Unauthorised alteration to site

The code may have been inserted in your footer. I would check footer.php for something that looks like this (I removed the actual link and text of the link):

<center><a href="******">******</a></center>
<center><a href="******">******</a></center>

I would also carefully follow this guide for a hacked site. When you’re done, you may want to implement some (if not all) of the recommended security measures.

Please let me know if you have any specific questions.

Thank you for the insight. I have a question regarding the footer.php

Is this code situated in the theme options? Because I cannot detect any line containing malicious code.

There are two links under the wrapper div which are wrapped in these tags: <center></center>. The have the links inside them.
You need to upgrade whatever security you have with a security plugin: https://en-ca.www.ads-software.com/plugins/search.php?q=security

In your Dashboard > Left menu go to Appearance > Editor.
On the right side, look for “Theme Footer” – it will have footer.php underneath it.
You should find the code there.
If not, let us know.

I cannot find any bad code. Here are the files i found called “footer.php”
My theme is Virtue Premium if that helps.

Virtue – Premium: footer.php
https://dpaste.de/LRpb

Virtue – Premium: footer.php (templates/footer.php)
https://dpaste.de/Ninf

When using my dev tools, I see them under the bottom of the wrapper.

Go to your site front, right-click and “view source”, scroll to the bottom and you will see the two links just below “</div><!–Wrapper–>”

You can right-click on either of the links and see the html of the code.

Either you or the techs at your host should scour your files for files named promo.php

Does your theme have a place for you to enter scripts at the header or footer of the page? It could be hiding in there too. Since this is a premium theme, you could also try their support forum and see if anybody has any ideas where the content is coming from.

I have recently had my site altered from an unknown source and now I have two links which appear on every page. Is there a way to remove them?

*Looks. Looks again. Sees premium theme at https://kandykids.net/wp-content/themes/virtue_premium/style.css and gets more coffee*

There’s 2 possibilities here. Maybe a third. ??

1. You’re hacked. Possible, but it’s a weird hack that just does that. I mean, just 2 links? That’s am awfully polite hack.

2. You’re using a “nulled” theme, meaning you’ve obtained a “premium” theme from someone else besides that theme author and the thanks you’ve gotten from that site was those 2 links.

Item #2 happens all the time and usually it is not just links you need to worry about. It’s all the really bad things that accompanied that theme that quietly steals your passwords, etc. that you really should be worried about.

Just in case the premium theme is the culprit I am pinging @britner who is the theme author for Virtue. Perhaps there’s a problem with the theme you purchased from that author?

Hearing from the theme author directly may help.

Regarding #2:

I am certain I downloaded the theme from the official page. I cannot see how it could have been hacked unless there is a security hole. I have installed wordfence to help increase security also, it detected a few files which were malicious but the links were still there.

Check your functions.php, in fact it could be any since a hacker could write any code in any file and hook to wp_footer for it to appear in your footer.

It does not necessarily neeed to be footer.php

Can you log into the theme author’s site and download a fresh unvarnished copy? What did the author say when you asked for support?

I cannot see how it could have been hacked unless there is a security hole.

Then it may be option 1. If so them you need to start working your way through these resources:
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:
Hardening WordPress
https://sitecheck.sucuri.net/scanner/
https://www.unmaskparasites.com/
https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
https://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html

Hey,
Theme Author, sorry about the delay. I can assure there are no links in the theme.

You can download a clean copy of the theme here: https://www.kadencethemes.com/my-account/

pacebrian0, If you have the premium you can use the support forums here: https://www.kadencethemes.com/support-forums/forum/virtue-theme/

Kadence Themes

Well, I don’t think this is something theme-related since changing the theme does not remove the links.

I have deleted wp_includes and wp_admin and replaced them with a new files from wordpress. The links are gone, however, I am getting an error regarding defines.php, which I think it is being referenced from wp_config.php.

This is the error:

Warning: include(/home4/mysite/public_html/wp-includes/Text/Diff/defines.php): failed to open stream: No such file or directory in /home4/mysite/public_html/wp-config.php on line 65

Warning: include(): Failed opening '/home4/mysite/public_html/wp-includes/Text/Diff/defines.php' for inclusion (include_path='.:/opt/php54/lib/php') in /home4/mysite/public_html/wp-config.php on line 65

WordPress does not have a defines.php file at that location. This is probably where the attacker left his code. You should edit your wp-config.php file to remove that leftover piece of code.