When something goes wrong on your website, it’s difficult to tell whether the problem is due to a technical error or to a malicious action.
Recently, this little set of icons has appeared mysteriously on a couple of client sites. The second social media icon goes to a Russian social media site called vkontakte. The third social media icon also goes to Russian social media. Is it a hack? Is it a bug? How would I know?
What part of the site is being affected?
A closer look shows that each set of icons is positioned after the code for a widget in a child theme sidebar. The screenshot below illustrates a sidebar with 5 widgets. Each widget has its own set of social media icons. Not fun at all! The image on the right shows the social media icons attached to 5 widgets in a thin, left sidebar. This was the result of experimenting with the behavior of the problem.
Besides the unexpected social media icons appearing on the site, a check of the sidebars in one of the site dashboards shows that the original widgets placed in the custom sidebars have disappeared (see screenshot), but the widgets in the default theme sidebar are intact. And, the Content Blocks were untouched. This was not likely something that someone added through the dashboard inadvertently.
One of my clients does most of their own web work, including content and software backup and updates, so when they contacted me with this problem, I could not tie the problem to a specific action. But, for the second client, I do the updates, and the problem appeared right after doing some plugin updates and an update to the Basic theme, so I knew that the problem was in the updates. But, I didn’t know which update was the culprit since both plugins and theme were updated.
What Structures are Involved?
A look at the HTML code showed that the code was inserted after the code for each widget, not as part of the code that creates the widget. This confirmed that the problem was produced by software.
<div class="social_share clearfix">
<a rel="nofollow" class="psb fb" target="_blank" href="http://www.facebook.com/sharer.php?u=http://yourdomainname.com/&t=Home+Page&src=sp" title="Share in Facebook"></a>
<a rel="nofollow" class="psb vk" target="_blank" href="http://vkontakte.ru/share.php?url=http://yourdomainname.youpasteinvisualarts.com/" title="Share in VK"></a>
<a rel="nofollow" class="psb ok" target="_blank" href="https://connect.ok.ru/offer?url=http://yourdomainname..com/&title=Home+Page" title="Share in OK"></a>
<a rel="nofollow" class="psb gp" target="_blank" href="https://plus.google.com/share?url=http://yourdomainname..com/" title="Share in Google+"></a>
<a rel="nofollow" class="psb tw" target="_blank" href="http://twitter.com/share?url=http://yourdomainname..com/&text=Home+Page" title="Share in Twitter"></a>
</div>
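An added example (not part of the original post or of the theme's code): a small Python audit that parses a rendered page, lists links to hosts other than the site's own that are not on an allowlist, and reports the class of the element wrapping them. The site host example.test, the allowlist and the sample markup are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}

class OutboundLinkAudit(HTMLParser):
    """Count off-site link hosts together with the class of their nearest classed ancestor."""

    def __init__(self, site_host, allowed_hosts):
        super().__init__()
        self.site_host, self.allowed = site_host, set(allowed_hosts)
        self.stack = []            # (tag, class attribute) of currently open elements
        self.findings = Counter()  # (host, container class) -> occurrences

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            host = urlparse(attrs.get("href") or "").hostname or ""
            if host and host != self.site_host and host not in self.allowed:
                # The nearest ancestor carrying a class names the component that printed the link.
                container = next((c for _, c in reversed(self.stack) if c), "(no class)")
                self.findings[(host, container)] += 1
        if tag not in VOID:
            self.stack.append((tag, attrs.get("class") or ""))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed elements in sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html, site_host, allowed_hosts=()):
    parser = OutboundLinkAudit(site_host, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: two widgets, each followed by the unexpected share block.
SHARE = ('<div class="social_share clearfix">'
         '<a class="psb fb" href="http://www.facebook.com/sharer.php?u=http://example.test/"></a>'
         '<a class="psb vk" href="http://vkontakte.ru/share.php?url=http://example.test/"></a>'
         '<a class="psb ok" href="https://connect.ok.ru/offer?url=http://example.test/"></a></div>')
SAMPLE = ('<aside class="sidebar"><div class="widget widget_search"><form><input name="s"></form></div>'
          + SHARE + '<div class="widget widget_text"><a href="http://example.test/contact/">Contact</a></div>'
          + SHARE + '</aside>')

if __name__ == "__main__":
    for (host, container), n in audit(SAMPLE, "example.test", {"www.facebook.com"}).items():
        print(f"{n} x {host} inside .{container}")
```

The container class it reports (here social_share) is the string to search for in the theme and plugin directories to find which component prints the markup.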
It doesn’t seem that the Content Blocks that had been assigned to the Sidebars were affected. The connection between the Content Block Widget and the Sidebars was broken. So, I tested this idea by adding a Search widget to the Left Photo Sidebar and sure enough, it picked up the rogue social media set. That means that the problem is in the function that connects the widgets to the sidebars.
We can test whether this problem only affects sites using the Basic Theme by switching to a fallback theme. I always leave one WordPress default theme installed. In this case, the fallback theme was Twenty Sixteen. When I made Twenty Sixteen the active theme, all the social media links disappeared from the site. That lets me know that it’s a problem with the Basic theme. But, I still don’t know whether the theme is hacked or has a bug. The logical place to go is the Basic theme support forum on WordPress.org.
The Theme Author responded to my question in their support forum within an hour. There is a bit of a language barrier, but over the course of the conversation, they have responded almost once a day. Their prompt response let me know that it is a bug, not a hack. But, the solution they finally proposed is not feasible, and we could not wait for 4 days with those social media icons on the sites. And, in the interim, the problem got worse, but I found other solutions.
The Problem Gets Worse
Once we identified that the rogue social media icons were connected with the sidebars, the first client removed all the widgets from the sidebars and the social media icons were no longer showing on the site. Since there were only two widgets on that side, the effect was not catastrophic, but it did take out the phone number from the banner.
On the second client site, when all the widgets in the custom sidebars disappeared on their own (see screenshot above), it had a bigger effect on the site. Besides affecting the footer, it affected those inside pages that had a custom left column sidebar. Some of the pages had a right column, which was the theme’s default sidebar. Those widgets were not affected.
Following through with the theme technical support, it seems like the theme writer was grabbing at the simplest possible solution, instead of really looking at the problem. Their reply, “unfortunately, the Content Blocks plugin wasn’t tested for compatibility with the Basic theme.” overlooked the fact that it wasn’t only the Content Blocks that were affected, but the default WordPress widgets, such as Search, too. They didn’t really delve into debugging the problem.
Finding a Solution
Since my client sites were affected, I went ahead and found solutions that solved the problem. The solutions were different for the two sites.
SITE 1: Updated every time an update is available. The problem showed up on an update to version 1.3.9.
SITE 2: Updated regularly, but not on every theme and plugin update release.
Site 2 was easier to fix. I set the Social share buttons after post to hide and checked the Hide share buttons on static pages. This would not have fixed the problem if they had actually wanted the social media buttons to show at the bottom of each post, as was the theme writers’ intention. But, for my client’s purposes, it is a fix.
This solution did not work for Site 1. In this case, the WordPress site with the Basic theme is a temporary fix while a more comprehensive, corporate site is being built. That gives us more wiggle room for duct tape and baling twine type fixes. Also, the site manager is very competent and can learn new skills without being traumatized. So, I chose a hard-coded solution. That is, I had created custom layers to match their formatting, so the fix was to replace the code that calls the sidebar – dynamic_sidebar() – with the actual text. Not so easy to update, but easier than trying to recode for the theme error.
Is There a Simple Code Solution in the Theme or the WordPress Core?
The theme writers did not address the fact that the problem seemed to affect all widgets, as I found with my test of the WordPress core Search widget. In any case, their last reply was: try check in widget ‘Do not apply content filters’ http://prntscr.com/lqm4lz . This solution addresses the issue with Content Blocks because then the Content Blocks do not process the function in the Basic Theme that adds the social media icons. It was proactive of the folks who wrote the Content Block plugin to consider the fact that theme functions might potentially cause problems with their plugin.
The question remains whether the Basic Theme writers have a responsibility to not allow their social media code to affect post types that are not ‘post’ or ‘page’.