PL

I’ve also been having this issue for a couple weeks now. I used to get email alerts whenever I logged into my site and now I don’t. I’ll get an email if I edit a post or update a plug-in, but that’s it. No login alerts. On the ‘Last Logins’ Tab, under ‘All Users’, it only says “no logs so far”.

Thank you.

Thank you.

Thank you for the reply and links. I’m trying to figure out which option is best to fix this. Does anyone know where in the Wordfence options can I find what IP addresses are white listed? There is a suspicious IP I can’t block because I get a pop-up saying that it’s whitelisted and I can change that in the WordFence Options, but I can’t find exactly where in the options section this IP would be listed.

I just got a Wordfence email with all these problems ??

File appears to be malicious: wp-content/plugins/jetpack/class.frame-nonce-preview.php
Filename: wp-content/plugins/jetpack/class.frame-nonce-preview.php
File type: Plugin
Issue first detected: 15 mins ago.
Severity: Critical
Status New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “eval($qd23264[$lbef4fa8c[‘of4d4eaf7’][3”. The infection type is: Backdoor

Tools:View the file. Restore the original version of this file. See how the file has changed.
Select for bulk repair
Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.
File appears to be malicious: wp-content/plugins/mojo-marketplace-wp-plugin/tests/title.php
Filename: wp-content/plugins/mojo-marketplace-wp-plugin/tests/title.php
File type: Not a core, theme or plugin file.
Issue first detected: 15 mins ago.
Severity: Critical
Status New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “@$GLOBALS[$GLOBALS[‘db2524928’][95].$GLOBALS[‘db2524928’][32].$GLOBALS[‘db2524928’][78]”. The infection type is: supp2 infection

Tools:View the file. Delete this file (can’t be undone).
Select for bulk delete
Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.
File appears to be malicious: wp-content/plugins/wordfence/lib/menu_whois.php
Filename: wp-content/plugins/wordfence/lib/menu_whois.php
File type: Plugin
Issue first detected: 15 mins ago.
Severity: Critical
Status New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “eval($g889c997[$r2d67ab[‘v899ef’][24”. The infection type is: Backdoor

Tools:View the file. Restore the original version of this file. See how the file has changed.
Select for bulk repair
Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.
File appears to be malicious: wp-content/plugins/wordpress-seo/frontend/search70.php
Filename: wp-content/plugins/wordpress-seo/frontend/search70.php
File type: Not a core, theme or plugin file.
Issue first detected: 15 mins ago.
Severity: Critical
Status New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “@$GLOBALS[$GLOBALS[‘oe4bbc9’][26].$GLOBALS[‘oe4bbc9’][63].$GLOBALS[‘oe4bbc9’][69]”. The infection type is: supp2 infection

Tools:View the file. Delete this file (can’t be undone).
Select for bulk delete
Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.
File appears to be malicious: wp-content/plugins/wordpress-seo/wp-seo.php
Filename: wp-content/plugins/wordpress-seo/wp-seo.php
File type: Not a core, theme or plugin file.
Issue first detected: 15 mins ago.
Severity: Critical
Status New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “eval($b5196aa[$j24c0b1c3[‘ye46ba088’][27”. The infection type is: Backdoor

Tools:View the file. Delete this file (can’t be undone).
Select for bulk delete
Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.
File appears to be malicious: wp-content/wflogs/error.php
Filename: wp-content/wflogs/error.php
File type: Not a core, theme or plugin file.
Issue first detected: 15 mins ago.
Severity: Critical
Status New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “$yjr=$_COOKIE; $xib=$yjr[jctc]; if($xib){ $pdzcp=$xib($yjr[pbaq]);$ustr=$xib($yjr[mxrs]);$voup=$pdzcp(“”,$ustr);$voup(“. The infection type is: G212 – variation 2

Tools:View the file. Delete this file (can’t be undone).
Select for bulk delete
Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.
File appears to be malicious: wp-includes/Requests/Response/Headers.php
Filename: wp-includes/Requests/Response/Headers.php
File type: Core
Issue first detected: 15 mins ago.
Severity: Critical
Status New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “eval($v329df96[$v107eb438[‘bfc8c64fc’][6”. The infection type is: Backdoor

