starapple

@kushnamdev, thanks for your reply that horrifies me that WordPress allows the installation of plugins without express approval. This opens the door for all sorts of malicious activities.

I have already disabled Optimole and will now completely remove it from my site. I will also remove whatever else might have installed it–if I can identify the culprit plugin. I hope it wasn’t Jetpack.

@greldon7, check out this link. It helped me a lot in solving my problems: https://tools.letsdebug.net/. Use the Let’s Debug link on the page.

• This reply was modified 1 year ago by starapple.

Hi @markwolters, the plugin does create the folder with the file in the default location. However, OpenLiteSpeed and Cyberpanel create the folder and challenge in a different location and possibly sets a map that redirects example.com/.well-known/acme-challenge in the browser bar to a different path on the server. If I chose to access the default location say /path/to/root/html/.well-known/acme-challenge, with Really Simple SSL, I would have to change the OpenLiteSpeed virtual host directive related to Let’s Encrypt.

Bottom line is that I have to confine SSL installation and management to the panel/server rather than involving the plugin for a simple life.

Thanks for your help so far.

• This reply was modified 1 year ago by starapple.
• This reply was modified 1 year ago by starapple.

Hi @markwolters,

Thanks for your response. I had set the directory permission to 755 but as I mentioned to my last reply to @greldon7, it seems RSS is not the problem. In my case, the mapping to the document root seems to differ from the site’s pages and the .well-known location.

RSS did create the folder in the root directory and created the txt file but it seems the Cyberpanel and OpenLiteSpeed combination looks for example.com/.well-known in a different server path.

@greldon7, what web server are you using and any control panel? In my case, the mapping to the document root seems to differ from the site’s pages and the .well-known location.

At any rate, your problem seems to have been solved as I can see your text file by following the link in your post.

• This reply was modified 1 year ago by starapple.
• This reply was modified 1 year ago by starapple.

Thanks for your reply @wpzainab. I am not sure we are talking about the same thing. I was not trying to edit one of my pages. I was trying to customize the pulgin’s page that is shown when the site is being maintained. I was using the Customizer before putting the site in maintenance mode.

When the Customizer opens, the left panel displays but where I assume I should be able to view any changes made, I see a 404 error page. I inserted my own image from the left panel and applied the change but when I click the link to make further changes in the block editor, there is no page to edit.

When I put the site in maintenance mode from the plugin’s set up I do see the page I go to the site as a logged out user.

Anyway, I deactivated the plugin and installed one that gave me more options in controling the text content, although I can’t change their image.

Does anyone know if this malware is targeted only at WordPress sites? It would seem so to me. I have WordFence installed an it made no difference in terms of preventing the hack.

• This reply was modified 1 year, 2 months ago by starapple.

Thanks @sterndata. What made you suspect that the homepages had been compromised?

@sterndata I am guessing that’s a sign of having been hacked? I delete the line and the site loads in the browser.

@sterndata, I see a line at the top of each index file: $O00OO_0_O_=urldecode xxx….

A long encoded line follows that will not be accepted by this form.

Thanks for your suggestion @wfpeter. I will add the reCAPTCHA presently. I believe it is one person working his butt off trying to gain entry because of the frequency of the usernames in each cycle of attacks. They change their IP but give each username a few tries.

I’ll read that article because I ask myself the same question.

Mark.

The latest examples (highlighted) of the same username coming from different supposed countries only seconds apart:

“The last username they tried to sign in with was: ‘Support‘.
“The duration of the lockout is 2 months.
User IP: 13.237.17.8
User hostname:?ec2-13-237-17-8.ap-southeast-2.compute.amazonaws.com
User location: Sydney, New South Wales, Australia“

(2) “The last username they tried to sign in with was: ‘Support‘.
“The duration of the lockout is 2 months.
User IP: 52.66.170.70
User hostname:?ec2-52-66-170-70.ap-south-1.compute.amazonaws.com
User location: Mumbai, India“

And then I get a report about all the IPs blocked by country.

@threadi I’d think it was a solely heredoc problem if I had not had the same problem when I just called the function outside of that context and got no output to the screen and no error message. Remove function getnews() {} and the output prints to the screen.

@ajtatum, It will not work with PHP8. I recently contacted them by email about this and got the folliwing reply three days ago: “We will make the compatibility with PHP 8 in the next update.”

Thanks again @threadi. It was right there in plain sight:

$updated = $wpdb->update( $table, $data, $where );

if ( false === $updated ) {
    // There was an error.
} else {
    // No error. You can check updated to see how many rows were changed.
}