Forum Replies Created

Viewing 15 replies - 1 through 15 (of 28 total)
  • Thread Starter RL

    (@yofazza)

    @wfpeter thanks for the response.

    I managed to get it to work, but I didn’t do anything on the WordFence part.

    The malware is this. Slightly different in the random string part and (obviously) the encoded file path.

    I see it in index.php and wp-config.php first. They are @including different files, where I also see a lot of weird files and folders in the WP installation (in root, wp-includes, wp-content, etc.), where some of them contain similar includes, and others contain completely encoded PHP function(s).

    From the other post, I see this happened for at least two years. I can’t (yet) find any other discussions about it, and I’m not that familiar with WP “news”.

    So, I finally just fixed/cleaned everything that I can see, manually, where at some point WordFence suddenly works by telling me there are still some 20ish files that are either changed or unknown files in core. Sorry, but I really don’t know what I did. This is one of those times when you don’t know what you did or did not do that fixed a problem.

    I finished the cleaning by clicking “delete” and “repair” buttons in WordFence.

    Still monitoring the site now to see if any of the malware returned.

    Thanks!

    • This reply was modified 1 year ago by RL.
    Thread Starter RL

    (@yofazza)

    I know that even the big ones like Google don’t always adhere to the standards, but it’s likely because there are benefits, like backward, or cross-browser, compatibilities.

    What I cannot see, is the benefit Facebook gains from breaking the standards.

    They are using non-standard attributes that nobody else is using, while there is actually a way to make it standards-compliant by using the data-* attribute.

    Reminds me of the old IE, don’t you think?

    Yes you can fix it by CTRL-F’ing (the suspected) theme files for the deprecated functions/classes and replace it accordingly.

    But I 100% agree about the milk and bloatmaster thing.

    Thread Starter RL

    (@yofazza)

    Hi @abzlevelup , I never got a response from Support at your site. I sent 2 messages.

    TEC in our site is currently not upgraded. We’d like to make sure first if the “direct links will/can only open the Default View” is a feature, before doing changes to our customizations to make it work.

    Thank you.

    • This reply was modified 2 years, 1 month ago by RL.
    Thread Starter RL

    (@yofazza)

    Hi @geoffbel thank you for the response.

    I understand that sometimes there are unusually high volumes (or other causes) that prevented the support team from responding in a timely manner.

    Also thank you for the WP Engine page, I didn’t know it’s recommended not to cache those files. I’ll make sure to ask their support to add those files to the cache exclusion.

    Their cache is indeed a bit aggressive so I often have that control panel page opened when doing development on their server. In this specific problem (and also standard procedure for me) I make sure to clear specific cache, or all caches, both on my side and theirs, before deciding that I need to go to the next troubleshooting step.

    Thank you.

    • This reply was modified 2 years, 1 month ago by RL.
    Thread Starter RL

    (@yofazza)

    @tamirat22,

    I was looking to set up SSH access to do that (to make it quicker) when I got a notification from the host:

    https://wpenginestatus.com/incidents/371898

    I did some tests after seeing it and yes 99% chance it is caused by it. I waited and the issue resolved 3 hours ago. Reverted back to PHP 8 and seems like there’s no more problem.

    I’m really sorry for all the trouble.

    Thank you.

    • This reply was modified 2 years, 5 months ago by RL.
    Thread Starter RL

    (@yofazza)

    Hi, I can’t activate WooCommerce.

    Plugin could not be activated because it triggered a fatal error.

    And here’s the error:

    PHP Fatal error: Uncaught TypeError: in_array(): Argument #2 ($haystack) must be of type array, null given in /nas/content/live/undostaging/wp-includes/functions.php:5834\nStack trace:\n#0 /nas/content/live/undostaging/wp-includes/functions.php(5834): in_array('mod_rewrite', NULL, true)\n#1 /nas/content/live/undostaging/wp-admin/includes/misc.php(17): apache_mod_loaded('mod_rewrite', true)\n#2 /nas/content/live/undostaging/wp-admin/includes/misc.php(267): got_mod_rewrite()\n#3 /nas/content/live/undostaging/wp-includes/class-wp-rewrite.php(1874): save_mod_rewrite_rules()\n#4 /nas/content/live/undostaging/wp-includes/class-wp-hook.php(307): WP_Rewrite->flush_rules(true)\n#5 /nas/content/live/undostaging/wp-includes/class-wp-hook.php(331): WP_Hook->apply_filters(NULL, Array)\n#6 /nas/content/live/undostaging/wp-includes/plugin.php(474): WP_Hook->do_action(Array)\n#7 /nas/content/live/undostaging/wp-settings.php(609): do_action('wp_loaded')\n#8 /nas/content/live/undostaging/wp-config.php(128): require_once('/nas/content/li...')\n#9 /nas/content/live/undostaging/wp-load.php(50): require_once('/nas/content/li...')\n#10 /nas/content/live/undostaging/wp-admin/admin-ajax.php(22): require_once('/nas/content/li...')\n#11 {main}\n thrown in /nas/content/live/undostaging/wp-includes/functions.php on line 5834, referer: https://undostaging.wpengine.com/wp-admin/admin-ajax.php?action=tribe_process_async_process_support_test&nonce=9176001791

    Thread Starter RL

    (@yofazza)

    Hi,

    I removed all plugins including the must-use and drop-ins ones, in a staging site:

    https://undostaging.wpengine.com/shop/

    The text tab in wp-admin/plugins.php now reads:

    All (53) | Inactive (53) | Recently Active (2) | Auto-updates Disabled (53)

    Theme also changed to Twenty Twenty-Two.

    WordPress is updated.

    Still, if I click Activate, the error will come up.

    I found out that the errors also came up on some other plugins (but not all).

    Another direction will be very appreciated.

    Thank you.

    • This reply was modified 2 years, 5 months ago by RL.
    Thread Starter RL

    (@yofazza)

    Hello,

    I see, thank you very much to both of you.

    @cacabe this card testing thing isn’t just in WordPress. Basically you have a list of card details. You then verify them by using them to buy something cheap, hoping that the real owner won’t notice if it does get through. You set a bot to mass-test the card details against ecommerce sites.

    Some automated bots might search and “work” on woocommerce checkout pages by themselves, so once you disable the blocking you’ll see them checking out again.

    @wigmore , I currently just modify the first & last name field to match my bot and it effectively stopped them. Before, there were like 100+ checkouts every 10 hours or something, in the past 3 days.

    I’ll let you know if I come up with something else, or if my site is targeted by a smarter bot.

    Ah I see. Okay, I thought it has a set of names in regex or something. I’ll see if I can modify it a little to also catch my specific spam.

    I prefer your simple approach to installing or paying for a large, complex plugin. Too bloated.

    Hi @wigster ,

    Do I have the correct plugin? Only 2 files in my /wp-content/plugins/block-specific-spam-woo-orders

    readme.txt and woo-block-spam-orders.php that only blocks bbbb and abbuzz.com.

    Thread Starter RL

    (@yofazza)

    Hi, I installed it a few days ago and tested reverting the “Allow users to switch editors” to No. I confirm there’re no more problems.

    Thanks!

    Thread Starter RL

    (@yofazza)

    Aah okay, that works!

    Thank you!

    Thread Starter RL

    (@yofazza)

    Hi @juanfra,

    “Enable New RSVP Experience” & “Enable Updated Tickets Experience” tested checked and unchecked, same result.

    Currently both of them are checked.

    • This reply was modified 2 years, 9 months ago by RL.