Hacked site? Strange text in header (12 posts)

  1. peps2004
    Posted 2 years ago #

    For the last few days, there seems to be this weird Payday loan text showing up in the description field for posts in Google results, on Facebook, etc.

    It somehow looks like this has been inserted into our header. To fix this, is it just a case of removing the section beginning <p class="nemonn"> and ending </p> after bankruptcy?

    If not, what else do I need to fix? Also, is there any way of finding out how this happened? I'm using the latest version of WordPress and all my plugins have been up to date.

    The site is http://youthworkinit.com/blog/ if that helps locate the issue.

    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

  2. WPyogi
    Forum Moderator
    Posted 2 years ago #

  3. nb123
    Posted 2 years ago #

    I have the exact same issue today... hosted on GoDaddy.

  4. WPyogi
    Forum Moderator
    Posted 2 years ago #

    Aw, sorry to hear that - it seems to be a lot of people. Use the resources above and insist that they help you and/or give you a credit. You might also want to consider changing hosts.

  5. nb123
    Posted 2 years ago #

    Thank you. I was curious: did these issues have GoDaddy as the common hosting denominator? I am seriously considering changing the host. Please suggest some good hosts from experience.

  6. WPyogi
    Forum Moderator
    Posted 2 years ago #

    So far as I understand it, some of their servers got hacked -- so then the sites on the servers were also hacked. But I really don't know anything for sure or in detail. But they do seem to have a lot of problems and unhappy customers - just based on what I've seen here.

    I know all of the hosts on this page: http://wordpress.org/hosting/
    are good and support WP well. You could go to their sites and see what you think.

  7. Emily
    Posted 2 years ago #

    See this post for possible help!

    Theme files hacked, link added after body tag

  8. brainstain
    Posted 2 years ago #

    I'm not a GoDaddy fan, even though I have several domains there, but I have this problem too.
    Like said above, it could be a plug-in that got added that allowed the insert of the code.
    I had this problem about 1 month ago, with several sites mentioned in the hacked area, not just the loan links.

    I do SEO, and my software that checks my coding is what found it, oddly enough. So I went digging in my WP editor area, and went one template at a time and searched for the word "loan". I don't remember which template I found it in back then, but just now I found it in the header.php and saw there were several domains hidden in there, not all about loans, when I was just looking for favao diet

    I copied one domain and pasted it into a browser to see the site and who the owner might be to track it, but got a 404 page error. So maybe they got found out, and had to cancel their site.
    To clean it, I was able to delete (and this is just what I did, it worked, but you need to know some HTML and be safe), I deleted the code including from <div> to the end of it </div> and all the loan references and any other domains found in that area.

    It was in the Twenty Eleven theme, but I can't say it was because of the Twenty Eleven theme, it could have been a plugin, but I only have a couple of plugins, so I don't know where it came from, but it's gone now.

  9. goldmember
    Posted 2 years ago #

    Is there any way, or any sort of plugin, that will automatically find these sorts of issues?

    I was very very lucky to have stumbled upon it. I just happened to be looking at the code for something else right there. But it's very rare that I'm looking that closely at the code. And if this appeared somewhere else in the code, and not towards the top of each page, I would have never seen it.

    So I'm hoping for some way to be alerted that it's there as soon as it appears.

    Any ideas? Thanks in advance.

  10. Emily
    Posted 2 years ago #

    I use a plugin called WordFence, which can be set to notify of any changes to the core files, plugins, and themes. I've also used Sucuri Security - SiteCheck Malware Scanner, which you can use for a manual scan of the site. The Sucuri plugin also provides some hardening features which are useful.

    Hope this helps!
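
Added example (not part of any post in this thread, and not Wordfence or Sucuri code): the two checks discussed above written in Python, a hash baseline that flags changed theme files and a keyword search like the manual search for "loan" across templates. The keyword list, the function names and the sample theme in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed keyword list, taken from the spam topics named in this thread.
SPAM_RE = re.compile(r"payday|loan|viagra|levitra|pharmacy", re.I)
EXTS = {".php", ".js", ".html"}

def _templates(root):
    """Yield template files under root in a stable order."""
    return (p for p in sorted(Path(root).rglob("*"))
            if p.is_file() and p.suffix in EXTS)

def snapshot(root):
    """Map each template's relative path to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in _templates(root)}

def changed_files(baseline, current):
    """Return paths added, removed or modified since the baseline."""
    return sorted(k for k in baseline.keys() | current.keys()
                  if baseline.get(k) != current.get(k))

def keyword_hits(root):
    """Return (relative path, line number, keyword) for each spam keyword match."""
    hits = []
    for p in _templates(root):
        lines = p.read_text(errors="replace").splitlines()
        for n, line in enumerate(lines, 1):
            for m in SPAM_RE.finditer(line):
                hits.append((str(p.relative_to(root)), n, m.group().lower()))
    return hits

def demo():
    """Constructed sample theme: baseline it, simulate an injection, re-check."""
    with tempfile.TemporaryDirectory() as d:
        theme = Path(d)
        (theme / "header.php").write_text("<html>\n<body>\n")
        (theme / "footer.php").write_text("</body>\n</html>\n")
        baseline = snapshot(theme)
        # Constructed stand-in for the hidden spam block described in the thread.
        (theme / "header.php").write_text(
            '<html>\n<body>\n<div style="display:none">payday loan example.invalid</div>\n')
        return changed_files(baseline, snapshot(theme)), keyword_hits(theme)

if __name__ == "__main__":
    print(demo())
```

The hash comparison catches an injection even when it uses none of the listed keywords; neither check sees content stored in the WordPress database, and the baseline must be kept somewhere the web server cannot write to.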


  11. dwestjr
    Posted 1 year ago #

    My header file had been hacked 4-5 times over the last 6 months with Canadian pharmacy content "Buy Levitra / Viagra Online", etc.

    I would always DELETE the bad code, then a few months later, it "appeared" again.

    Per Emily's suggestion, I installed the plugin called WordFence, ran a Scan,
    and it found the malicious script code hidden in my database as -


    (all other files were images, this was the only script)

    Steps taken:
    - Allowed WordFence to DELETE the bad code
    - Signed into GoDaddy / Control Panel / FTP File Manager to 'Edit' and verify the 'Critical' issue was resolved, and the malicious code was gone.
    - Ran Scan again, it was "clean" with no issues
    - Changed my WordPress, and Database PWs

    I have researched this error for months, and have seen many comments & concerns with GoDaddy hosting. I know there was a world-wide brute force attack on WordPress a few months ago, and some GoDaddy servers may have been compromised.

    Does anyone have any better hosting recommendations? I'm thinking I need to host my site elsewhere.

    Hope I can save someone else the pain I experienced, and that Wordfence will catch any unauthorized code changes going forward.

    Thanks for the tip Emily.

  12. esmi
    Forum Moderator
    Posted 1 year ago #

Topic Closed

This topic has been closed to new replies.
