You may need a custom plugin for this. I can not think of any other way to do it.
where is that string coming from in the first place?
My guess is it is being added by a plugin and the code is being copied from “View source” or developer tools in the browser. I have seen similar code in posts/pages on some clients websites but my clients did not know where it came from; so I went through and removed it manually for them any time I saw it.
Thread Starter
cryx
(@cryx)
I have spam on my website that looks like this:
<div class="_all_wplink_xxx_xxx"> and a bunch of invisible irrelevant commercial links all over my pages. If I remove it through the CMS it’s back in a few days. I have used a lot of security plugins and other solutions from https://www.cocept.io/blog/development/removing-seo-spam-from-wordpress/
https://aw-snap.info/articles/spam-hack-wordpress.php
But I can’t find any related things on how to remove it. Right now I’m using this CSS code to stop my customers from clicking on the links by mistake:
div[class^='_all_wplink_'],div[class*=' _all_wplink_'] {
visibility: hidden;
display: none;
}
It helps, for now. But the code is still inide my CMS/WYsiwyg and it’s annoying. I should be able to just set to strip all div-tags, of course that’s not very good and could cause other divs to be removed. So I need to be specific to only remove divs containing _all_wplink_.
It sounds like your site has been compromised. First things first, change you passwords for the server and wordpress. Then run the security check over here: https://sitecheck.sucuri.net/. Once you have run the test please share the results with us and we will provide feedback on how to fix this permanently.
Thread Starter
cryx
(@cryx)
I got nothing special. No Malware detected. I don’t think this commercial script even counts as Malware tbh.
Personally, I would not advise WordFence. I have had bad luck with it! The only thing I can think of if you insist that you do not have malware is that a plugin is adding it. Would you provide a full list of the plugins you are using and also tell us the name of your theme?
Thread Starter
cryx
(@cryx)
Yep, I used the wordfence plugin and it just showed me the infected pages and told me to edit them, as I already have countless times but the spam comes back in a few days. One thing I’ve noticed though is that the spam always comes from my client’s main account, because in the version history I find this:
Version of client’s name
3 days ago (11 Jun @ 05:52)
and the content is full of spam.
I’ve told him to do a full virus and malware scan on his home computer which he says he have done, so I guess that’s not it. My next thought was maybe that the admin.php file or something is corrupt or hacked on my FTP. Which file in WordPress is handling the edit process for admins? Still I would think Wordfence and similar scans would’ve found anything suspicious if that were the case. I can’t find any suspicios base64_decode or edoced_46esab in any of my files either.
Thread Starter
cryx
(@cryx)
Sure. I am using Neighbourhood theme (bought at theme-forest). Have already asked around at their forum support, but they don’t have a problem with spam.
All the modules:
Query Monitor: av John Blackbourn – 2.11.0
Add Admin CSS: av Scott Reilly – 1.4
All In One WP Security: av Tips and Tricks HQ
Peter Ruhul
Ivy – 4.1.0
Cimy User Extra Fields: av Marco Cimmino – 2.7.1
Contact Form 7: av Takayuki Miyoshi – 4.4.2
Enhanced Text Widget: av Boston Dell-Vandenberg – 1.4.5
Export User Data: av Q Studio – 1.3.1
Force First and Last Name as Display Name: av Stranger Studios – .2
Loco Translate: av Tim Whitlock – 1.5.5
Log Deprecated Notices: av Andrew Nacin – 0.3
Login LockDown: av Michael VanDeMar – v1.6.1
MailChimp for WordPress: av ibericode – 3.1.7
Maintenance: av fruitfulcode – 2.7.1
P3 (Plugin Performance Profiler): av GoDaddy.com – 1.5.3.9
Really Simple CAPTCHA: av Takayuki Miyoshi – 1.9
Remove query strings from static resources: av Your WP Expert – 1.3
Slider Revolution: av ThemePunch – 5.2.5
Simple History: av Pär Thernström – 2.7
Speed Booster Pack: av Tiguan – 2.8
User Role Editor: av Vladimir Garagulya – 4.25.2
W3 Total Cache: av Frederick Townes – 0.9.4.1
Widgets on Pages: av Todd Halfpenny – 0.0.12
WooCommerce – Store Exporter: av Visser Labs – 1.8.6
WooCommerce Klarna Gateway: av WooThemes – 2.0.1 – 2.1.6 finns tillgänglig
WooCommerce Points and Rewards: av WooThemes – 1.5.12
WooCommerce Discount by Roles: av Risto Niinemets – 1.3
WooCommerce Tax Toggle: av raisonon – 1.0.4
WooCommerce: av WooThemes – 2.5.5
WooThemes Helper: av WooThemes – 1.2.4
Wordfence Security: av Wordfence – 6.1.8
WP-Optimize: av Ruhani Rabin – 1.8.9.10
WP Smush: av WPMU DEV – 2.3
Something was definitely compromised based on what you are saying. Make sure that you are using the latest version of your theme. Upload all files manually to the server to be sure none were compromised. Also, look for files that do not look like they belong within your site. Files that were there before the hack may not have been modified and files that were added from the hack or otherwise with malicious code may not get picked up by the malware scans.
I have to say that I have never heard of a plugin call IVY either.. that might be the problem right there!
There is a theme call Ivy (also sold on themeforest) but never heard of a plugin by that name!
I strongly recommend WordFence. In any case, glad it found something.
However, your site is hacked and it needs to be cleaned. Here’s some info.
Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.
If you can’t clean it yourself, both sucuri and wordfence offer a commercial cleaning service.
Thread Starter
cryx
(@cryx)
Yeah I deleted my comment because I realized his name was Peter Ruhul
Ivy for the plugin All In One WP Security. It was the word wrapping that confused me.
