• I read all the other similar reviews and the answers by the developers.

    To users:

    Don’t use this plugin!

    My website was infected by a virus that redirected to .top websites (space-robot), a known malicious ad virus that prompts you to allow notifications and opens ads. (I then realized that it probably found its way in via header permissions and redirected to this .top page.)

    I kept backups, deleted all plugins, reinstalled core WordPress, and changed all username and passwords. The virus was still there.

    Sucuri scan kept finding it hacked.

    In the plugins list in admin panel of WordPress there was no visible plugin as WP-code, or anything else.

    I searched in plugins ‘add new’ directory, and WP-code was active, but no ‘disable’ or ‘uninstall’ button was available (like this plugin was hidden in some way)!

    So how do you delete this thing?

    Checking the files via an FTP client, there was a folder in plugins ‘insert header and footer’. After deleting this folder, the WP-code plugin was no longer installed on my system, and the virus was gone. Sucuri scan finally found my website clean, after 2 months of my trying to clean it in several ways.

    Only when I deleted this folder from plugins, my website was clean again and running as it should.

    To developers: I understand all the excuses you might use to answer all those people who are telling you that your plugin was compromised, but seriously, fix it!!

    • This topic was modified 1 month, 1 week ago by foulianna.
Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Mircea Sandu

    (@gripgrip)

    Hi @foulianna,

    I’m sorry to hear you had such a bad experience.
    We would love to prevent this from happening but, unfortunately, the issue is not with WPCode – it’s not the WPCode plugin that is compromised, in all cases we encountered so far it’s been related to administrator user credentials being compromised.

    We recommend the same thing as you likely saw in the other posts: please update your administrator users’ passwords and remove any administrator users you do not recognize.

    In most cases, even if you delete WPCode, if you do not update your administrator credentials the attackers will install the plugin again with the snippet that hides the plugin and adds the unwanted redirect script.

    How could the WPCode plugin prevent that or do that if the plugin is not installed on your site in the first place? It can’t.

    I hope you will reconsider your review as the issue you encountered is not related to the WPCode plugin functionality. We simply created a powerful plugin for WordPress site owners which is being abused by some bad actors.

    Thread Starter foulianna

    (@foulianna)

    Listen. My website was cleaned up ONLY when I deleted the files of your plugin and that’s the fact.

    Only this for me is enough for 0 stars.

    Plugin Author Mircea Sandu

    (@gripgrip)

    To add more context here regarding the plugin being hidden: WPCode, like other plugins, enables users to use PHP code directly from their admin to extend their site. This is very powerful, but in this case it’s being abused by adding code that hides the plugin from the admin interface.

    Once you have a user that already got access to your site and installed the plugin and added this code, you have to remove it after updating your passwords and removing any users you do not recognize.

    Plugin Author Mircea Sandu

    (@gripgrip)

    @foulianna I understand it may seem as if WPCode was the reason your site had an unwanted script since deleting the plugin fixed the issue for you.

    I’m just trying to clarify here that WPCode in itself is not the reason this happened and WPCode does not add any scripts to your site on its own. When you install the plugin it does not make any changes to your site’s frontend unless you use it to add a new snippet or script through the admin interface.

    In all our instructions we recommend first updating credentials to remove the attack vector and then using the WPCode Safe Mode to prevent the snippet the attackers added from hiding the plugin so that you can clean up the changes they made.

    That is why I asked you to reconsider your review, the issue you encountered was caused by someone accessing your site and installing the WPCode plugin, and adding some unwanted script. The plugin itself did not do any of the unwanted actions on your site.

    look0410

    (@look0410)

    Hi,

    I have the same issue. I deleted all the code through FTP. Do you know what I need to do next? Thank you! @foulianna

    Plugin Author Mircea Sandu

    (@gripgrip)

    @look0410 if you have the same issue please follow the steps I listed above and update the passwords for all your administrator accounts and remove the ones you do not recognise.

    Unless you remove the way the attackers were able to get into your site to install the plugin without your permission in the first place you are going to run into the same issue again.

    Thread Starter foulianna

    (@foulianna)

    @look0410 install a firewall, change all usernames and passwords and scan your website regularly for suspicious files or scripts. I didn’t have any other problem after removing this plugin.
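
The thread describes a plugin that sits in the plugins folder on disk while a snippet keeps it out of the admin plugin list. The following check is an added example, not code from the thread or from WPCode: it compares plugin folders found on disk with the slugs the admin screen shows. The folder names, plugin names and the "visible" list are constructed samples.

```python
import os
import re
import tempfile

# WordPress recognises a plugin by a "Plugin Name:" header comment in a PHP file.
HEADER = re.compile(rb"^[ \t/*#@]*Plugin Name:[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

def plugins_on_disk(plugins_dir):
    """Map each plugin folder (or single-file plugin) to the name in its header."""
    found = {}
    for entry in sorted(os.scandir(plugins_dir), key=lambda e: e.name):
        if entry.is_dir():
            slug = entry.name
            files = sorted(f.path for f in os.scandir(entry.path)
                           if f.is_file() and f.name.endswith(".php"))
        elif entry.name.endswith(".php"):
            slug, files = entry.name[:-4], [entry.path]
        else:
            continue
        for path in files:
            with open(path, "rb") as fh:
                match = HEADER.search(fh.read(8192))  # WordPress reads the first 8 KB
            if match:
                found[slug] = match.group(1).decode("utf-8", "replace")
                break
    return found

def hidden_plugins(plugins_dir, visible_slugs):
    """Plugins present on disk but missing from the list the admin screen shows."""
    visible = set(visible_slugs)
    return {slug: name for slug, name in plugins_on_disk(plugins_dir).items()
            if slug not in visible}

def build_sample(root):
    """Constructed sample tree; folder and plugin names are made up."""
    for slug, name in [("contact-form", "Contact Form"),
                       ("example-snippets", "Example Snippets")]:
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, slug + ".php"), "w") as fh:
            fh.write("<?php\n/**\n * Plugin Name: %s\n * Version: 1.0\n */\n" % name)
    os.makedirs(os.path.join(root, "leftover-cache"))  # no plugin header: ignored
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed case: the admin screen lists only one of the two plugins.
        print(hidden_plugins(build_sample(tmp), ["contact-form"]))
```

Any slug this reports is a plugin that loads from disk but is not shown to the administrator, which is the condition the thread starter found by browsing the folder over FTP.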
