Plugin injecting trojan virus into my website

Hi @yard,

I’m sorry you ran into that issue, the virus that gets detected may be from a script that is injected into your site using WPCode.

If a 3rd party gained access to your website and uses WPCode to add the code to the Global Header & Footer area, for example, there’s no way for us to prevent that. The code is not coming from the plugin but from the plugin configuration specific to your website.

I recommend reaching out to your hosting provider and asking them for help to make sure your server was not compromised as sometimes such viruses spread across multiple accounts in shared environments and only your hosting provider can help stop that.

It’s really a virus. I deleted it more than 10 times, but after 1 – 2 days, I found it installed in my plugins list automatically without my knowledge.

is there any simple solution to get rid off from this virus plugin ?

• This reply was modified 11 months, 3 weeks ago by bccfalna.

Hi @bccfalna,

The plugin itself is not a virus but it’s likely that it’s being used by a virus to inject code into your site.

Unfortunately, if the attackers have access to your server in a way that they can install plugins and execute PHP code the only way to fix this issue is to find the source of the attack and remove that – otherwise, each time you clean up it will come back again.

You can find a good starting point to get over this situation in the following articles:

FAQ My site was hacked

https://www.wpbeginner.com/beginners-guide/beginners-step-step-guide-fixing-hacked-wordpress-site/

Only WPCode plugin is installing automatically and nothing happening in site other than auto-reinstallation of this plugin.

How is it possible that the site is hacked. If site were hacked, there must be some kind of misbehavior in other part of the site too. No any auto-post, no any auto-user creation, nothing happening without my knowledge… Only this plugin is being install again and again automatically.

So, the plugin itself is the issue.

Hi @bccfalna,

The attackers are trying to be as discreet as possible so that is why they are not making other changes to your site – the more traffic you get and the longer it takes for you to find the exploit the more they benefit.

The end goal of the attack is likely to inject a code to your site that redirects your users. There’s no need to make any other changes to your site.

The plugin itself has no way to automatically install on your site so you need to find why the plugin is being installed automatically – that’s why I suggested reaching out to your hosting company and asking for their help in cleaning your site and likely other sites that may have been compromised as suggested also in the articles I pointed to in the last reply.

Please try to reach out to the support of your hosting and ask them why WPCode is being installed automatically and if they can help with this.

This plugin installed again without my permission. How can you say that the plugin is not a MALEWARE VIRUS.

It is a VIRUS and it looks like you are intentionally spreading it…

Stop it from your side or tell me the way to GET RID OF from this virus from my side…

Hi @bccfalna,

I’m sorry you are still running into this issue.

We have no way to install the plugin on your site from our end. The plugin is available freely for download on www.remarpro.com like all other plugins on www.remarpro.com so someone is likely abusing it by installing it on your website without your permission.

The only way to stop this from happening is to secure your website and clean up the exploit that is being used for this. This may mean updating old plugins, updating your sever configuration or cleaning up your hosting environment, that is why I suggested contacting your hosting provider and asking for their help with this issue.

Hello @gripgrip

Me and my team also facing the same issue:
After installing your plugin we see a lot of websites are hacked and we need to remove encoded malware snippets from your plugin.

In the last year we managed over 60 tickets with exactly this case.
In this year we running 23 tickets with that case.

Hi @tommy83,

I would like to help you pinpoint what is causing this issue, it’s likely an exploit from another part on the infrastructure you are using either at server level or from another plugin that is not up to date. Can you please reach out using the form at https://wpcode.com/contact if you wish to look into this in more depth?

But its look like its very simple to hook thirdparty/malware code into your plugin when its enabled. Maybe you can improve that security points to avoid this abuse of your plugin.

We will contact you.

Hi @tommy83,

That’s not the issue here, if an attacker can make changes to your database they can get access to almost any part of your site. The intention here is to try to go unnoticed so that their code is up on the site for as long as possible as that is how they gain the most.

I never installed this plug-in but it seems some hacker is persistently injecting something enabling admin access, adding WPCode plug-in, and then including a malicious script. I’ve taken all the usual security measures but they keep getting back in. I’m not sure it’s an issue with WPCode specifically.

Hi @antzus,

I’m sorry to hear you are running into this issue. Once you delete a plugin, there’s no way for that plugin to make any changes to your site anymore so the issue you are experiencing is not coming from WPCode and, unfortunately, we can’t prevent it since it happens even with our plugin uninstalled.

As mentioned above, please try following the steps in this article and ask your hosting provider for help cleaning up.

FAQ My site was hacked

Same issue like everyone. WE HAVE NOT INSTALLED THIS PLUGIN but automatically getting installed > activated and malware script getting added now and then. More than 20 websites are affected due to this injection.

It redirects to other site for 1st time and sets cookie on 3rd party domain so we can’t reproduce this issue on the same day even after clearing cookies.

Hi @udayjoshi101292,

Please change the passwords for all administrator accounts on your website and remove any accounts that you do not recognise.

The WPCode plugin is being installed by attackers without your permission, we are actively working on limiting the effects of these types of abuses but we can’t prevent them from installing the plugin on your site since that happens before WPCode is installed.