chris-lightningbase

@davil2008 The only we fix we found was to disable one of the two plugins. I wouldn’t be surprised if some older version combination of Yoast SEO/Subscribe to Comments Reloaded works, because I think they worked together at some point in the past. But that isn’t an ideal fix and isn’t something we’ve tested – it could be something to try temporarily if this is critical for your site though.

Hi @davil2008 @wpkube –

I see it’s been a few days since this was updated, but we had a client that may have been seeing the same problem and got a bit further in identifying it. We were getting PHP memory errors regardless of settings – a 5 GB PHP memory limit wasn’t enough to get the ‘You can also subscribe without commenting.’ link working.

In our client’s case the issue is specifically when the Yoast SEO plugin is active. We were able to reproduce this with a default WP install by installing Subscribe to Comments Reloaded and Yoast SEO. Clicking the link for ‘You can also subscribe without commenting’ caused the page to spin for quite a while before erroring with an out of memory error.

I’m not sure if Daniel here had Yoast SEO installed or if this is something the plugin author can easily troubleshoot, but hopefully this helps.

Awesome, thanks!

We were just noticing this same problem – there have been a couple updates in the last few hours (2.11.2 and 2.11.3: https://github.com/johnbillion/query-monitor/blob/master/changelog.md ) and I think one of these caused this, at least for some installs or possibly just new installations of the plugin.

On the WP instance we’re working on, I’m seeing a fresh install of 2.11.1 work. You can download that here: https://downloads.www.ads-software.com/plugin/query-monitor.2.11.1.zip

This is an issue with a new header Chrome is sending. WooCommerce fixed it in an update, or there are some options for adding code to your functions.php or .htaccess to remove the header – see this thread: https://www.ads-software.com/support/topic/site-broken-in-chrome-ssl-issue/page/3?replies=68

Just a quick update, as we’ve been helping some clients with this as well – if you’re not updating WooCommerce another fix is to add this to the top of your .htaccess:

# BEGIN Resolve Chrome Issue
RequestHeader unset HTTPS
# END Resolve Chrome Issue

The Chrome devs are aware of this issue (it’s causing problems for many sites, not just those using WooCommerce) and I believe it will also be fixed on their end by changing the name of the header in a coming upgrade.

A lot of these reports sound like what we saw as well. For those of you that don’t have revslider on the site, realize that once a hacker has access to a standard hosting account they can access every single site under the account. A better setup is to have these isolated but that’s not how it is often configured.

Also, revslider may exist inside a theme directory. You need to either really dig through things or run a search for rev slider (if you have shell access,
find . -name “revslider” -type d
when in the site’s wp-content directory).

That all assumes revslider is really the root cause, but we’ve looked closely through the logs for one site and I’m pretty sure it was in that instance.

In addition to the other files mentioned in this thread, please check your /wp-content/plugins/cached_data/ folder. I haven’t personally seen a huge number of these attacks, so I don’t know how common it is. But we have seen that folder created, with a back door, mass mailing script, and some other junk in it that needs to be removed.

Was there anything in your /revslider/temp/update_extract/ folder?

The site I’ve seen infected with this was compromised via revslider, or at least that’s how it looks. It was running a very old version, I don’t know at this point if that’s how everyone is infected or if it varies. Revslider can be at /plugins/revslider/ but can also be buried inside of your theme if it includes the slider itself.

I believe the attacker is able to upload a file into /revslider/temp/update_extract/, and then open that file up to compromise the site.

For those of you that are seeing this problem, do you have revslider somewhere on the site? I would take a look at the /revslider/temp/update_extract folder (and the folders inside it) to see if anything looks suspicious. The file we found had an innocuous name, but opening it up was it obfuscated and clearly a malicious file. You can also open up your access logs and see if someone is accessing files that include ‘update_extract’ in the URL.

What error are you seeing? I believe that if you’re getting a warning that “Attackers currently on soaksoak.ru…”, it may resolve itself immediately when the references to soaksoak are removed.

But if you are seeing something like “Attackers currently on yoursite.com…” (using your actual domain name), then you’ll need to submit a malware review request to Google: https://support.google.com/webmasters/answer/163633?rd=1

I’m not sure that’s the difference, but I believe the problem may be that if you’re getting the soaksoak.ru message, Google hasn’t identified your site as problematic, Chrome just sees content from soaksoak.ru, which it knows is bad. But if you’re seeing the message about your site, then Google has determined your domain is regularly serving this content and you need to do the malware removal request.

From what I’ve seen, when this is fixed it immediately removes the warning from Chrome – not sure if that is 100% consistent, but it was in my test (make sure you do a CTRL-F5 hard refresh on your browser or clear your browser cache).

You can also check by running something like a https://webpagetest.org test on your site – look to see if it is loading any content from soaksoak.ru

I’d suggest completely deleting your /wp-admin/ and /wp-includes/ directories and replacing those with fresh copies direct from www.ads-software.com.

A couple other things to look for:

– Do you have revslider installed? Look at the contents of /wp-content/plugins/revslider/temp/update_extract/ – I’ve seen an instance of this being the hack’s source. Removing those files and putting permissions on the /revslider/temp/ folder that prevent it from being modified might be a good idea.

– A folder /wp-content/plugins/cached_data/ – that likely does not belong, and it looks like it may have been where some of the files were placed while the hack was being performed. A bulk mailing script also was sitting in that folder.

I know this is a really delayed response… but for anyone else that runs across this question, I’ve seen this issue due to Mod_Security.

Ask your host if that could be the problem. I believe the rule in question is 950004.

Chris

Glad you found an answer!

Chris

I would try using W3 with the page cache enabled to “disk enhanced.” Disable all other caching options. Some of the settings can cause problems in various hosting environments.

If this is still slowing down your site, total cache is not actually working for some reason. If it makes it better, than you can gradually re-enable the other options until you find the issue.

A couple ideas:

Disable your plugins/theme one at a time until you see the response time improve.

If your hosting allows multiple sites, you could setup a blank site and see if it is slow – if so, there’s probably something wrong with GoDaddy’s server.