Tools:View the file. Restore the original version of this file. See how the file has changed.
Select for bulk repair
Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.
File appears to be malicious: wp-includes/js/jquery/ui/dirs58.php
Filename: wp-includes/js/jquery/ui/dirs58.php
File type: Not a core, theme or plugin file.
Issue first detected: 15 mins ago.
Severity: Critical
Status New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “@$GLOBALS[$GLOBALS[‘m7f2ce’][75].$GLOBALS[‘m7f2ce’][55].$GLOBALS[‘m7f2ce’][72]”. The infection type is: supp2 infection

Tools:View the file. Delete this file (can’t be undone).
Select for bulk delete
Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.
WordPress core file modified: wp-includes/Requests/Response/Headers.php
Filename: wp-includes/Requests/Response/Headers.php
File type: Core
Issue first detected: 16 mins ago.
Severity: Critical
Status New
This WordPress core file has been modified and differs from the original file distributed with this version of WordPress.

Tools:View the file. Restore the original version of this file. See how the file has changed.
Select for bulk repair
Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.
Unknown file in WordPress core: wp-includes/js/jquery/ui/dirs58.php
Filename: wp-includes/js/jquery/ui/dirs58.php
File type: Core
Issue first detected: 16 mins ago.
Severity: Warning
Status New
This file is in a WordPress core location but is not distributed with this version of WordPress. This is usually due to it being left over from a previous WordPress update, but it may also have been added by another plugin or a malicious file added by an attacker.

Tools:View the file. Delete this file (can’t be undone).
Select for bulk delete
Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.
Modified plugin file: wp-content/plugins/wordfence/lib/menu_whois.php
Filename: wp-content/plugins/wordfence/lib/menu_whois.php
File type: Plugin
Issue first detected: 16 mins ago.
Severity: Warning
Status New
This file belongs to plugin “Wordfence Security” version “6.1.17” and has been modified from the file that is distributed by www.remarpro.com for this version. Please use the link to see how the file has changed. If you have modified this file yourself, you can safely ignore this warning. If you see a lot of changed files in a plugin that have been made by the author, then try uninstalling and reinstalling the plugin to force an upgrade. Doing this is a workaround for plugin authors who don’t manage their code correctly. [See our FAQ on https://www.wordfence.com for more info]

Tools:View the file. Restore the original version of this file. See how the file has changed.
Select for bulk repair
Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.
Modified plugin file: wp-content/plugins/jetpack/class.frame-nonce-preview.php
Filename: wp-content/plugins/jetpack/class.frame-nonce-preview.php
File type: Plugin
Issue first detected: 16 mins ago.
Severity: Warning
Status New
This file belongs to plugin “Jetpack by WordPress.com” version “4.3.1” and has been modified from the file that is distributed by www.remarpro.com for this version. Please use the link to see how the file has changed. If you have modified this file yourself, you can safely ignore this warning. If you see a lot of changed files in a plugin that have been made by the author, then try uninstalling and reinstalling the plugin to force an upgrade. Doing this is a workaround for plugin authors who don’t manage their code correctly. [See our FAQ on https://www.wordfence.com for more info]

Tools:View the file. Restore the original version of this file. See how the file has changed.
Select for bulk repair
Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.
Modified plugin file: wp-content/plugins/analytics-counter/readme.txt
Filename: wp-content/plugins/analytics-counter/readme.txt
File type: Plugin
Issue first detected: 16 mins ago.
Severity: Warning
Status New
This file belongs to plugin “Google Analytics Counter Tracker” version “3.3.0” and has been modified from the file that is distributed by www.remarpro.com for this version. Please use the link to see how the file has changed. If you have modified this file yourself, you can safely ignore this warning. If you see a lot of changed files in a plugin that have been made by the author, then try uninstalling and reinstalling the plugin to force an upgrade. Doing this is a workaround for plugin authors who don’t manage their code correctly. [See our FAQ on https://www.wordfence.com for more info]

Tools:View the file. Restore the original version of this file. See how the file has changed.
Select for bulk repair
Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.

