Support » Fixing WordPress » Entire Site Suddenly in Italics

  • Resolved stacyjuba

    (@stacyjuba)


    Last night when I went to bed, my website was fine, but I just went on it this afternoon and the entire site is in italics. In the past, if a new blog entry posted and I forgot an ’em,’ tag that post and the sidebars and header would be in italics until I fixed the em tag but the rest of the site would be unaffected.

    In this case, the entire site has been changed to italics. All I was doing last night was working on blog posts. I wasn’t working on any widgets or pages.

    I tried trashing the latest posts in case there was something in them that I wasn’t seeing, and I even tried moving the latest draft posts and scheduled posts into the trash, however even doing that didn’t get rid of the italics. I am just not seeing any unclosed em tags. Is there a way to do a search for them or could it be another issue?

    Does anyone have a suggestion? The site is: http://stacyjuba.com/blog/

Viewing 15 replies - 16 through 30 (of 37 total)
  • I doubt that just deleting the script will removed the problem. You have an infected file somewhere.

    One of my clients also had this issue. I found the code in the Header.php file and removed it. I have warned her to change her password into the site and am now checking her GoDaddy account for unauthorized Admins. This is definitely a GoDaddy hack issue. So glad this string was on the forum. Thanks you guys!

    FYI – BTW, the required wordpress update should be done through the GoDaddy site (back up your site before updating and if you have problems updating call the GoDaddy customer service guys – they are great!). It is a legitimate update and doing it through their site makes it easy and relatively safe.

    Oh yeah, there was an additional ADMINISTRATOR shown as a user:

    systemwpadmin
    systemwpadmin@wordpress.org

    I took them down to subscriber so that i can watch them over the next few days. If there is no further activity on their part, I will remove them entirely.

    esmi

    (@esmi)

    Forum Moderator

    Thanks Esmi,

    Deleting the code handled the issue of the italics and the payanydayloan ad that was invisible. There is a java script right after the </div> that also needs to be removed.

    And the email used by the so called systemwpadmin user was a fake one as I tried to send to it and as I expected, it bounced.

    I did not need to further research the issue. But having this string in the forum may solve a lot of people’s problems (just as it did mine) – so thanks to everyone!

    Thank you, Carlanne – I went and looked and I had that same user name there so I removed it.

    I noticed that a lot of you are just simply removing the malicious script in header.php. I would highly recommend you search through all your php files in wp-admin, wp-includes, wp-content and uploads (pretty much all your files). I had found two malicious ones in two different folders.

    Thanks Jay – I am just not sure what to look for. I’m not very tech savvy and I’m afraid of deleting something that is important. How can you tell if a file is malicious? Do you do this from your WordPress dashboard or a host like Go Daddy, and is that something GO Daddy would guide me through over the phone?

    I am not sure if GoDaddy will assist you with that or not. I highly doubt it. You basically have to compare all of the files from a fresh WordPress download to the ones on your server now. Of course, you have to know which files you have uploaded as well.

    If your not familiar with ftp or what to look for, it would be worth hiring someone to clean it up for you or backing up from a previous version before you were infected (GoDaddy can assist you with this). I would also voice your concern with GoDaddy since it seems others that are infected with this also host on GoDaddy.

    At the bare minimum, you should be changing your WordPress, FTP and DB passwords.

    Go Daddy recommended installing these plug ins to scan for infected files:

    Anti Malware
    http://wordpress.org/extend/plugins/gotmls/

    The Sucuri Security
    http://wordpress.org/extend/plugins/sucuri-scanner/

    It found 1 known threat and quarantined it. I think I’m going to talk to the person who helped me set up the website as I want to follow some of the steps for what to do if you’ve been hacked, but some of it is beyond my technical knowledge. Thank you for the help, everyone!

    FYI, I am an admin (as the developer) on all my clients sites. If you are an admin on your site under “Appearances” there is a theme editor. clicking on this will take you to all the .php files of your theme. I then copied a piece of the malicious code:

    [hack link moderated]

    Then I hit Control-F – which is the find command and a box opens into which you can paste the code. Click on each of the files and then highlight or click in the find box where the code is and the find command will check the file for the code. It is intantaneous. You then click the next file (the code is still in the find box), click the box and it searches the file and says no matches found or will highlight the malicious code if it is in there.

    Personally, I cannot possibly take the time to read every line of code in all those files for the many clients I have so this is a quick solution to making sure the code is not embedded in another .php file besides the header. Just a thought for the more daring who are Administrators on their sites.

    Moderator Mark Ratledge

    (@songdogtech)

    Forum Moderator

    @jay and @stacyjuba:

    Read @esmi‘s links above. Simply changing passwords or using plugins will not suffice.

    If you can’t do the work yourself, consider looking for a reputable person to fix it correctly on jobs.wordpress.net or freelancing sites such as Elance. (It’s not a good idea to respond to unsolicited emails from forum users offering to work for you.)

    Moderator Mark Ratledge

    (@songdogtech)

    Forum Moderator

    @carlanne: that is absolutely not a solution and will not fix the root cause of the hack.

    esmi

    (@esmi)

    Forum Moderator

    @carlanne: You are making a very dangerous assumption – namely that the hacker only touched your theme’s code. What about plugins? Or core files? Hacker backdoors masquerading as .jpg files? If you do not de-louse your entire site properly, the hackers will just waltz right back in.

    @songdogtech thanks and I agree. Thats why I recommended this as a starting point

    I noticed that a lot of you are just simply removing the malicious script in header.php. I would highly recommend you search through all your php files in wp-admin, wp-includes, wp-content and uploads (pretty much all your files). I had found two malicious ones in two different folders.

    @carlanne from my experience, your solution will only temporarily work, the injected script will just return. I am just sharing my experience and telling you that I have found malicious files on two different occasions in the folders I listed above.

Viewing 15 replies - 16 through 30 (of 37 total)
  • The topic ‘Entire Site Suddenly in Italics’ is closed to new replies.