the more daring who are Administrators on their sites.

  28. @jay and @stacyjuba:

    Read @esmi's links above. Simply changing passwords or using plugins will not suffice.

    If you can't do the work yourself, consider looking for a reputable person to fix it correctly on jobs.wordpress.net or freelancing sites such as Elance. (It's not a good idea to respond to unsolicited emails from forum users offering to work for you.)

  29. @carlanne: that is absolutely not a solution and will not fix the root cause of the hack.

  30. esmi
    Forum Moderator
    Posted 1 year ago #

    @carlanne: You are making a very dangerous assumption - namely that the hacker only touched your theme's code. What about plugins? Or core files? Hacker backdoors masquerading as .jpg files? If you do not de-louse your entire site properly, the hackers will just waltz right back in.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags