Found text string added to URL- no page created

What is the name of the domain?

www.xxxx.com/?s=Free+PDF+Quiz+Amazon+-+SOA-C02+-+AWS+Certified+SysOps+Administrator+-+Associate+(SOA-C02)+Fantastic+Pass+Rate+🌎+Search+for+{+SOA-C02+}+and+download+it+for+free+on+➀+www.pdfvce.com+⟘+website+đŸ±SOA-C02+Certification+Exam+Dumps

What is the error number?

No Error Number

What is the error message?

None

What is the issue you’re encountering

Can’t Where to Remove This URL injection, it is a wordpress site

What steps have you taken to resolve the issue?

Searched through files via SFTP, nothing. I was thinking it could be in the htaccess?

What are the steps to reproduce the issue?

none

That’s a standard WordPress search string.

I can’t say what’s behind this weird search query
 but I’m curious why you’d think this has anything to do with Cloudflare at all. Your .htaccess file is something with your host, not Cloudflare.

It is attached to our domain name and shouldn’t be there. It is shown as a page in the Google Search Console. Malicious injection, is just looking for the best way to find and remove.

I’d suggest a fast fix to temporary create a WAF rule to either Block or Challenge any request trying to use the search your WordPress website where URI Query contains s= for everyone.

Double-check and see how you’re passing the string for search (if you’ve codded your theme) and if it’s escaping some strings, trimming, etc.

Furthermore, check the Security → Events if the requests are still coming in.
Track & trace a bit, block by the IP address or user-agent string if you suspect this to be some kind of an attack.

You should be able to see the challenged or blocked event under the Security tab → Events at Cloudflare dashboard for your zone and know exactly which security option was triggered.

Once you find them, click on a particular one to find more details about it (user-agent, IP, HTTP version 
) and create WAF rules according to it for protection.

Obviously your search isn’f filtered if anyone could enter this :thinking:

Consider scanning your WordPress website for any possible malicious code or malware with Malcare, Wordfence, Sucuri or some other plugin for security.
Check comments, posts and pages, users for any unknown.

1 Like

Sorry I wasn’t very specific with my response.

The ?s= is specifically the WordPress search parameter. So blocking this effectively blocks searching on the site.

If you have a small business site with only a handful of pages that doesn’t really need search, this should be an effective solution. But If your site is a blog or a large site for which search is essential, you’re going to get a lot of angry users (if your users are as vocal as mine are :smiley: ).

If you’re letting Google index your site’s internal search results pages (malicious or benign), you’re doing it wrong and you need to fix that.

2 Likes

Great- thanks for the help!

1 Like