<div>
I can not see that there is any connecteion between WordPress and this page, so possibly scam.<br>As it is on every page, your stylesheets maybe writable and used it to change the content.<br>But not quite easy to say without seeing it.&nbsp;
</div>


<div>
Our website is <a rel="ugc nofollow" target="_blank">www.chaliceuucongregation.org</a>. It is on the main page near the upper right. It is in various places on other pages (the minister says on ALL pages).
</div>


<div>
Did you already fix it? I don't see it anywhere. Though that might be the hack's special way to exclude some specific visitors.<br>Anyway, steps to take:<br><br>change all ISP and hosting related passwords, logging into the cpanel, FTP, etc etc.<br>Restore all web server files. Restore database backup.<br>Update EVERYTHING possible, WP version, plugins etc etc, even the theme used, if there's an update availlable.<br><br>Then it's time to investigate the logs, maybe it will give you a clue on the attack vector. If possible, ask hoster for some extra help. In case the hoster gets flooded with problems, sometimes the attack vector is actually through them.
</div>


<div>
Kimputer,<br><br>Thanks. It is still there for me. It melds in very easily. It is right after the words “a regular spiritual practice” on the home page. It is in the exact red color on the pages.<br><br>I can probably do all you suggest, having trouble contacting the host, Saturday night, etc. My cPanel password does not work, etc.<br><br>Thanks for your inputs.<br><br>Richard
</div>


General Factotum

BillDL

WordPress Dev & WordPress Coach

Alicia St Rose

<div>
Fellow UU here.<br><br>Yes, the site was hacked. Pretty common with Wordpress sites. It often happens due to an insecure Wordpress plugin.<br><br>Do you have a complete backup of all pages? Ideally the site would be wiped, and reloaded clean with updated plugins.
</div>


<div>
I agree with kevinhseih. &nbsp;Any time you get hacked you are always best to delete the entire site, this include removing WordPress completely and then performing a fresh installation. &nbsp;You simply have no way of knowing what else was compromised and other treasures they've left behind, backdoors, ...
</div>


President / Owner CARDA Consultants Inc.

Daniel Pineault

Business Owner / Chief Developer

Richard Korts

<div>
Kevinhseih,<br><br>We have plenty of backups, our hosting company thinks it’s coming from one post.<br><br>Our minister told me this PM that some other UU congregations were experiencing the same issue. We use the UUA template. Seems it might be coming from a plug-in. She asked me to hold off on a restore from a backup. We will certainly change logon credentials for cPanel, WordPress, etc.<br><br>So it’s still up in the air.
</div>


<div>
Unfortunately... CPanel is a common exploit vectors where hackers gain site control.<br />
<br />
I avoid all Panel systems, as they're to permeable to hackers.<br />
<br />
If you're using CPanel, at least install latest version... which of course... will usually crash all your sites, to you figure out what's changed in CPanel... then... accomodate all CPanel changes...<br />
<br />
Just remember, primary focus is to find + fix all the potential ways hackers are accessing your site, else you'll do a cleanse, then shortly thereafter the site will be hacked again.
</div>


<div>
CPanel should only be available on the Internal IPs, not on public facing IPs.<br><br>What version of WordPress do you have? &nbsp;You may need to update to a newer version to remove security hole.<br><br>You likely just have a php script that's producing that code and just need to remove it. &nbsp;These types of hacks don't always need a wipe and replace.
</div>


<div>
To all,<br><br>The Minister removed a plugin &amp; the Bitcoin link is gone.<br><br>So I could say we "found our own solution", but I appreciate all your participation so I will give all of you recognition.<br><br>Richard
</div>


<div>
Be careful, since your site was compromised you have no way of knowing to what extent. &nbsp;You truly should be starting over with a fresh install. &nbsp;Just removing a plugin thought to be the original source does not by any means guarantee your site to be clean/safe in any way.
</div>


Fractional CTO

David Favor

<div>
As @Daniel Pineault mentioned... Just removing a plugin... is likely a flag to the hacker to take down the site in far more drastic ways.<br />
<br />
Tip: Reinstall the plugin immediately (before hacker notices), then fully cleanse the site.<br />
<br />
It's doubtful... removing a plugin... or any other simple measure... will cleanse every site backdoor.
</div>


<div>
Thanks for your comments.<br><br>I have conveyed them to the minister, it is her decision.<br><br>Richard
</div>


<div>
Do you know which plugin it was that has been compromised?<br><br>
</div>


<div>
@Richard, you're correct...<br />
<br />
The customer is always right... even when they're wrong... :-)
</div>


<div>
David Favor,<br><br>The Minister is a micromanager &amp; holds all the details of managing the content &amp; updates of the congregation web site to herself. She only brings me in if there is a problem. You can lead a horse to water but you cannot make it drink.<br><br>I have to try to stay in good stead with her for many reasons that go WAY beyond the web site.<br><br>Richard
</div>


<div>
Yep.<br />
<br />
Hang in there.<br />
<br />
Tip: I never say &quot;No&quot; to any client request.<br />
<br />
I just point out the various options of pain verses full cost (sometimes over years).<br />
<br />
Then kick back with popcorn + watch the show.
</div>


<div>
David,<br><br>Yeah, wish it was that simple.<br><br>I told her the MINIMUM we should do is change the WP login passwords &amp; the cpanel password. No response yet. But Monday is her day off (after Sunday being a work day), she may come around. In fairness to her, she has a lot of things she needs to tend to with some congregants in Hospice care or with other issues.
</div>


<div>
&quot;The Tao of Micromanagers.&quot;<br />
<br />
I tend to... refer this type of client to a competitor, as I know the day will come... when a project circles the drain... usually in the middle of the night or when... the Micromanager is vacationing... and all I can do is watch the project burn to the ground...<br />
<br />
Hang in there!
</div>


<div>
<div class="content wysiwyg-content fr-view">
It appears our congregation website may have been hacked. It's a WordPress site. The words "<a href="https://cryptominded.com/bitcoin-digital-review-legal-or-scam/" rel="ugc">Bitcoin Digital</a>" appear on every page with a link to <a href="https://cryptominded.com/bitcoin-digital-review-legal-or-scam/" rel="ugc">https://cryptominded.com/bitcoin-digital-review-legal-or-scam/</a>.<br><br>Is this a scam &amp; if so how do we get rid of it.?<br><br>Thank you
</div>
</div>



It appears our congregation website may have been hacked. It's a WordPress site. The words "
Bitcoin Digital
" appear on every page with a link to
https://cryptominded.com/bitcoin-digital-review-legal-or-scam/
.
Is this a scam & if so how do we get rid of it.?
Thank you

Website Hacked?

hacked

WordPress is a free and open-source content management system (CMS) based on PHP and MySQL for creating websites and blogs. Features include a plugin architecture, a template system and strong management, customization and search systems; through its dynamic presentation of content, webmasters have the flexibility to create websites easily.