WordPress.org

Forums

Suspect malicious script injection - three blank lines at top of HTML (13 posts)

  1. Andrew Areoff
    Member
    Posted 2 years ago #

    I suspect someone has injected a malicious script into my website and is using it to send out spam emails.

    I spoke to my hosting company and they alerted me to three blank lines at the top of my HTML output - they said this could point to a script having been placed on my website.

    Can anyone help with a) the best way to check if my site has been compromised b) how best to fix it c) If the blank lines at the top of the HTML output do indeed suggest that my site has been hacked.

  2. esmi
    Forum Moderator
    Posted 2 years ago #

  3. Andrew Areoff
    Member
    Posted 2 years ago #

    Thanks for these resources. I checked the site with : http://sitecheck.sucuri.net/scanner/ and this said the site was clean.

    I have WSD Security Scanner plugin on the site but that doesn't really tell me much so I installed Better WP Security plugin - can anybody recommend a good security plugin that might help detect any issues/prevent future problems?

    Thanks
    Andrew

  4. Security based plugins are not a bad idea (I don't use them myself) but that list of additional resources as well as the Hardening WordPress link are good starting points.

    Your best defense will be best practices as well as educating yourself about the risks and mitigations for your installation.

  5. Andrew Areoff
    Member
    Posted 2 years ago #

    Thanks Jan - you are right.

    Is there a manual way I can check if there is a malicious script in place and what's causing the three blank lines of HTML output at the top of my site?

    I've checked the header.php file and the code there starts on line 1.

  6. esmi
    Forum Moderator
    Posted 2 years ago #

    These lines may have injected into one of the WordPress core files.

  7. Andrew Areoff
    Member
    Posted 2 years ago #

    Does that mean a malicious script of just spacing in one of the wordpress core files?

  8. Andrew Areoff
    Member
    Posted 2 years ago #

    I just installed Theme Authenticity Tracker plugin and it flagged this up:

    [Base64 code removed.]

    It's on the WP Skeleton Theme and it is present in their original theme which I just checked.

    Is this anything to worry about? I've been looking this up and some people are saying it can be used to launch malicious scripts!

  9. esmi
    Forum Moderator
    Posted 2 years ago #

    It does look like you've been hacked. Please follow the advice at the pages listed above.

  10. Andrew Areoff
    Member
    Posted 2 years ago #

    But this code is in the original theme that is downloaded from the Skeleton WP theme website from simplethemes.com

  11. esmi
    Forum Moderator
    Posted 2 years ago #

    I would strongly recommend that you read this article and get rid of that theme asap.

  12. Andrew
    Nuh uh moderator
    Posted 2 years ago #

    Otherwise contact your theme's vendors for support.

Topic Closed

This topic has been closed to new replies.

About this Topic