Two Headers

Are you using a child theme?

Has your site been hacked? Did you really mean to include this code?

<div class=ahq5>Apply here <a href="https://indipaydayloans.com/">payday loans</a> 100% secure</div>

Hey. I am using Organic theme.

No obviously I didn’t mean to include that code, how did it get there and where is it?

Any idea how to remove the 2 headers?

Thanks!

If you didn’t intend to include that code, it’s possible that your site was hacked and the two issues are related.

First thing to try:
Deactivate all plugins, refresh browser and server cache, and see if issue goes away.

Second thing to try:
Try switching to the default 2012 theme to see if issue goes away.

If not, your site may be hacked. The following will be of some use to you:

https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/

Where is the code located that you are seeing this link added? I do not seem to be able to find it.

Thanks!

Here:

<div id="header">

        <div class="headerlogo">
            <h1 id="title"><a href="https://www.grindtherake.com/" title="Home">GrindTheRake</a></title><style>.ahq5{position:absolute;clip:rect(479px,auto,auto,435px);}</style><div class=ahq5>Apply here <a href="https://indipaydayloans.com/">payday loans</a> 100% secure</div><a> </a></h1>
        </div>

    </div>

I see.

Strange I can not find it in my Header inside wordpress

Use your browser’s “View Source” function. It’s not in the core files.

this must be a hack that’s going around, i have it too! ugh. i’m using the “corner” theme and it only shows up when i’m not logged in, if i’m logged in i can’t see it. it’s very annoying.

the hack even shows up on the wp-login.php page, currently trying to find it

okay, one weird thing about it.. if you goto your login page, don’t type anything and then click “log in”, it goes away. but then when i clear my cache it’s back. hmmm. interesting.

@velvetcrayon I had the same kind of issue but somehow I managed to remove that spam link. Just paste your header.php code here, so I can tell you how to remove that spammy link.

No don’t do that. Playing whack-a-mole with spammy links just wastes your time. Honest.

this must be a hack that’s going around

Maybe but most likely it’s either you are hacked or you’re using a poisoned theme and if that’s the case lose it like a bad infection and delete it.

Seriously, if that’s the case then lose that theme.

the hack even shows up on the wp-login.php page, currently trying to find it

Ah. You are hacked then. You’ll need to delouse your whole installation, just editing the header.php file will 100% NOT work.

You need to start working your way through these resources:
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:
https://sitecheck.sucuri.net/scanner/
https://www.unmaskparasites.com/
https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
https://codex.www.ads-software.com/Hardening_WordPress
https://www.studiopress.com/tips/wordpress-site-security.htm

Good luck.

Sorry, removing the link is only going to fool you into thinking the issue is resolved because you can no longer see it.

You need to start working your way through the resources Jan pointed out.

Please note that if you have been hacked, you have a serious problem on your hands and it’s not worth using shortcut answers. If in doubt, consider hiring someone.

HA! I beat Andrew to the reply!

*Drinks more coffee*

@velvetcrayon sorry for the side conversation ?? but the short of it is please check your installation. We think you’re hacked.

I’ve had a client blog hacked by this same exploit – took me quite a while to find it because I was searching the entire file structure for the tell-tale eval or base64_decode functions that these sorts of hacks utilize. Turns out this one was using strrev to hide itself from just those sorts of broad-stroke searches.

In my site it was actually inserted first thing into functions.php – but if you want to search for it just try searching for strrev or )lave and you should suss out the injected code.

Obviously this only solves the code injection, not how it got there – so make sure to update wordpress and change all of your passwords.

—edit—

This hack also appears to add an option to your database – for me the option_name was {options_names} – I found this by de-obfuscating the injected code and tracing through it really quick to check for any other traces it may have left in my install.