Wordfence Suspect Malware

Help! My Malware Scanner Says I’ve Been Hacked!

If you’re using the Enfold Theme for WordPress, or another theme developed by Kriesi, you’ll want to read this post. Today, around 4pm CST, Wordfence and other WordPress security tools started sending alert messages to site owners using the Enfold theme.  The messages informed them that a file on their site contained a link to suspected malware.

There was an increase in hacking attempts against WordPress sites in 2016, and it looks like 2017 will be no different. Fans of the Mass Effect video game series might feel like they’re struggling to “hold the line.”

Mass Effect Kirrahe Hold the Line

Our influence will stop hackers! In our battle today, we will hold the line!

But fear not! The amazing community of developers working on WordPress is always looking for ways to improve the CMS.

Should I Be Worried?

While it appears a link Kriesi used was hacked, there are no reports of any sites being injected with malware. It appears Kriesi fixed the issue on their end before the alerts even went out, so this is somewhat of a false positive. The file in question is html-helper.class.php, and the link in question can be found on line 726. Since the link sits inside a code comment, it technically isn’t an issue: browsers will not follow the link, so there shouldn’t be any danger to your site. WARNING: DO NOT VISIT THE LINK. NOTHING GOOD WILL COME OF IT!

Malware Link in Enfold Theme File

You can find the suspect link on Line 726. NOTE: DO NOT VISIT THE LINK!

That said, Google does scan sites for known malware and suspicious links. While there aren’t any webmasters reporting malware alerts in Search Console, that doesn’t mean Google won’t start sending out these warnings. There’s no set date for a live update to the theme, so there’s no way to know how long site owners risk receiving an alert from Google. My policy is to err on the side of caution, and fix known issues as quickly as possible.

How to Fix File With Malware URL

Kriesi is releasing a fix in the next theme update, but hasn’t announced a set date for it. If you aren’t worried about the potential for Google picking up the link as malware, you can simply wait for them to push the update live. However, if you would rather not wait and feel comfortable updating your website files via FTP, you can roll out the solution yourself in a few minutes. Note: the following information is provided as educational material. Edit your website files at your own risk, and remember to always keep backups.

First, you’ll need to locate the file in question, html-helper.class.php. You can find it in your Enfold theme folder via the following path: wp-content/themes/enfold/config-templatebuilder/avia-template-builder/php/html-helper.class.php. Once you’ve found this file, make sure you save a backup just in case something goes wrong.

Next, scroll down to line 726, and locate the link, http://www.l***.at/. It should look like this (note: I’m using asterisks to mask the link. Again, nothing good can come of this URL):

//fallback for previous default input link elements: convert a http://www.l***.at value to a manually entry

All you need to do to fix the issue is replace http://www.l***.at/ with http://www.kriesi.at/. The resulting line of code should look like this:

//fallback for previous default input link elements: convert a http://www.kriesi.at value to a manually entry

Finally, once you’ve finished modifying html-helper.class.php, just upload it via FTP and overwrite the existing file. That’s it! If you’re familiar with working on WordPress sites via FTP you should have the problem solved in a few minutes.
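To check a downloaded copy of the file before and after the edit, the following added example (not code from this post or from Kriesi's theme) lists every link to a host you don't trust and says whether it sits in a PHP comment or in live code. The function names and the suspect-example.invalid host are constructed placeholders for the masked link, and the parser assumes a pure-PHP class file with no inline HTML or heredocs.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")

def comment_spans(src):
    """Return (start, end) offsets of //, # and /* */ comments, skipping string literals."""
    spans, i, n = [], 0, len(src)
    while i < n:
        ch = src[i]
        if ch in "'\"":  # string literal: a '//' inside it is not a comment
            j = i + 1
            while j < n and src[j] != ch:
                j += 2 if src[j] == "\\" else 1
            i = j + 1
        elif src.startswith("//", i) or (ch == "#" and not src.startswith("#[", i)):
            j = src.find("\n", i)
            j = n if j == -1 else j
            spans.append((i, j))
            i = j
        elif src.startswith("/*", i):
            j = src.find("*/", i + 2)
            j = n if j == -1 else j + 2
            spans.append((i, j))
            i = j
        else:
            i += 1
    return spans

def audit_links(src, allowed_hosts):
    """Return (line_no, host, in_comment) for each URL whose host is not allowed."""
    spans, findings = comment_spans(src), []
    for m in URL_RE.finditer(src):
        host = (urlsplit(m.group()).hostname or "").lower()
        if host in allowed_hosts or any(host.endswith("." + h) for h in allowed_hosts):
            continue
        line_no = src.count("\n", 0, m.start()) + 1
        in_comment = any(a <= m.start() < b for a, b in spans)
        findings.append((line_no, host, in_comment))
    return findings

# Constructed sample, not the real theme file; hosts are placeholders.
SAMPLE_BEFORE = (
    "<?php\n"
    "class Helper {\n"
    "    //fallback for previous default input link elements: convert a http://www.suspect-example.invalid value\n"
    "    public $docs = 'http://www.kriesi.at/documentation';\n"
    "    public $cdn = \"http://cdn.suspect-example.invalid/x.js\"; // live reference\n"
    "}\n"
)
if __name__ == "__main__":
    for finding in audit_links(SAMPLE_BEFORE, {"kriesi.at"}):
        print(finding)
```

A finding with `in_comment` set to `False` is the case that needs real investigation, since that link is part of code the site executes or outputs rather than a note to developers.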

Contact Chow-Bryant if You Need Help

If you don’t feel comfortable modifying your website files, but still want an early fix, just contact us. We’re happy to help you keep your website secure. A secure internet is a prospering internet.