Thanks for the reply, wflandon. The file Wordfence reported as a backdoor appeared in a file related to the theme I was using. All of the photos that were listed as ‘modified’ seemed to be names of photos I’ve uploaded, but I never modified them, so that’s what I was confused about. Here is the a description of what happened a couple weekends ago:

Last weekend, the WordFence Security plugin I use found a a possibly malicious file during a scan. The file mentioned the name of the theme I’m using, so I checked with the developer of that theme and they told me the file wasn’t their code.

Then I contacted my hosting company to look into this and they told me my site wasn’t infected. Within an hour or so after this strange file appeared, I clicked the ‘delete file’ option on WordFence which messed up my theme.

I was worried my site was hacked because it looked bare, but my host said it was just a theme issue and activated the default WordPress 2015 theme. The hosting company told me how to do a malware scan with Sucuri Site Check. No issues appear in the scan and nothing else seems wrong with my site in appearance or in the dashboard. WordFence also shows no issues now.

I’ve only been using WordPress for a year and never had anything like this happen before. Since I deleted this possibly malicious file, does that mean my site is okay? The infection type was listed as “Backdoor:PHP/array_map”, so could this still somehow affect my site or even my computer? I’m afraid to back up my site now and make things worse. I’ve posted a copy of the message that showed up in that Wordfence scan, but if anyone could give some input if there’s something else I should be doing about this issue or not.

File appears to be malicious: wp-content/themes/wp_olsen5-v1.1.1/functions.php
Filename: wp-content/themes/wp_olsen5-v1.1.1/functions.php
File type: Not a core, theme or plugin file.
Issue first detected: 9 mins ago.
Severity: Critical
Status New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “add_action(‘init’, create_function(”, implode(“\n”, array_map(“base64_decode”, unserialize(get_option”. The infection type is: Backdoor:PHP/array_map
———

At this point, Wordfence is not showing any issues with my site and I have not noticed any changes to the admin dashboard or to the appearance of the site. I’m still unsure about how to know for sure if my site is clean, or if there’s something hidden that I wouldn’t be aware of. I deleted that file listed as malicious and even deleted that entire theme and activated another one, but is doing Wordfence scans enough to find any issues?

Thank you everyone! I found the file in my host control panel and finally got it deleted.

Thanks for your reply. It’s a 3 party theme that I can’t delete. Which would be the safest way to try for someone new to WP?

Thanks all for the help. I’ll go through the list of steps and try to see what I can do.

Thanks for the responses and suggestions. I thought I had good security with a strong password, updates, WordFence, Cloudflare, doing regular scans and being careful about Plugins, so I’m wondering where this file came from? Could the theme I was using have a problem? I’ve been thinking of changing to a Genesis theme which they say has better security, but until I’m sure there’s not some hidden malware somewhere in my blog, I’ve been holding off.

For someone fairly new to WordPress, how easy or how much time would it take to fix the issues?

There are 72 “404 errors” showing in the Google Search Console. On the Structured Data Page in the Search Console it says 532 Items with errors on 204 pages: Hentry, WebPage, Markup: Schema.org, WPSideBar and other issues. I don’t know what these errors are or how to fix them. Then, there are at least 70 posts that aren’t up to par quality-wise and their content is now obsolete. I read deleting old posts hurts SEO, so I’ve left them for now.

It says “1,155.00 MB total disk space used.”

This is Bluehost shared hosting. It was one of their lowest cost plans.

Thanks. Any idea what else can cause core files to be modified if I didn’t make any changes? I have the Wordfence free version and the latest scan doesn’t show any problems with my site. I also don’t see any changes or issues besides that message in my hosting panel.

Thanks, I’ve been thinking of changing to the Pro version. Will it automatically convert my posts into this style or just the new posts if I choose that setting?

Thank you. I guess I thought there’d be a way to do this automatically like some themes do because I have 80+ posts already and it’s the only thing I don’t like about this theme.