g0tr00t

I think you have to contact their email address from the plugin instead of the live chat

@bigbabol1981 Hi. Do you run ads on your website? There’s an ad using the following styling:

<img style="width: 0; height: 0; display: none; visibility: hidden;

This is what is causing the warning.

@monclee Sorry you experienced that! I will reach out to Sucuri and see if details on removal can be added to their support page for the plugin here: https://sucuri.net/guides/how-to-use-the-wordpress-security-plugin/

Thanks!

@mapo85 That’s okay, just “Mark as Fixed” from the dropdown for licenza.html.

@mapo85 That one is safe to delete too ??

@mapo85 The php_errorlogs are safe to delete, but I do not know the contents of licenza.html so you would need to inspect it and determine if it is safe or needed by your website.

@monclee You don’t receive any error like:

Error: The password you entered for the username admin is incorrect. Lost your password?

If not, what happens when you press “Log In”?

@monclee What error do you get when trying to log in through wp-admin after renaming the /wp-content/plugins/sucuri-scanner/ directory?

@mapo85 ver.php shouldn’t exist by default for the WordPress installation, so I would back it up and remove it.

Yes, for index.php and wp-setting.php you just need to click the checkbox and then select “Mark as Fixed” from the menu at the bottom, click the confirmation checkbox, then click the green “Submit” button.

@mapo85 Thanks!

For index.php and wp-settings.php, you can just copy the correct code from WordPress: https://core.svn.www.ads-software.com/tags/5.4.2/

The ver.php and wordfence-waf.php were not found in standard locations and may be infected as well.

If you do not use user.ini files for PHP settings – then you should be able to safely delete those two user.ini files (I suggest backing up everything before making any of these changes)

@mapo85 Sorry for the delay.

Can you show the actual core file names that are reported as modified and the contents if possible?

Also, what signs did you see that told you the website was hacked? There could be a backdoor within the database that is being used and so restoring just the files wouldn’t remove it and the attacker could again modify the core files.

@mapo85 Can you take a screenshot of what it says was modified? I believe technically they were modified if you restored the files, so as long as they don’t contain any malware then it should be fine to clear the warning.

@cliffyb no a SSL wouldn’t help with this issue ??

@cliffyb It looks like it only triggered the redirect for me for requests using Googlebot user-agent AND a referrer URL from google.com:

#curl -sD – -L -A “Mozilla/5.0 (compatible; Googlebot/2.1; +https://www.google.com/bot.html)” -e “https://google.com/images/” “www.handcosteopathy.co.uk”

HTTP/1.1 302 Moved Temporarily
Date: Fri, 22 May 2020 13:37:24 GMT
Server: Apache
X-Powered-By: PHP/5.6.39
Location: https://www.[sneaker spammer instead of your website].com

You can try to find an online website that lets you submit curl requests if you don’t have a terminal setup on your device.

Also, until you resolve the security issue that is being exploited then there is little benefit to gain from cleaning (or attempting) the website – it will just be reinfected until you close the hole.

@itsthea You will need more access privileges in order to be able to clean and secure the website.