Title: Loader.php modified with backdoor
Last modified: June 5, 2024

---

# Loader.php modified with backdoor

 *  Resolved [cannahealthamsterdam](https://wordpress.org/support/users/cannahealthamsterdam/)
 * (@cannahealthamsterdam)
 * [2 years ago](https://wordpress.org/support/topic/loader-php-modified-with-backdoor/)
 * According to wordfence I discovered a backdoor on the loader.php this afternoon.
   Not sure if it’s due to plugin vulnerability?
 * If providing the code helps let me know, I made a backup of the file before fixing
   it.

Viewing 6 replies - 1 through 6 (of 6 total)

 *  Plugin Support [James Osborne](https://wordpress.org/support/users/jamesosborne/)
 * (@jamesosborne)
 * [2 years ago](https://wordpress.org/support/topic/loader-php-modified-with-backdoor/#post-17804469)
 * Thanks for sharing [@cannahealthamsterdam](https://wordpress.org/support/users/cannahealthamsterdam/).
   We’re not aware of any vulnerability of the loader.php file within Site Kit, 
   but please go share any findings and we’d be happy to review. Note that if you
   feel there may be a compromised file, you can use the WordFence or other plugins
   to compare and check for any edits to the [standard loader.php file within Site Kit](https://github.com/google/site-kit-wp/blob/90205bbe48900b386b18984ec68bd8940a9962c8/includes/loader.php).
 * Feel free to share any findings here or [preferably via this form](https://docs.google.com/forms/d/1lhjns2K7c0Ny7ME4gxTcsnYtNUtcMr8BvFpPQi23Y1E/),
   so we can also review your WordPress environment to see if we notice anything.
 * Note also that I performed a scan on a disposable WordPress site using the free
   version of Wordfence just now, and in my case [I didn’t encounter any issues or flags or concern](https://i.imgur.com/ig3q2vJ.png).
 * Let me know if you have any questions with the above. Thank you!
 *  Thread Starter [cannahealthamsterdam](https://wordpress.org/support/users/cannahealthamsterdam/)
 * (@cannahealthamsterdam)
 * [2 years ago](https://wordpress.org/support/topic/loader-php-modified-with-backdoor/#post-17805979)
 * Submitted the form twice, on the second time I included the code found on the
   bottom of loader.php
 *  Plugin Support [James Osborne](https://wordpress.org/support/users/jamesosborne/)
 * (@jamesosborne)
 * [2 years ago](https://wordpress.org/support/topic/loader-php-modified-with-backdoor/#post-17808653)
 * Appreciate you sharing this update [@cannahealthamsterdam](https://wordpress.org/support/users/cannahealthamsterdam/).
   From reviewing the details you share I don’t see anything obvious causing the
   alert in WordFence. Do you have any malware scanner installed at host level? 
   If so please perform a scan there. Before doing, in the event your site was compromised,
   you may wish to perform the following steps:
    1. Install and activate th[e Health Check & Troubleshooting plugin](https://wordpress.org/plugins/health-check).
    2. Navigate to Tools > Health Check > “More Icon” > Tools ([screenshot](https://i.imgur.com/iPSqyw5.png)).
    3. [Check the file integrity](https://i.imgur.com/5G8GXWG.png)
    4. After doing so, please share any findings from here.
    5. Should you find any modified files, please uninstall and reinstall Site Kit (
       no need to disconnect or reset first)
    6. Reinstall WordPress ([Dashboard > Updates > Reinstall](https://i.imgur.com/OSpTc44.png))
    7. Performance another WordFence check
 * Let me know if you have any questions with the above. Note also that I will check
   your references with the team.
 * You may also wish to check another security plugin that can provide their own
   scans.
 *  Thread Starter [cannahealthamsterdam](https://wordpress.org/support/users/cannahealthamsterdam/)
 * (@cannahealthamsterdam)
 * [2 years ago](https://wordpress.org/support/topic/loader-php-modified-with-backdoor/#post-17808712)
 * This is the [result](https://imgur.com/a/FEwqDit) of the integrity checks – is
   this normal?
 * I have imunify on plesk which says site is clean. – just to be clear after finding
   [this code ](https://imgur.com/a/IMdGHlP) on the bottom of loader.php I did clean
   it immediately with wordfence after it discovered it.
 * not sure how this might have been added.
 *  Plugin Support [James Osborne](https://wordpress.org/support/users/jamesosborne/)
 * (@jamesosborne)
 * [2 years ago](https://wordpress.org/support/topic/loader-php-modified-with-backdoor/#post-17808742)
 * The file integrity files look fine to me. The wordfence-waf.php file does seem
   to [be a valid file inserted via WordPress](https://www.wordfence.com/help/firewall/optimizing-the-firewall/troubleshooting/#:~:text=Firewall%20initialization%20file%20(-,wordfence%2Dwaf.php),-.%20Depending%20on%20server).
   Great call installing imunify also, which is great to determining issues on sites.
 * > I have imunify on plesk which says site is clean. – just to be clear after 
   > finding [this code ](https://imgur.com/a/IMdGHlP)on the bottom of loader.php
   > I did clean it immediately with wordfence after it discovered it.
 * Thanks for sharing. That code added to the loader.php file is not part of the
   [standard loader.php file within Site Kit](https://github.com/google/site-kit-wp/blob/7f813a1c1d1ac4027d37eaf83eef47c064affea3/includes/loader.php).
   While I’m not a security expert, this may have been a file overwritten if your
   site was compromised. I also can’t be sure what may have occurred. Just to confirm,
   you no longer encounter any notices after removing this snippet or after uninstalling
   and reinstalling Site Kit?
 * Let me know if you have any further questions with the above.
 *  Plugin Support [Adam Dunnage](https://wordpress.org/support/users/adamdunnage/)
 * (@adamdunnage)
 * [1 year, 11 months ago](https://wordpress.org/support/topic/loader-php-modified-with-backdoor/#post-17825203)
 * As we didn’t receive a response I’ll mark this as resolved. Feel free to [open a new support topic](https://wordpress.org/support/plugin/google-site-kit/#new-post)
   if you continue to encounter issues, or reopen this topic and we’d be happy to
   assist.

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Loader.php modified with backdoor’ is closed to new replies.

 * ![](https://ps.w.org/google-site-kit/assets/icon-256x256.png?rev=3141863)
 * [Site Kit by Google - Analytics, Search Console, AdSense, Speed](https://wordpress.org/plugins/google-site-kit/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/google-site-kit/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/google-site-kit/)
 * [Active Topics](https://wordpress.org/support/plugin/google-site-kit/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/google-site-kit/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/google-site-kit/reviews/)

## Tags

 * [backdoor](https://wordpress.org/support/topic-tag/backdoor/)
 * [hacked](https://wordpress.org/support/topic-tag/hacked/)

 * 7 replies
 * 3 participants
 * Last reply from: [Adam Dunnage](https://wordpress.org/support/users/adamdunnage/)
 * Last activity: [1 year, 11 months ago](https://wordpress.org/support/topic/loader-php-modified-with-backdoor/#post-17825203)
 * Status: resolved