MarkMadeDesign

Thanks again for tracking that down. It’s a custom theme that’s very simple at first and I don’t have many plugins installed at the moment so I’m confused. I was looking for some added image code earlier when I was troubleshooting and missed over this but it’s nothing in my theme that’s causing that.

Are you sure it’s nothing with the WordPress defaults or the Visual Portfolio causing that? Something w the Gutenberg editor because I rarely ever use that and implementing on this site? Thanks.

Thanks for such a quick response. Unfortunately my site is under development and “hidden” with a Maintenance plugin but I have temporarily taken it down for you to preview the gallery in question (link below).

https://edgedistrictva.com/eat/

If you can’t check it within a couple hours or so, I need to reactivate maintenance and find another way to share. Thanks!

It’s a custom theme that’s actually a child theme pulling from the TwentyTwenty theme. List of active plug-ins below. Thank you!

Advanced Custom Fields
Classic Editor
CoBlocks
Contact Form 7
Select Flamingo
Flamingo
GA Google Analytics
Insert PHP Code Snippet
Maintenance
ReCaptcha v2 for Contact Form 7
s2Member Framework
Sabai Directory
Sabai Google Maps
Shortcodes Ultimate
Slider Revolution
Sucuri Security – Auditing, Malware Scanner and Hardening
UpdraftPlus – Backup/Restore
WordPress Simple HTML Sitemap
WP101 Video Tutorials
Yoast SEO

• This reply was modified 4 years, 2 months ago by MarkMadeDesign.

@wfdave – Hi Dave, sorry to bug you but I wasn’t sure if you found out anything further on this issue. I have a couple sites that had a theme file flagged with this strange occurrence and just want to know if it’s legit or not. Thanks again!

@wfdave – Thank you. Pastebin link below.

https://pastebin.com/afsvQNDP

The random code doesn’t show when hit view file in WF scan, copy and paste but after another scan, still getting flagged.

Thank you @wfdave! I’m going to have this bit of code removed from the footer.php file since we don’t have Google ads running for this client.

Can a hacker use this for anything malicious? Just trying to figure out why / how it got there.

Thanks @orgy-of-life !

When you say “scan” do you mean Wordfence scan and if so, did you simply re-install it back on the site it was deactivated from, with no problems? I did remove this random Matt admin user from the 4 sites I was notified about, with no issues. Just want to get Wordfence back up on the sites so I can scan like normal.

So I came across this topic after the same issue happened to me, but it just happened to me on 4 of my client sites. Same username of “Matt” but slightly different IP from user who posted this (below). I got a Wordfence email saying they signed in as an admin (which they shouldn’t be) and then I got the email saying they deactivated Wordfence.

This is definitely concerning and the one thing I can think of in common with all 4 sites is that they are on a shared server we use to host several sites.

First thing I want to know is:

1. Can I delete the user without expecting any problems?
2. Can I re-install Wordfence without expecting any issues?

Obviously I’m considering some kind of professional malware clean up but unfortunately it’s not on a popular hosting platform like GoDaddy or Bluehost which offers services for malware cleanup.

Any other suggestions? Thanks!

–

A user with username “Matt” who has administrator access signed in to your WordPress site.
User IP: 77.111.247.183
User hostname: 77.111.247.183
User location:

@mplusb – Thank you. So do you know if I install the more recent Final Tiles Gallery lite from the plugins repository, it will conflict with this older paid version I got from Themeforest?

@mplusb – Would it happen to do with the version of the FTG plugin used on this site that’s causing the SSL conversion issues? Is an update or migration to another version possible? I’m using v.3.1.22 from a paid version we bought years ago, but I see the plugin page on Themeforest is closed and not offering updates.

Reason I ask is because I am using the FREE version of this plugin on another site with no problems (v.3.4.17).

Thanks!

Hi @mplusb – Thanks for responding. Unfortunately that did not work, as you can see the link below.

https://hendersoninc.com/portfolio/busch-gardens/

I changed the image size in the FTG settings for the Apollo’s Chariot image, saved, and I see the update image path in the source code but it’s not rendering the “src=” part of the image tag to visually show the image, which the “http” version does.

Any more ideas as to why the img src isn’t rendering? Thanks!

@mplusb – I also tried re-uploading and inserting a new version of the Mach Tower image in this example but it’s still not showing on the secure version of this page.

What’s also odd is that if I try to go into the Final Tiles Gallery settings under the secure version of the WP back end, I get an odd-looking, broken interface unlike the non-secure version. Screenshots attached below. Please also note the older version of this paid plugin in one of these screenshots, in case that has something do with it.

https://cl.ly/13a13ef9f99c
https://cl.ly/1d054f0edede

For my previous post, here’s a screenshot of my attempt to update the image path in the database for an image.

https://cl.ly/305cb4cf5212

Any feedback would be much appreciated as I need to figure out a solution ASAP. Thanks so much!

• This reply was modified 5 years, 5 months ago by MarkMadeDesign.

Hi @mplusb,

Thanks so much for responding. Unfortunately after going into the database, finding those image paths and updating one from the example links I posted earlier (Mach Tower project), it’s still not loading the image on the secure page. After comparing the source code between non-secure and secure page versions, I noticed the secure version is not pulling the second src=”” image path in the image code like the non-secure example below. Just the data-ftg-src=””.

UPDATED
<img class='item' data-ftg-src='https://hendersoninc.com/wp-content/uploads/2016/02/proj-busch-machtower02-400x600.jpg' src='https://hendersoninc.com/wp-content/uploads/2016/02/proj-busch-machtower02-400x600.jpg' />

Any reason for that? Desperately trying not to have to rebuild each gallery (15+) and would much rather revise image paths in the DB instead. Thanks!

• This reply was modified 5 years, 5 months ago by MarkMadeDesign.

Thanks @wfgerald for looking into it. Without hitting “ignore” on all the files I went ahead and updated WP and all outdated plugins on this site, ran a new Wordfence scan and all the flagged files went away. Awesome!

I’ve honestly never used PasteBin before but I gave it a shot. Here’s an example of the wp-adming/js/post.js file.

https://pastebin.com/eWh6nYdx

Got flagged for differences on lines 803-805. If this helps you all, and I should share the the remaining files in question, please let me know. Thanks.