Last night we were working on projects and designs when I got a call from a new client saying his WordPress website was down. I mean, we have worked with WordPress for 10 years now, so we know how to fix the problem ourselves. So I went to the website and it was just blank. So it could have been 1 of 2 things: 1) My client installed a new WordPress plugin and it didn’t work, or he updated the WordPress plugins and they aren’t working correctly because of a new line of code somewhere. 2) He updated the WordPress theme and the theme is complaining about all the old plugins that haven’t been updated… But that wasn’t it at all.
I did the usual, which is to disable all the WordPress plugins and see where it leads me. It led me to this complaint: “blah blah, error at this location website/wp-includes/coment.txt”. When did WordPress start using text documents other than error logs to help WordPress function? Also, WordPress has been out for years; pretty sure they know how to spell “comment”! So naturally, like the WordPress malware from last year, I assumed this might be a little bigger than just a plugin issue. So I removed the “coment.txt” file. 3 more complaints showed up, which didn’t make any more sense because, again, why would WordPress use .TXT files? Now there are 3 complaints all pointing to the same new issue: “blah blah, website/wp-includes/template-loader.php: error line 1” (don’t quote me on these error messages too much, I was starting to stress out. ANOTHER VIRUS, REALLY? Thanks 2020!!)
So I took my website’s “template-loader.php” file and compared it to my client’s and noticed that, like the 2019 virus, it rewrote the PHP file. All of it looks the same except for some spaces, but the more important code is the first line, like the complaint said. There was a “require” file code, which means that they turned your WordPress file against you so it had to load the coment.txt file first before loading your template. That also means that the virus / malware code would have to appear on top of the original WordPress code so WordPress would have to read the virus code first…assholes!!
How to Remove this Virus
In your main WordPress directory (DIR), look for your index.php file and make sure there aren’t any files like jindex.php, cindex.php or rindex.php. There should only be one index.php file and it should be spelled index.php. Sample below:
Look for exvtsb.php. This file is also in your main directory; it should be next to the error.txt file. Example below:
In your wp-includes folder, look for “coment.txt” and delete it. (Read about the plugin folder coment.txt file before deleting.)
Look for any TXT files that are gibberish (ex: wdjighf3vjfn.txt or fjgvbdfvjnla234.txt). They are not real WordPress documents. Example below:
Also, look for class-wp-admin_bar.php, please do not mistake it for class-wp-admin-bar.php. The difference is the dash and the underscore. Example below:
Go to wp-includes/template-loader.php and delete the required code “required (‘wp-includes/coment’);”
Go to your plugins folder. I don’t know if this is a legit plugin, but I know no one installed this before, so please delete it. I don’t know what would happen if you try to uninstall it through the admin dashboard, but I recommend deleting the file through the file manager. That way any fail-safes that these files have won’t get activated when you try to uninstall it. Example below:
One more thing…
There might be a “coment.txt” file in your plugins folder. For my client’s website, every time I deleted the file the site would crash. I don’t know why yet. Hopefully, this blog post will help me get more answers as I post it via social media. So what I did to compensate was delete all the code inside that file but leave the blank file as-is. For now, that’s what I’ve got for you till I can find the “required” code for that “coment.txt” file. Again, I found out about this less than 9 hours ago.
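The checks from the steps above, gathered into one read-only scan of a WordPress directory. This is an added example, not code from the original post or from WordPress. The vowel-ratio test for “gibberish” names and the five-line window searched in template-loader.php are assumptions; the file names come from the post.

```python
import os
import re
import sys

# Indicators named in the post. Read-only: this reports findings and deletes nothing.
LOOKALIKE_INDEX = re.compile(r"^.+index\.php$", re.I)  # jindex.php, cindex.php, rindex.php
KNOWN_BAD_NAMES = {"exvtsb.php", "coment.txt", "class-wp-admin_bar.php"}
# An include of "coment" near the top of template-loader.php ("require" or "required").
INJECTED_REQUIRE = re.compile(r"\brequired?(_once)?\s*\(?\s*['\"][^'\"]*coment", re.I)


def looks_random(stem):
    """Assumed heuristic for gibberish names: long, alphanumeric, almost no vowels."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(stem) < 10 or not stem.isalnum() or not letters:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def scan(root):
    """Return sorted (reason, relative_path) findings for a WordPress root directory."""
    findings = []
    for name in os.listdir(root):  # only the main directory should hold index.php
        if LOOKALIKE_INDEX.match(name) and os.path.isfile(os.path.join(root, name)):
            findings.append(("lookalike index.php", name))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            stem, ext = os.path.splitext(name)
            if name.lower() in KNOWN_BAD_NAMES:
                findings.append(("file named in the post", rel))
            elif ext.lower() == ".txt" and looks_random(stem):
                findings.append(("random-looking .txt", rel))
    loader = os.path.join(root, "wp-includes", "template-loader.php")
    if os.path.isfile(loader):
        with open(loader, encoding="utf-8", errors="replace") as fh:
            head = [fh.readline() for _ in range(5)]  # assumed window: first 5 lines
        if any(INJECTED_REQUIRE.search(line) for line in head):
            findings.append(("require of coment in first lines", "wp-includes/template-loader.php"))
    return sorted(findings)


if __name__ == "__main__":
    for reason, path in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}: {path}")
```

Run it against a copy or backup of the site first, and compare anything it flags with a fresh WordPress download before deleting.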
Drawlines Branding & Marketing helps businesses grow via web design and development, social media advertising, and organic SEO, and we also have hosting plans for businesses looking for a more affordable website hosting plan. If you or anyone else has any questions about our website, printing, or design services, you can contact us at info@drawlines.net or on Facebook Messenger at our Facebook page, www.facebook.com/drawlines. If you or anyone you know is looking to have a one-time website cleaning, you can contact us at info@drawlines.net or at 908.543.4785.