Anti-Malware Admin

Forum Replies Created

Viewing 15 posts - 466 through 480 (of 664 total)
    in reply to: lb_postrender_handler Output Buffers Error #1370

    Anti-Malware Admin
    Key Master

    That kind of code is usually in a plugin or theme. Try deactivating plugins until you don’t see that message any more. If that doesn’t work, try downloading a totally new theme and activate it to see if that gets rid of the message. If neither of those options affects the output buffer message then you could also get the Core Files definition and see if that finds any WP Core files that have been modified.

    in reply to: Find a string of code in my wordpress #1369

    Anti-Malware Admin
    Key Master

    I don’t see that Spam code on your site, did you remove it already?

    If you still see it then please send me a screenshot so I know where to look for it.

    in reply to: Schedule scans #1366

    Anti-Malware Admin
    Key Master

    Thanks, I’m still working on it and I now have two different directions that I’m going in to get a scheduled scan to work. One of them should be ready for testing some time next month.

    in reply to: GOTMLS plugin does not find existing malware. Help! #1362

    Anti-Malware Admin
    Key Master

    Click “Edit” under the Appearance menu in your wp-admin, then find the header link to the right.

    in reply to: GOTMLS plugin does not find existing malware. Help! #1360

    Anti-Malware Admin
    Key Master

    So first of all, Sucuri calls this “MW:BLK:2” but that’s only Sucuri’s generic designation for a link to a blacklisted site. Neither my plugin nor anyone else’s, for that matter, will ever refer to any given threat as Sucuri does with their MW:ABC:123 type names for things.

    What they are picking up on is a link to a JavaScript file in your header, and the only problem with that is that it is loading that file from the remote site stg.odnoklassniki.ru, which Sucuri says is blacklisted. Here is the code they are finding in your header:

    <script type='text/javascript' src='http://stg.odnoklassniki.ru/share/odkl_share.js?ver=4.4'></script>

    To be fair, I am not sure this is actually malicious code. It looks like some kind of share button and the only people who have blacklisted this Russian domain are Sucuri themselves. Just look at all the other security websites that say that domain is clean:

    Domain blacklisted by Sucuri Malware Labs: stg.odnoklassniki.ru
    Domain clean by Google Safe Browsing: stg.odnoklassniki.ru
    Domain clean by Norton Safe Web: stg.odnoklassniki.ru
    Domain clean on Phish tank: stg.odnoklassniki.ru
    Domain clean on the Opera browser: stg.odnoklassniki.ru
    Domain clean by SiteAdvisor: stg.odnoklassniki.ru
    Domain clean on SpamHaus DBL: stg.odnoklassniki.ru
    Domain clean by Bitdefender: stg.odnoklassniki.ru
    Domain clean on Yandex (via Sophos): stg.odnoklassniki.ru
    Domain clean by ESET: stg.odnoklassniki.ru
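
The check described in the reply above (a script tag in the theme header that loads from a remote host) can be reproduced for review purposes. This is an added example, not part of the original post or of the plugin; the site host `example.com` and the sample header are constructed, and only the second script tag comes from the post.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE_HOST = "example.com"  # assumption: the site's own hostname

# Constructed sample header; the second tag is the one quoted in the post.
SAMPLE_HEADER = """<head>
<script type='text/javascript' src='/wp-includes/js/jquery/jquery.js?ver=1.11.3'></script>
<script type='text/javascript' src='http://stg.odnoklassniki.ru/share/odkl_share.js?ver=4.4'></script>
<script type='text/javascript' src='//cdn.example.com/app.js'></script>
<script>var inline = 1;</script>
</head>"""

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:  # inline scripts have no src and are skipped
                self.sources.append(src.strip())

def is_first_party(host, site_host):
    """True for the site host itself and its subdomains."""
    return host == site_host or host.endswith("." + site_host)

def external_scripts(html, site_host=SITE_HOST):
    """Map each third-party host to the script URLs loaded from it."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    found = defaultdict(list)
    for src in parser.sources:
        host = (urlsplit(src).hostname or "").lower()
        # Relative URLs have no host and are served by the site itself.
        if host and not is_first_party(host, site_host):
            found[host].append(src)
    return dict(found)

if __name__ == "__main__":
    for host, urls in external_scripts(SAMPLE_HEADER).items():
        print(host, "->", urls)
```
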

    in reply to: Problem with definition updates #1357

    Anti-Malware Admin
    Key Master

    This might also be a post size limitation. If you cannot figure out what it is on your server that is blocking the manual downloading of the definition updates then you could donate $29 to use the Automatic update method, which cannot be blocked by post limits and it also gives you the Core Files definitions and the Brute-Force Protection.

    in reply to: Still infected #1354

    Anti-Malware Admin
    Key Master

    Actually your site looks clean to me. Those Sucuri results are actually NOT CORRECT. This is a False Positive from Sucuri.net as you can see from their “View Payload” link:
    Hyatt Hotels Payment System Hacked By Credit-Card Stealing Malware

    It looks to me like you wrote an article on your site that mentions this “Hotel Hack” and Sucuri has misinterpreted the words “Hacked By Credit-Card…” as a defacement when it’s really not ;-)

    in reply to: Multiple sites #1350

    Anti-Malware Admin
    Key Master

    Thank you, I’m sorry to hear that you are having so much trouble staying clean. It sounds like you have a lot of sites on a shared hosting server that is not secure enough to keep the hackers out.

    The problem with conventional shared hosting is that if any of those sites has a back-door or a vulnerability on it that lets hackers write files to your server then they will be able to reinfect all your sites on that server as often as they want to. It is extremely hard to track down exactly how they are getting in and plug up every security hole and back-door they open, especially if you have a lot of sites on there. Furthermore, it is possible that they are getting in through a site on someone else’s account that is not even within your power to fix.

    I do offer Super Secure Hosting and I’m sure that would take care of this cross-contamination issue for you. If you would be open to moving your sites to my servers just let me know how many sites you are interested in hosting with me and I’ll let you know what it would entail.

    in reply to: Multiple sites #1346

    Anti-Malware Admin
    Key Master

    I don’t want to market my plugin outside of WordPress right now. I have found that it works best on open-source code. I don’t know anything about xenforo but some non-open-source developers use the same methods to encrypt or obfuscate their code as hackers do, which could lead to a high rate of false positives.

    If you are not sure about the code in xenforo that my plugin has found then you should examine it or even try to decrypt it first to see what it does. If you don’t know what it is or how to do that you can zip it up and send it to me and I’ll take a look at it.

    in reply to: Godaddy plug in error #1345

    Anti-Malware Admin
    Key Master

    That code in the GoDaddy plugin is intentional but also unsafe. They should use passthru not include so that if the images contained PHP code it would not be executed (bad coding on their part).

    You can fix that threat or ignore it, it won’t make any noticeable difference on your site and it won’t affect the HTTPS issue you are having.

    You should make sure your “home” and “siteurl” values in the wp_options table match up with what you have instructed Google to index in your sitemap. Also make sure there are no .htaccess redirects to the site without the HTTPS if you want to use the secure URL.

    in reply to: Malware Plugin grap too much good code #1341

    Anti-Malware Admin
    Key Master

    Which threat was this?

    If you can send me the whole code so I can see what threat it’s finding then I can improve that definition so that it stops grabbing the PHP brackets at the end of the line.

    in reply to: Staff Locked Out #1338

    Anti-Malware Admin
    Key Master

    This is a JavaScript error, but I just checked your site and it is working for me. If it was not just a fluke occurrence and it continues to prevent your staff from logging in then you may want to disable the Brute-Force Login Protection (at least until you can figure out what is causing the JavaScript to break).

    in reply to: Rogue feed keeps appearing #1336

    Anti-Malware Admin
    Key Master

    If you are using caching of any kind that may have resulted in the malicious code appearing on your site long after you had removed it with my plugin.

    In any case it looks like you are all good now. Feel free to contact me again if it comes back, and yes, please donate if you can ;-)

    in reply to: Rogue feed keeps appearing #1334

    Anti-Malware Admin
    Key Master

    It looks like you have already removed the threat from this file. This code looks clean and your site is not showing those malicious links any more.

    Did you use my plugin to remove the infection from the header.php file, or did you remove it manually?

    in reply to: Rogue feed keeps appearing #1332

    Anti-Malware Admin
    Key Master

    You can paste the contents into this forum topic or reply directly to my email. Thanks!
