• Resolved cannahealthamsterdam

    (@cannahealthamsterdam)


    According to wordfence I discovered a backdoor on the loader.php this afternoon. Not sure if it’s due to plugin vulnerability?

    If providing the code helps let me know, I made a backup of the file before fixing it.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support James Osborne

    (@jamesosborne)

    Thanks for sharing @cannahealthamsterdam. We’re not aware of any vulnerability of the loader.php file within Site Kit, but please go share any findings and we’d be happy to review. Note that if you feel there may be a compromised file, you can use the WordFence or other plugins to compare and check for any edits to the standard loader.php file within Site Kit.

    Feel free to share any findings here or preferably via this form, so we can also review your WordPress environment to see if we notice anything.

    Note also that I performed a scan on a disposable WordPress site using the free version of Wordfence just now, and in my case I didn’t encounter any issues or flags or concern.

    Let me know if you have any questions with the above. Thank you!

    Thread Starter cannahealthamsterdam

    (@cannahealthamsterdam)

    Submitted the form twice, on the second time I included the code found on the bottom of loader.php

    Plugin Support James Osborne

    (@jamesosborne)

    Appreciate you sharing this update @cannahealthamsterdam. From reviewing the details you share I don’t see anything obvious causing the alert in WordFence. Do you have any malware scanner installed at host level? If so please perform a scan there. Before doing, in the event your site was compromised, you may wish to perform the following steps:

    1. Install and activate the Health Check & Troubleshooting plugin.
    2. Navigate to Tools > Health Check > “More Icon” > Tools (screenshot).
    3. Check the file integrity
    4. After doing so, please share any findings from here.
    5. Should you find any modified files, please uninstall and reinstall Site Kit (no need to disconnect or reset first)
    6. Reinstall WordPress (Dashboard > Updates > Reinstall)
    7. Perform another WordFence check

    Let me know if you have any questions with the above. Note also that I will check your references with the team.

    You may also wish to check another security plugin that can provide their own scans.
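
The comparison suggested in this thread (checking the installed loader.php against the standard file), as an added example that is not part of the original posts or Site Kit's own code. It compares an installed plugin directory with a freshly unpacked copy of the same release and singles out files whose original content is intact but followed by extra bytes; the directory layout, file names and sample contents are constructed for the demo.

```python
import tempfile
from pathlib import Path


def compare_trees(pristine: Path, installed: Path) -> dict:
    """Classify every file under `installed` against the known-good `pristine` tree."""
    good = {p.relative_to(pristine): p for p in pristine.rglob("*") if p.is_file()}
    live = {p.relative_to(installed): p for p in installed.rglob("*") if p.is_file()}
    report = {}
    for rel in sorted(good.keys() | live.keys()):
        key = rel.as_posix()
        if rel not in live:
            report[key] = "missing"
        elif rel not in good:
            report[key] = "unexpected"  # file the release does not ship
            continue
        else:
            want, have = good[rel].read_bytes(), live[rel].read_bytes()
            if want == have:
                report[key] = "ok"
            elif have.startswith(want):
                # Original content intact, extra bytes after it: the case in this thread.
                report[key] = f"appended:{len(have) - len(want)}"
            else:
                report[key] = "modified"
    return report


def demo() -> dict:
    """Build a constructed pristine/installed pair and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine, installed = Path(tmp, "pristine"), Path(tmp, "installed")
        for root in (pristine, installed):
            (root / "includes").mkdir(parents=True)
            (root / "includes/loader.php").write_bytes(b"<?php\n// constructed stand-in\n")
            (root / "plugin.php").write_bytes(b"<?php\n// constructed stand-in\n")
        # Constructed, inert marker standing in for code added at the bottom of the file.
        with (installed / "includes/loader.php").open("ab") as fh:
            fh.write(b"/* UNEXPECTED TRAILING BLOCK */\n")
        (installed / "extra.php").write_bytes(b"<?php\n")  # constructed stray file
        return compare_trees(pristine, installed)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:>14}  {path}")
```

Anything reported as appended, modified or unexpected is a file to inspect and restore from the clean copy before rescanning.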

    Thread Starter cannahealthamsterdam

    (@cannahealthamsterdam)

    This is the result of the integrity checks – is this normal?

    I have imunify on plesk which says site is clean. – just to be clear after finding this code on the bottom of loader.php I did clean it immediately with wordfence after it discovered it.

    not sure how this might have been added.

    Plugin Support James Osborne

    (@jamesosborne)

    The file integrity files look fine to me. The wordfence-waf.php file does seem to be a valid file inserted via WordPress. Great call installing imunify also, which is great for determining issues on sites.

    I have imunify on plesk which says site is clean. – just to be clear after finding this code on the bottom of loader.php I did clean it immediately with wordfence after it discovered it.

    Thanks for sharing. That code added to the loader.php file is not part of the standard loader.php file within Site Kit. While I’m not a security expert, this may have been a file overwritten if your site was compromised. I also can’t be sure what may have occurred. Just to confirm, you no longer encounter any notices after removing this snippet or after uninstalling and reinstalling Site Kit?

    Let me know if you have any further questions with the above.

    Plugin Support Adam Dunnage

    (@adamdunnage)

    As we didn’t receive a response I’ll mark this as resolved. Feel free to open a new support topic if you continue to encounter issues, or reopen this topic and we’d be happy to assist.
