• Resolved climaxe

    (@climaxe)


    Hello,

    Since today, Wordfence detects malware on my website. The damaged file is: wp-content/plugins/index.php

    However, the file code has not been changed for several months so I don’t understand the problem.

    I recently updated WordPress to 5.2, and all my plugins are up to date.

    Is it possible for the malware to affect another file in my file tree?

    Here is a screenshot of the malware detection recognized by Wordfence 7.2.5, and a screenshot of the wp-content/plugins/index.php file.

    Thanks a lot for your help!

    My website wordfence screenshot

    Index.php file screenshot

    Climaxe

Viewing 6 replies - 1 through 6 (of 6 total)
  • The index.php contains a backdoor. Not to go into too much detail, it checks for a certain $post query. If present, it writes the value of the query to a file.

    The PHP function used, file_put_contents(), is disabled on many servers for security reasons. So if this is the only file that got flagged, it is very possible that is the case at your host.

    //Steph

    • This reply was modified 5 years, 6 months ago by divemasterza.
    Thread Starter climaxe

    (@climaxe)

    Thank you very much for your quick response. According to the screenshot, do you think my website is infected by a backdoor, or that this Wordfence malware detection is a false positive? I would like to know if I should ask my web registrar to restore a backup version of my website. Thank you!
    Best regards

    • This reply was modified 5 years, 6 months ago by climaxe.

    It definitely has a backdoor, but depending on your hosting security levels (i.e. some PHP functions being disabled) the backdoor might not be exploitable. But you need to clean up. Wordfence has a nice writeup on this here: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Thread Starter climaxe

    (@climaxe)

    Thank you very much! So I’m going to clean all this mess, thanks again for your help and for the web link. Best regards

    Hey @climaxe,

    @divemasterza has given you some great advice. This is definitely malicious code. While it may or may not be exploitable, you should focus on cleaning and securing the site. The Wordfence link that was shared is a great reference. However, if you see this return after cleaning the site, I’d suggest getting with a professional hack repair service to clean the site and patch the point of entry.

    Please let us know if you have any other questions.

    Thanks,

    Gerroald

    Thread Starter climaxe

    (@climaxe)

    Hello WFGerroald,

    Thank you very much for your help. I’ve downloaded the WordPress 5.2 zip file and replaced the infected file wp-content/plugins/index.php on my website with the original one. Now the Wordfence scan is OK; it seems there’s no malware anymore!

    Thanks again, have a nice day,

    Climaxe

  • The topic ‘Malware scan with Wordfence for wp-content/plugins/index.php’ is closed to new replies.
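
Added example, not part of the original thread and not Wordfence's own code: a check that the placeholder index.php files shipped with WordPress core still contain nothing but a comment, which is how the tampering discussed above can be spotted on the other stubs too. It assumes the stock stubs hold only `<?php` and a comment line; the function names and the stub list are this example's own.

```python
import re
import sys
from pathlib import Path

# Placeholder files WordPress core ships; each is only "<?php" plus a comment.
CORE_STUBS = (
    "wp-content/index.php",
    "wp-content/plugins/index.php",
    "wp-content/themes/index.php",
)

# PHP comments. A // or # comment ends at the line end OR at "?>", so code
# hidden after "?>" on a comment line is not stripped along with the comment.
_COMMENTS = re.compile(r"/\*.*?\*/|(?://|#).*?(?=\?>|$)", re.S | re.M)
# Function named in the thread as what the injected code uses to write a file.
_WRITE_CALL = re.compile(r"\bfile_put_contents\b", re.I)


def executable_residue(php_source):
    """Return what is left after removing comments, PHP tags and whitespace."""
    body = _COMMENTS.sub("", php_source)
    body = re.sub(r"<\?php|\?>", "", body, flags=re.I)
    return "".join(body.split())


def check_stubs(wp_root):
    """Map each core stub path to 'ok', 'missing' or a 'suspicious: ...' reason."""
    results = {}
    for rel in CORE_STUBS:
        path = Path(wp_root) / rel
        if not path.is_file():
            results[rel] = "missing"
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if not executable_residue(text):
            results[rel] = "ok"
        elif _WRITE_CALL.search(text):
            results[rel] = "suspicious: code present, references file_put_contents"
        else:
            results[rel] = "suspicious: code present"
    return results


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, verdict in check_stubs(root).items():
        print(f"{rel}: {verdict}")
```

A stub reported as suspicious only says the file is no longer the stock placeholder; the rest of the site still needs the full clean-up the replies recommend.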