It looks like that script injects ads.
Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.
Thread Starter
Uthar
(@uthar)
So far all files seem to be clean and the following security plugins are not able to find anything:
Sucuri Security – Auditing, Malware Scanner and Hardening
Quttera Web Malware Scanner
Asgard Security Scanner
No idea where that script is coming from.
Check WordPress’s main index.php file (not your theme’s index.php file).
Thread Starter
Uthar
(@uthar)
That one looks fine:
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define('WP_USE_THEMES', true);
/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );
Ok, try deactivating all plugins. If that resolves the issue, reactivate each one individually until you find the cause.
If that does not resolve the issue, try switching to the Twenty Fifteen theme to rule-out a theme-specific issue.
Thread Starter
Uthar
(@uthar)
Thanks for your help so far James. But the plugins and theme were the first two things I tried (as stated in my first post.)
Another thing I tried was downloading all my data from the website and searching through all the files for the text “simpli.fi” using Notepad++. But that also gave no results.
Andrew Nevins
(@anevins)
WCLDN 2018 Contributor | Volunteer support
Whereabouts in the source code is this code being injected?
Thread Starter
Uthar
(@uthar)
At the bottom of my page, see screenshot below:
http://oi61.tinypic.com/25fli8h.jpg
Also you can find my blog at bots.uthar.nl if that may help in finding this problem.
Thread Starter
Uthar
(@uthar)
I finally found it. A widget to show visitor information from http://whos.amung.us was adding the script.
Andrew Nevins
(@anevins)
WCLDN 2018 Contributor | Volunteer support
I’m glad it’s fixed now.
Thread Starter
Uthar
(@uthar)
Just for future reference and additional information for users with a similar problem. I contacted whos.amung.us and got this reply:
Simpli.fi is not malware, it is a data categorization service used via one of our partners that we will be using to provide more insight into our users' audiences via new stats we are going to provide.
You can of course prevent any third party services from being used via our services by adding the following JavaScript before the widget code:
<script type="text/javascript"> var _wau_opt = {'fbase': 1}; </script>
This will limit some aspects of our stats pages (what is being copied) however everything else will run as expected still.
Hope this helps.
So simpli.fi itself is safe, although it gathers some data.
Finally, simpli.fi is present in a number of malware-infected sites that add ads; I assume those harmful scripts only use simpli.fi to make their ads better target the audience.
Now it is for you to decide whether or not you want to get rid of the simpli.fi script.
Thanks buddy, it solved my problem on http://www.pcgan.com
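Added example (not part of the thread, and not code from WordPress or whos.amung.us): the file search for “simpli.fi” found nothing, and the script turned out to be added by a third-party widget. One way to spot that kind of host is to compare the hosts named in the page's served markup with the hosts the browser actually fetched; the function names, `.example` hostnames and sample data below are constructed, and in a browser the fetched list would come from `performance.getEntriesByType('resource').map(e => e.name)`.

```javascript
// Resolve a URL (absolute, relative or protocol-relative) to its hostname.
function hostOf(url, base) {
  try { return new URL(url, base).hostname; } catch (e) { return null; }
}

// Returns a Map of host -> fetched URLs for hosts that the browser contacted
// but that are neither the site itself nor named in the served markup,
// i.e. hosts pulled in at runtime by some other script.
function findIndirectHosts(pageUrl, markup, fetchedUrls) {
  const pageHost = hostOf(pageUrl);
  const declared = new Set();
  const attr = /\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = attr.exec(markup)) !== null) {
    const h = hostOf(m[1], pageUrl);
    if (h) declared.add(h);
  }
  const indirect = new Map();
  for (const url of fetchedUrls) {
    const h = hostOf(url, pageUrl);
    if (!h || h === pageHost || declared.has(h)) continue;
    if (!indirect.has(h)) indirect.set(h, []);
    indirect.get(h).push(url);
  }
  return indirect;
}

// Constructed sample data (hypothetical hosts, not taken from the thread).
const SAMPLE_PAGE = 'https://blog.example/';
const SAMPLE_MARKUP = `
<link rel="stylesheet" href="/wp-content/themes/t/style.css">
<script src="//widgets.counter.example/w.js"></script>`;
const SAMPLE_FETCHED = [
  'https://blog.example/wp-content/themes/t/style.css',
  'https://widgets.counter.example/w.js',   // declared in the markup
  'https://tags.partner.example/sync.js',   // only requested at runtime
];

for (const [host, urls] of findIndirectHosts(SAMPLE_PAGE, SAMPLE_MARKUP, SAMPLE_FETCHED)) {
  console.log('not in markup:', host, urls);
}
```

A host reported here is a lead, not a verdict: the next step is to find which declared script requested it, for example from the Initiator column of the browser's network panel.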