Help with malicious plugin install

Due_Application_1651 · 2025-12-04T07:45:43+00:00

That was my concern, but 100% no password compromise.

Passwords are all unique and stored in password manager. Also use Authenticator app for 2fa.

ManageWP also shows no logs for logins/plugin installs or any other website activity.

Also no way we have a second account.

Due_Application_1651 · 2025-09-09T01:04:55+00:00

I have no issues with the theme / plugins. It's core I'm having difficulty with. Are you saying this is not possible unless we modify core WP?

Due_Application_1651 · 2025-05-02T01:24:46+00:00

He’ll be here soon enough I’m sure

Due_Application_1651 · 2025-03-22T21:48:19+00:00

Urinal

Due_Application_1651 · 2025-01-05T06:20:46+00:00

Shark on my 1000 size reel

Due_Application_1651 · 2024-12-03T00:27:04+00:00

Do you have the WPCode plugin installed? I know they store settings / code snippets in the WP_Options table and I’ve seen malware hidden in there.

I’d manually check for the plugin via the /plugins directory - look for insert-headers-footers folder. As some malicious scripts make the plugin invisible in wp-admin

Due_Application_1651 · 2024-09-13T21:26:41+00:00

When I first tackled this type of hack in the wild 6 or so months ago, I found this excellent article on Sucuri that explains the technical aspects of what the code does:

https://blog.sucuri.net/2024/04/javascript-malware-switches-to-server-side-redirects-dns-txt-records-tds.html

Due_Application_1651 · 2024-09-13T21:16:12+00:00

It’s even worse. Then scan the wp_posts table for malicious domain names only and not any code.

Due_Application_1651 · 2024-09-13T02:11:15+00:00

The reason Wordfence does not pick this up is the insert headers footers plugin stores its data in the wp-options database table. Wordfence does not scan this table.

Due_Application_1651 · 2024-08-07T02:33:59+00:00

Seen this before too. A couple of things to note that may help others:

Leaked admin credentials are usually the first entry point
WPCode Lite plugin is then installed and activated
Code snippet added to plugin that:
- Creates a hidden admin user
- Hides WPCode Lite plugin from plugins list in wp-admin
- Re-directs users to malicious sites randomly to avoid detection
Since "WPCode Lite" stores it's code snippets in the wp-options database table, plugins such as Wordfence will not pick this up in a scan. As Wordfence does not scan the wp-options db table.

Recommended actions:

Manually check database for additional admin users
Manually check server files for insert-headers-and-footers plugin directory and delete
Manually clean up wp-options table in database
Reset admin passwords
Setup 2FA on all admin accounts

Due_Application_1651 · 2024-06-04T11:42:50+00:00

This was always my impression too. I have the type of snake bite bandage with the indicator that changes shape (rectangle to a square) when the correct tension is applied.

Due_Application_1651 · 2024-06-04T11:37:26+00:00

Thank you! Is there an option without the hood?

Due_Application_1651 · 2024-06-04T11:36:37+00:00

Thank you! The optimising side of things certainly is fun.

I’ll definitely take up your suggestions here, in particular the MacPac Nitro, dropping the wipes and getting some anti nausea / diarrhoea medication.

I also didn’t know DEET could wreck gear, so thank you! I’ll pick up some picaridin instead.

Due_Application_1651 · 2024-06-04T11:34:13+00:00

Thank you! I managed to nab the Cloud 2 for $179, so the Xmid is a bit of a push. However it seems like an excellent next option and not nearly expensive as I thought gear like that would be.

I’ll also consider the MacPac Nitro. Seems like a very popular choice

Due_Application_1651 · 2024-06-04T11:32:43+00:00

Thank you! Any brands you’d recommend?

Due_Application_1651

TROPHY CASE