Problem in footer of every WP website since this weekend

  • laurenl

    (@laurenl)


    14 years ago

    My websites were all fine up until today. Now every WP website I run on the same bluehost web hosting has what seems to be malware or hackers coding with text and links pointing to prosoftwarestore.com on/below the footer of all home pages and some websites have this coding on the footer of other pages and blog posts. How do I remove this? I am not a techie – that is why I used the Themes I used to create these websites in the first place.

    For example, see examples of this below the footer of these sites, only 2 of many I run:

    https://www.blackfridayreminder.com
    https://www.internet101media.com/

    I have no idea how to remove this using the FTP or other methods. I know how to get into the FTP but I don’t know what to do when I get there. I have seen other “fixes” posted for these “types” of problems but nothing for my exact problem, even so, I don’t even understand what they are talking about.

    If someone can tell me what to manually do in the FTP, I’ll do it. But I know nothing about exporting data, backing up data or running scripts.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter laurenl

    (@laurenl)

    In addition, I do see the infamous eval(base64_decode string in my index.php (and maybe other) files…but I don’t see any problem with my permalinks, nor do I see any additional “users” other than myself, even in the source code.

    Moderator James Huff

    (@macmanx)

    It’s a code injection attack.

    What happened is that a hacker either compromised an account on the same server as you, or simply opened an account on the same server as you. The hacker than ran a simply script to inject the code in all .php files (like your templates) across the entire server.

    It’s a weakness in most shared hosting setups.

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Thread Starter laurenl

    (@laurenl)

    Thank you! One thing. When I go to change the MySQL user passwords, there is no way to do that without completely deleting the user. Is that what I need to do?

    Moderator James Huff

    (@macmanx)

    I’d check with your hosting provider first, you should be able to change the password.

    ishan001

    (@ishan001)

    Grr! Seems like my sites on Hostgator are also compromised! A major attack on WordPress, I guess.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Problem in footer of every WP website since this weekend’ is closed to new replies.