Hi, we have our website with your service and it stopped displaying correctly around 3 PM New York time. It was fine all day earlier. Also, when we tried to login into Wordpress admin, it redirected us to right.trainresister.cc, which of course failed. What happened?
I suggest you use the “Pause Cloudflare on Site” option from the Overview tab for your domain at dash.cloudflare.com. The link is in the lower right corner of that page. Give it five minutes to take effect, then make sure site is working as expected with HTTPS. Only then should you un-pause Cloudflare and double-check your SSL/TLS setting to make sure it’s Full (Strict).
Hi, I did what you suggested, restored our site to a day early and everything returned to normal. Then I turned Cloudflare back on. Now the site works, but it seems when I try to login into Wordpress by going to my site/admin or site/login or site/wp-login.php, I’m redirected to https://right.trainresistor.cc/follow/track?457423/wp-login.php. What happened? Is our site hacked somehow?
When you paused, the site was working with HTTPS?
After I paused, it was NOT working, so we restored from previous day. Our site is small and relatively static, so restoring was reasonable and fast. After restoring, it worked, and so we turned Cloudflare back on.
Sorry, after restoring, we had https.
Make sure your SSL/TLS mode here is set to Full (Strict).
If you’d like more specific suggestions, please post your domain name so we can investigate the redirect.
As it’s a WordPress site, I hope you’re running something like Wordfence for protection. Even their free version is excellent.
We are using Wordfence, but reading online now, there was an exploit between Dec. 7th and Dec. 8th where wordpress.org auto updated fix injected a url redirect. I’m going to try restoring to before dec. 7th now, but you can also check our site https://deltapacificvalve.com Just trying appending login and you will notice a different login screen, then just type in any login and password and you’ll see the redirect. BTW, yes, our SSL/TLS mode is Full (strict).
Do you have a link about that exploit?
The Page Source for your site is full of right.trainresister links. Like a giant search/replace.
The mystery is that if I test against your origin, if it ends in .165, the hostname in your page source is correct.
I bet if you use Dev Mode from the Overview page here, that won’t change anything.
Does your WP-Admin General Settings section have your correct domain in there? Or can you not log in when it’s like this?
For now, I’m stumped as to why your domain name is swapped out in the Page Source.
My next step would be to disable all plugins.
Here’s the link I found at wordpress.org site, answered by someone working for Wordfence
I don’t know how it happened either, other than that the wordpress auto update introduced it.
I’m trying to fix it now.
That’s a PublishPress Capabilities plugin, which I don’t use. Also covered here:
It looks like it’s working correctly now. Did you change something?
I restored to Dec. 5th and also upgraded Wordfence to premium. I checked for rogue plugins, both in wordpress admin and manually at ftp site, but didn’t find any. Changed all passwords and running premium manual scan now. Hopefully this resolves it. Weird thing is we don’t use “PublishPress” plugin, unless it’s some un-shown plugin. So still a mystery.
Mr. Dayman, our site is still down. How do we turn on your copy from Cloudflare in the interim?
Deltavalve is now showing a new WordPress installation screen. Is that intentional?
No. Something we’re still waiting on our Hosting Provider (Network Solutions) to fix.
As I said earlier, Pause Cloudflare until you get a working site.
yes it is paused
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.