Page is acting weird – settings gone + database content deleted

  • Dear support team,

    I have found a strange behavior on my blog pages.

    On two of my plugins the saved settings are disappearing after a few hours.
    profitbuilder
    Insert Html Snippet

    Problems on profitbuilder
    The saved license credentials are gone and only the old prior credentials are stored in the license setting. Even if I store the settings anew, after a few hours those settings are gone and the old settings are saved instead of the new ones.
    Therefore the plugin is not working anymore, which destroys my homepage and other pages which are built with the profitbuilder page editor.
    Screenshot > https://www.screencast.com/t/QWkfBDuzHRk
    Page> https://www.2share.info/

    Problems with Insert Html Snippets
    The setup snippets are gone and cannot be found any more, even in the database. After importing them again via CSV file, those snippets are gone too after a few hours.
    Screenshots
    Database table > https://www.screencast.com/t/pwSJpWa8eKp7
    Page Content missing > https://www.screencast.com/t/K0bqczuat5gF
    Page > https://www.2share.info/products/

    Steps done:
    – updated wordpress
    – updated all plugins
    – scanned for virus impact by using “anti malware” and “wordfence”
    > nothing found

    Still the problem persists of missing content after a few hours.

    I am looking forward to your helpful advice and leave you with my
    best regards, Alex

Viewing 14 replies - 1 through 14 (of 14 total)
  • abletec

    (@abletec)

    Hello, wci, & welcome.

    In looking at your domain via MXToolbox, it appears you’re using Cloudflare. My first thought is to disable cache & see if that helps. I don’t use Cloudflare, I therefore don’t have any idea how to do that. Sorry.

    Database corruption may also be an issue, as may be a site compromise, as sometimes it’s wise to alter Wordfence’s settings to catch more evidence of a hack. Let’s try disabling cache first though & see if it helps.

    Thread Starter wci

    (@wci)

    Hi Abletec,
    I hope you are well and sorry for the late response as the holiday time came to spend with my family.

    I’ve deactivated Cloudflare and repaired the setup of both issues and re-run the scan with anti-malware and wordfence, but I am still getting those issues after a few hours. Do you have any further ideas?

    Best regards, Alex

    Thread Starter wci

    (@wci)

    P.S. I’ve additionally deactivated the plugins
    – Foo_Plugin,
    – easy-noindex-nofollow and
    – Contact Form 7 Datepicker

    I hope this will maybe help too as those were mentioned within the wordfence security report.

    Hi, Alex. First, I hope you had a great holiday w/your family, & that you’re staying well & safe. & wishing you all the best for 2021.

    If I suspect a site compromise, then 1 of the things I do is to scan using Wordfence, w/the following options all checked. You will likely want to uncheck some of these when you’ve finished, so please make note of the options that were initially unchecked so you can go back & uncheck them when the scan is complete.
    * Scan core files against repository versions for changes
    * Scan theme files against repository versions for changes
    * Scan plugin files against repository versions for changes
    * Scan wp-admin and wp-includes for files not bundled with WordPress
    * Scan for signatures of known malicious files
    * Scan file contents for backdoors, trojans and suspicious code
    * Scan file contents for malicious URLs
    * Scan posts for known dangerous URLs and suspicious content
    * Scan comments for known dangerous URLs and suspicious content
    * Scan WordPress core, plugin, and theme options for known dangerous URLs and suspicious content
    * Scan for out of date, abandoned, and vulnerable plugins, themes, and WordPress versions
    * Scan for admin users created outside of WordPress
    * Scan for unauthorized DNS changes
    * Scan files outside your WordPress installation
    * Scan images, binary, and other files as if they were executable.

    Let’s do the Wordfence scan w/those options checked & please include the report in your next reply.

    If the report appears to show no evidence of a site compromise, (that still doesn’t eliminate the possibility, btw), then we’ll move onto addressing the possibility of database corruption.

    Sound like a plan? If so, then let’s rock!

    Thread Starter wci

    (@wci)

    Hi Abletec,
    thanks again for your helping advice. OK let’s proceed…

    Also strange is, each time after the strange thing has happened of missing content, and trying to login to the backend I am getting the info from wordpress to update the database. Screenshot > https://www.screencast.com/t/pWLk2KpL

    My routine is to
    – do the database upgrade
    – re-change authorization key of the profitengine api code (as the old key is activated instead of the new key)
    – re-import “wp_xyz_ihs_short_code” database table settings

    Please find here the wordfence activity log after the scan process
    > https://www.2share.info/?_wfsf=viewActivityLog&nonce=107bf66eac

    Best regards, Alex

    Hey Alex? Your log isn’t viewable–it just redirects to homepage. Could you possibly do a Pastebin or similar? & did you check those Wordfence options I suggested when you did the report?

    Thread Starter wci

    (@wci)

    Hi again,

    I’ve done a new scan and copy/pasted the log into the dropbox as a word file.

    Please use this link to see the log file entries

    Best regards, Alex

    Alex, can you please explain to me why your site url is reported in the Wf log as:
    http://url2768.2share.info
    ? What’s the url2768?

    This is particularly troubling since the url I just queried you about is http://, but when I go to your site, the protocol is https. Looks like you might have 2 database table prefixes in 1 database, & you’re installing your plugs, etc, to the wrong 1?
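
    One way to check the "two table prefixes in one database" theory raised above, as an added example that is not part of the original thread. It assumes MySQL/MariaDB and is run while connected to the site's database; no table names from the site are assumed beyond the standard `<prefix>options` layout.

```sql
-- 1. Each table ending in "_options" that has an option_name column marks
--    one WordPress table prefix living in this database.
SELECT t.TABLE_NAME,
       LEFT(t.TABLE_NAME, CHAR_LENGTH(t.TABLE_NAME) - CHAR_LENGTH('options')) AS prefix,
       t.CREATE_TIME
FROM information_schema.TABLES AS t
JOIN information_schema.COLUMNS AS c
  ON c.TABLE_SCHEMA = t.TABLE_SCHEMA
 AND c.TABLE_NAME   = t.TABLE_NAME
 AND c.COLUMN_NAME  = 'option_name'
WHERE t.TABLE_SCHEMA = DATABASE()
  AND t.TABLE_NAME LIKE '%\_options'
ORDER BY t.TABLE_NAME;

-- 2. Build one UNION ALL statement that reads siteurl and home from every
--    such table, so the URL stored under each prefix can be compared.
SET SESSION group_concat_max_len = 100000;

SELECT GROUP_CONCAT(
         CONCAT('SELECT ''', c.TABLE_NAME, ''' AS options_table, ',
                'CONVERT(option_name USING utf8mb4) AS option_name, ',
                'CONVERT(option_value USING utf8mb4) AS option_value ',
                'FROM `', c.TABLE_NAME, '` ',
                'WHERE option_name IN (''siteurl'', ''home'')')
         SEPARATOR ' UNION ALL ')
INTO @q
FROM information_schema.COLUMNS AS c
WHERE c.TABLE_SCHEMA = DATABASE()
  AND c.TABLE_NAME LIKE '%\_options'
  AND c.COLUMN_NAME = 'option_name';

-- 3. Run the generated statement.
PREPARE stmt FROM @q;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
```

    More than one prefix in step 1, or a `siteurl`/`home` row in step 3 that differs from the address shown in the WordPress settings screen, is worth comparing against `$table_prefix` in wp-config.php. `WP_HOME` and `WP_SITEURL` constants defined in wp-config.php override these database rows, so check that file as well.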

    Thread Starter wci

    (@wci)

    Hi Abletec,

    well I am not 100% sure what you mean.
    In the settings in WP backend the domains are set as
    WP URL: https://www.2share.info
    Site URL: https://www.2share.info

    Domains are forwarded from http:// to https://
    as I am using also the plugin
    https://wordpress.org/plugins/ssl-insecure-content-fixer/

    As all 2share.info domain requests are forwarded to https://www.2share.info
    it seems all is working perfectly.

    Please give me a feedback if that is what you wanted to know or define what you need with more details.

    Have a nice weekend so far.
    BR, Alex

    P.S. within wp-config the DB Prefix setup is:
    $table_prefix = 'wp_';

    • This reply was modified 1 month, 2 weeks ago by wci.

    Alex, when I do a Wordfence log on my site, it starts out like:
    site: https://www.brightstarsweb.com/wordpress

    Yours starts out as:
    site: http://url2768.2share.info/
    so that is what, evidently, your Wordfence views as your site url. This is what I’m asking about. Do you have any insights into this? It surely doesn’t look right to me whatsoever.

    Thread Starter wci

    (@wci)

    Hi again Abletec,

    you are right. The site url: http://url2768.2share.info is strange and I did not set this up in my backend. Also I cannot find any entry in the database of “url2768.2share.info” or “url2768”.

    I am still confused and want to know how we can proceed to solve this.

    Best regards, Alex

    Thread Starter wci

    (@wci)

    Hi Abletec, are you still with me?
    BR, Alex

    Thread Starter wci

    (@wci)

    Dear Abletec,

    Just for info,

    The strange thing is, after a few days the site seems to work unexpectedly properly. I’ve just checked and found the proper site approach.

    The only thing which was suspect is that each time I need to update the database before I log in to the backend. Screenshot: https://www.screencast.com/t/gDlP7nBNta

    I hope this will also help to solve the issue.

    Best regards, Alex

    • This reply was modified 3 weeks, 3 days ago by wci.