• Resolved smontic


    Hi Support forum.
    This morning I found my site defaced. The redirect took place at the alopoy.com site. I have identified as responsible the extension chapta of ultimate member. disabling it I solved the problem. Someone else with the same problem?
    Any solution?

Viewing 15 replies - 1 through 15 (of 24 total)
  • the same here, have an ultimate member and getting alopoy.com
    but, after stopping alopoy.com for being loaded it doesn’t return.

    Having the same issue. Im not using UM. Any idea how to resolve this issue?

    I have removed the pluggins i installed recently since it started happening.

    I’ve the same problem. I have UM and UM verified users, I disabled them but the issue remains.

    Ok, so i fixed my issue.

    You need to remove a script that has been placed in the header.php file.

    look for src=’https://cdn.eeduelements.com/jquery.js?ver=1.0.8′

    Once i removed this, the problem has gone.
    It seems as if a plugin has placed that code there, seemingly recapture is the issue as its common case for us all at the momoment.

    Hope if helps you guys.


    I had this script twice in my header.php
    even after removing it I still have this redirection…

    Make sure you delete the plugin or code associated with Google Recapture. That seem to be the issue for me. All my sites are back working fine now.
    I had to remove the two lines of code from EVERY site i manage!!!
    But there working now.

    Best of luck bud.

    I had the script twice in the header.php of the theme and 3 files .php in the home of the site with crypted text.
    Unfortunately removing them was useless

    Try installing the plugin Wordfence. This plugin told me exactly what was different and also shown me where the code was. might help you decipher where the issue is for you guys.

    Wordfence found more than 30 file modified with the malicious code! I’ve to open them one by one and correct them :,(

    I hope to solve the issue this time

    EDIT:Now my site is clean, thank you very much joeygam3in0

    • This reply was modified 2 years, 2 months ago by enembro.
    Plugin Support Ultimate Member Support


    Hi @smontic,

    Please make sure to update Ultimate member to the latest 2.0.23 version because it contains very important security fixes. The older version of the plugin had security vulnerability which we’ve fixed in the latest version of the plugin.


    well, my issue is still open and I have the latest version of the plugin…

    Anyone figured out whats causing the Scripts to be placed in the files?

    Mine came back this evening, although i remove the scripts and its working again, it seems there is still something pasting the scripts in.

    I had the same issues last evening and I repaired all files.
    1. Install wordfence and scan for file changes and correct the found parts.
    2.1. look for “eeduelements” in your full wordpress directory: grep -r “eeduelements” /var/www/PATH_TO_WORDPRESS/*
    2.2. look for “0xa8bd” in your full wordpress directory: grep -r “0xa8bd” /var/www/PATH_TO_WORDPRESS/*
    2.3 remove files with found parts or correct the relevant parts inside the files
    3. look for irregular 0777 file or directory permissions and correct them:
    – find /var/www/PATH_TO_WORDPRESS/* -type d -perm 0777
    – find /var/www/PATH_TO_WORDPRESS/* -type f -perm 0777

    the script writes a lot of stuff inside some files and creates some new files and changes file/directory permissions.

    another hint:
    look for new or modified .htaccess files in your wordpress directory and subdirectories

    This is way to complex for me! How am i running those commanndS?

Viewing 15 replies - 1 through 15 (of 24 total)
  • The topic ‘Chapta extension with bug?’ is closed to new replies.