Got a small WordPress site I’m working on which so far is working OK apart from this issue. When a user registers it automatically sends an email to the user’s email address asking them to validate a link, however something somewhere is changing the <a href> tag so visibly the link looks fine but when the user clicks it, it has been changed to https://hicffaf.r.bh.d.sendibt3.com/tr/cl/nq7-qfLn9ye0_RD-AEF…
I’ve scanned the website files and found nothing. I checked the logs of the SMTP plugin and they show the email as 100% correct and unaltered. I tried changing the WP SMTP plugin, same issue. Tried changing the SMTP server from Brevo to Mailjet, still the same issue.
I assume something after the SMTP plugin in WordPress or something malicious in Ubuntu is screwing with me.
Any tips on where to start looking appreciated. Sorry for long post.
You should look at the modified date on all PHP files under wp-content.
Look at the most recently dated files.
Look for that URL – but also the infected files may be encoded – it would just look like random garbage.
Disable as many plugins as you can and test – enable them one by one until you find the culprit.
Check the cPanel access logs and see where logins are coming from.
To add, I’m using Ubuntu with Plesk and a free account with Cloudflare. Cheers
Install [GOTMLS](https://wordpress.org/plugins/gotmls/), update definitions, and run a root scan.
I looked up that domain. That looks like a Brevo tracking link used to track clicks in emails. Not hijacked, just a feature.
Just disable email click tracking if that’s the SMTP plugin you’re using.
This changing of the link is done by your email-blast service provider after your site sends the message to them to be delivered to your user. It’s a “feature” — it’s the way they can tell the recipient of the message clicked on the link. You probably can get some sort of percent-click-through report on the Brevo portal, and this is how they gather the data for that report.
I’ve never used Brevo. I know you can disable this sort of thing in SendGrid if you don’t want it.
It’s nothing to do with anything on your server.
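The check the replies describe, as an added example that is not part of the original thread: compare the links in the body logged by the SMTP plugin with the links in the delivered message, and classify each rewrite by whether the new host sits under a known click-tracking domain. The suffix list, function names and both sample bodies are assumptions constructed for illustration; only the sendibt3.com host comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains treated as ESP click-tracking hosts. Only sendibt3.com
# appears in the thread; extend the tuple for your own provider.
TRACKING_SUFFIXES = ("sendibt3.com",)

class _Hrefs(HTMLParser):
    """Collect the href of every <a> tag in document order."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def hrefs(html):
    parser = _Hrefs()
    parser.feed(html)
    parser.close()
    return parser.hrefs

def is_tracking_host(host, suffixes=TRACKING_SUFFIXES):
    # Match on a label boundary so "notsendibt3.com" is not accepted.
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def compare_links(sent_html, delivered_html, suffixes=TRACKING_SUFFIXES):
    """Pair links by position and return (sent, delivered, verdict) tuples."""
    results = []
    for sent, got in zip(hrefs(sent_html), hrefs(delivered_html)):
        if sent == got:
            verdict = "unchanged"
        elif is_tracking_host(urlsplit(got).hostname, suffixes):
            verdict = "rewritten-by-tracking"   # changed after handoff to the ESP
        else:
            verdict = "rewritten-unknown"       # not explained by click tracking
        results.append((sent, got, verdict))
    return results

# Constructed samples: body as logged by the SMTP plugin vs. body as delivered.
SENT = '<a href="https://example.com/verify?key=CONSTRUCTED">https://example.com/verify</a>'
DELIVERED = ('<a href="https://hicffaf.r.bh.d.sendibt3.com/tr/cl/PLACEHOLDER">'
             'https://example.com/verify</a>')

if __name__ == "__main__":
    for row in compare_links(SENT, DELIVERED):
        print(row)
```

A "rewritten-unknown" verdict is the case where the file and log checks suggested earlier in the thread are still worth doing.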