barnez

Most likely to be a plugin or theme conflict. Either create a staging site or install the Troubleshooting plugin, and then disable all the plugins and enable a WordPress stock theme (e.g. Twenty Twenty). Check. The issue should now be gone. Next, enable the plugins/theme one by one, checking each time until the issue appears again, which will indicate which plugin/theme is conflicting.

Have you tried testing with all plugins disabled AND a default theme activated (e.g. Twenty-Twenty-Two)?

That sounds like you would be taking on a whole load of risk (broken image links) for a task that falls outside the original request. I would complete the theme update, and then let them know about the folder archiving issue, including the drawbacks of the current structure vs the potential risks and time required to rectify. For a sneak preview you could clone the site, run one of those plugins, and then pass a broken link checker over the site to see how well the plugin performs.

As I understand you, the site load is being slowed by a plugin (Envato kit), as reported by Google pagespeed. When you reset or disable the plugin, then the site breaks. If this summary is correct, then that plugin is necessary.

If you would like to remove the plugin, then create a staging version of site, find out what functionality that plugin is providing, and then either find a more performant plugin to provide it, or remove that functionality.

Or, post a support request in the plugin forum: https://www.ads-software.com/support/plugin/elementskit-lite/

Good luck!

That 6.3.1 is the issue is a red herring. No one is dismissing your efforts to describe or resolve the issue. However, when you have unauthorised access to the account, then you must resolve that as a priority. There will be a vulnerability somewhere. Are all your plugins maintained with regular updates pushed? Are the plugins and theme from trusted sources? Are you using shared hosting, where an infection can come from one of the other 100s of sites hosted on the server? Might there be malware on your local computer? Do you have correct permissions for important files like wp-config.php?

Try and treat this as a learning experience. Scan the site with Wordfence. Work through the resources linked to above. Seek help if you run out of options. Then, when your site is clean, work through this resource: https://www.ads-software.com/documentation/article/hardening-wordpress/

If, on the other hand, you have identified vulnerable code (not behaviour) in WordPress 6.3.1, then you should report that here.

WordPress 6.3.1 is secure. Over 50 million downloads/updates have occurred, with no widespread issues reported such as you have described. The problem is therefore specific to your environment. You’ve been hacked, which is usually due to running outdated or insecure plugins/themes/php or using weak passwords. Work through the resources linked to above, or seek professional help. Good luck!

Try running this plugin: https://www.ads-software.com/plugins/code-profiler/

Code Profiler helps you to measure the performance of your plugins and themes at the PHP level and to quickly find any potential problem in your WordPress installation.

Yes, when I add a new page and check, I can see the CSP in the response header (link). The site is hosted on a Linux server, and the CSP is added via the .htaccess file.

If I add your CSP to the .htaccess file of a test WordPress site (6.2.2) with the Gutenberg editor, when I click on “Add New” in “Page” tab, no error occurs and a new page is opened. The same outcome with “Add New” in the “Post” tab. Do you have any MU plugins installed?

What happens if you disable all plugins and activate a stock WordPress theme (e.g. Twenty-Twenty-Two)?

Try using a tar to zip converter e.g. https://cloudconvert.com/tar-to-zip

Also keep in mind that to fully restore the site, the backup must contain an .sql file for the database.

Try working through this list: https://hoolite.be/wordpress/how-to-fix-scrape-key-check-failed-error-in-wordpress-theme-editor/

Unless you are confident with rummaging around in the control panel and able to notice directories, files or code within files that looks dodgy, then you are going to need some external help.

I’ve not used sitelock, but believe that it is an automated scanner and malware remover that hosts often enter into an agreement with.

My preference would be for a human to look, diagnose, repair, and lock down to prevent future re-infection. Check out the hack repair guy, wp fixit, or wordfence, for example.

Good luck!

The theme is GeneratePress, so try posting in their support forum: https://www.ads-software.com/support/theme/generatepress/

As an aside, you might try setting up an FTP client like Filezilla or WinSCP so you can edit files directly, without the risk of losing access to the WordPress back-end if an error is introduced in a theme/plugin/WordPress file.

Read here about how to set up Flamingo, especially if you use non-standard form tags https://contactform7.com/save-submitted-messages-with-flamingo/