Strange URL Changes in WordPress Site

I've got a strange issue going on with a client WordPress site. Adopted and finished it from another developer but can't find any reference in the database or any plugin settings that would appear to be causing this bizarre change.

Site is an e-commerce store and will be humming along fine and then suddenly lose styles, scripts, images. Looking at the source, all URLs are changed from https://www.example.com to https://www.wordpress.example.com (also may be https://www.blog.example.com or https://www.wp.example.com). It is never anything other than one of these three variants.

Going to the proper domain to log in works fine albeit not styled. In admin, the URLs on both WordPress Address and Site Address are not altered (https://www.example.com). Hitting "Save" on settings returns everything to normal.

Scoured DB with phpMyAdmin and other PHP utils searching those domain patterns with no result. Host suggests plugin as likely culprit; however, with no definite "schedule" as to when this happens, turning everything off for possibly days on a live e-store isn't going to be a popular tactic with client. May set up a test server at the same host and strip that down to bones and see.

Odd thing: site has been up for five months, four of them fine. Seems to coincide with end of April around the 4.2 update. Runs WooCommerce for e-store, Gravity Forms, ACF, Yoast SEO as well as The Dashboard, Snapshot, and Google Analytics from WPMUDev. Custom theme but nothing off-the-wall. Everything is current now.

Wondering if anyone had seen any behaviour similar? Thanks in advance for any ideas.

  • Anang
    • New Recruit

    Hi Les

    Welcome to WPMUDEV Community

    It would be great if you could share the URL or even access to the site so I can analyze it in more detail. This is not a common issue, so we need to analyze your site.

    And here's how to give me access to your site using the WPMUDEV Dashboard:
    https://premium.wpmudev.org/manuals/wpmu-dev-dashboard-enabling-staff-login/

    Let me know more info, so I can help you.

    Best Regards

  • Anang
    • New Recruit

    Hi Les

    I know how it feels when it comes to mysterious behaviour.

    And sorry, I can't log in to your website. Could you send me a test user with administrator level for testing purposes? You can send it here:
    https://premium.wpmudev.org/contact/
    Subject: "Attn: Anang"
    - WordPress admin username
    - WordPress admin password
    - login url
    - link back to this thread for reference
    - any other relevant urls
    Select "I have a different question" for your topic - this and the subject line ensure that it gets assigned to me.

    And I had a quick look at the list of your website registrations; there are some sub-sites with subdomains (blog.example.com, wordpress.example.com). Did you create those sub-sites? Also, it would be great if you could give me an example of a page that misbehaves.

    Best Regards

    • Les
      • WPMU DEV Initiate

      @Anang your reply just populated in with this request - strange. I will do up an account and send it over. The misbehaviour is site wide when it occurs (site becomes unstyled / no images) as all reference URIs point to non-existent domain/subdomain configurations. I've attached a screenshot of a piece of the code from the last time it happened. Going into admin > general settings > save (not changing anything) fixes it.

      I have no subdomains configured at the host level so there shouldn't be any reference to them. Not to say the last dev didn't have them and killed them. Where are you finding this information so I can see? Thx.

  • Les
    • WPMU DEV Initiate

    Site URL flipped again overnight, this time (and a new occurrence) to an old domain name from over a year ago. Clearly there are still cross-references in the database somewhere causing at least this one.

    I changed the original URL rename in the config.php file from define Relocate to the two define site name, site url variables as outlined in the Codex. That switched things back around quickly this morning.

    Going to run a couple of different search and replace to the database, one from within and one from MySQL see what happens.

  • Anang
    • New Recruit

    @Les Let me know when you have finished your setup and have set up an account for me to log in to your website. Did you by any chance set up Snapshot or any backup system to auto-restore, by the way? Or maybe on your hosting server?

  • c0d3r
    • Design Lord, Child of Thor

    No, I may have misunderstood the problem,
    but he said that he got the new WordPress from another developer.
    It may be infected with JavaScript code that works in the back end and makes changes to the domains.
    I may just be security savvy, but Google: hi.ru malware
    and you will get the idea.

  • c0d3r
    • Design Lord, Child of Thor

    Sucuri and a lot of AV fail when the file is encoded.
    I did a test: encoded an evil string with base64, and it passed. I don't say this is the problem, but when you are out of options, try it. If you go to the website, click on explorer the data, and you can see some crazy codes.

  • Les
    • WPMU DEV Initiate

    @cod3r I'd replied to you earlier with a thanks for the link and some points, don't see it here in the thread. I'd commented there are some inline scripts showing up that literally say inline_script and are then appended with a serial like inline_script_ca3eab03c487485622 and when clicking on any of these for more info they are 404. Normal for this tool (its own scripts) or something to be suspicious of?

  • Anang
    • New Recruit

    Hi @Les

    I think "inline_script_ca3eab03c487485622" is your inline JavaScript code that is not in any JavaScript file. I suspect this behaviour is because of some malware. I can access your WordPress dashboard; it seems fine to me. Could I have access to your FTP too, to check your WordPress PHP files? Here's where you can send me your credentials:

    https://premium.wpmudev.org/contact/
    Subject: "Attn: Anang"
    - FTP username
    - FTP password
    - FTP host
    - link back to this thread for reference
    - any other relevant urls
    Select "I have a different question" for your topic - this and the subject line ensure that it gets assigned to me.

    And also, could you do a quick analysis of your server's logs? Also, if you find the issue again, copy the .htaccess file to .htaccess.bu (before you save your settings to fix the issue), and after you save your settings, open this file again and compare it with the current .htaccess. Is there a difference?

    Best Regards

  • Les
    • WPMU DEV Initiate

    Hi @Anang

    Just thought I would post a follow-up on this issue. So far site has been stable since I implemented hardcoded site url and home in config. I also removed an existing relocate statement that was in there which I understand is a security issue. Wondering if the relocate was the issue regardless of the two hard-coded urls.

    The site logs didn't show anything with regard to the appended domains other than when logging into wp-admin to fix the issue. There are quite a few hits in there though from "best-seo-offer.com" against the former domain, which is still used for email. Looking back through my records of the project this started at the end of April not only with 4.2 but also when the old domain was brought over to the current host so that the other hosting account could be terminated.

    It is so random, I don't think there is anything to do other than watch for a few weeks and see if the config.php change truly fixed the issue. If it rears up again, I will repost. Just didn't want to leave a thread dangling!
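
Added example, not part of Les's post or of any project's code: the configuration change described in the post above (remove the relocate statement, hard-code home and site URL) expressed as a check over the contents of wp-config.php. WordPress documents `RELOCATE` as a temporary setting that lets wp-login.php rewrite the stored site URL from the incoming request; the sample configs, the `DB_NAME` value and the function names here are constructed for illustration.

```python
import re

# Quoted strings are kept and PHP comments dropped, so '//' inside a URL survives.
TOKEN_RE = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|(/\*.*?\*/|//[^\n]*|#[^\n]*)""",
    re.DOTALL,
)
DEFINE_RE = re.compile(
    r"""\bdefine\s*\(\s*(['"])(?P<name>\w+)\1\s*,\s*(?P<value>.+?)\s*\)\s*;""",
    re.IGNORECASE | re.DOTALL,
)
LITERAL_RE = re.compile(r"""(['"])([^'"$]*)\1""")  # a plain fixed string

def parse_defines(src):
    """Return {constant: raw PHP value} for every active define() call."""
    clean = TOKEN_RE.sub(lambda m: m.group(1) or "", src)
    return {m["name"]: m["value"] for m in DEFINE_RE.finditer(clean)}

def audit_wp_config(src, expected_url):
    """List problems with RELOCATE / WP_HOME / WP_SITEURL in a wp-config.php."""
    defs, findings = parse_defines(src), []
    relocate = defs.get("RELOCATE", "false").strip("'\"").lower()
    if relocate not in ("false", "0", "", "null"):
        findings.append("RELOCATE is enabled: remove it once the move is done")
    for const in ("WP_HOME", "WP_SITEURL"):
        raw = defs.get(const)
        if raw is None:
            findings.append(f"{const} not defined: URL is read from the database")
            continue
        lit = LITERAL_RE.fullmatch(raw)
        if lit is None:
            findings.append(f"{const} is not a fixed string literal: {raw}")
        elif lit.group(2).rstrip("/") != expected_url.rstrip("/"):
            findings.append(f"{const} is {lit.group(2)}, expected {expected_url}")
    return findings

# Constructed sample configs (not taken from the site in this thread).
BEFORE = """<?php
// define('WP_HOME', 'https://www.example.com');  commented out, must be ignored
define('RELOCATE', true);
define('DB_NAME', 'shop');
"""
AFTER = """<?php
define('WP_HOME', 'https://www.example.com');
define('WP_SITEURL', 'https://www.example.com');
/* RELOCATE removed after the move */
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_wp_config(cfg, "https://www.example.com"))
```
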

  • Anang
    • New Recruit

    Hi @Les

    It's a good start for tracking the issue. Just contact us when you get the issue again. Or it would be great if you find the solution (permanently) and then share it here with us.

    Best Regards
