• Resolved cmarcc

    (@cmarcc)


    Hi,
    When installing the plugin on my website, it crashed instantly, so I had to delete it manually via FTP. I received an automated email from SiteGround saying that there was malware in the plugin and they had changed the permissions of the file (presumably the reason why my website crashed). I don’t remember the actual file name that was an issue with their site scanner, but it contained ‘handler’ in it. Not sure if this is a false alert or not but wanted to let you know. Thank you.

    • This topic was modified 1 week ago by cmarcc.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author wpazleen

    (@wpazleen)

    Hi,

    Thank you for reporting this.

    We have manually reviewed the plugin codebase, performed extensive testing on our end, and also checked the plugin using WordPress’s official Plugin Check (PCP) tool. So far, we have not encountered any security issues, malware detections, or suspicious files that would explain the behavior you experienced.

    Based on our review, we believe the SiteGround malware alert may have been a false positive. One possible cause is the use of the fread() function within the plugin’s file download handler, as some automated security scanners can occasionally flag legitimate file handling operations as suspicious. However, we have not found any actual malware or malicious code within the plugin.

    The plugin is currently being used by many users for website migrations across a wide range of hosting providers and environments. This is the first report we have received of a malware-related detection, which makes us believe this is very likely a false positive. Nevertheless, we would like to review the exact details from SiteGround to fully understand what triggered the alert and ensure there are no compatibility issues with their scanner.

    Would it be possible for you to contact SiteGround support and request the exact details of the detection? In particular, it would be very helpful if they could provide:

    • The exact file name that was flagged.
    • The malware/security signature or rule that triggered the detection.
    • Any scan logs, screenshots, or error messages related to the issue.

    You mentioned that the file name may have contained “handler”, which gives us a starting point, but we would need the complete details to properly investigate.

    Thank you for bringing this to our attention, and we look forward to your update.

    • This reply was modified 1 week ago by wpazleen.
    Plugin Author wpazleen

    (@wpazleen)

    Hi @cmarcc,
    Thank you for your patience while we investigated this further.
    Following our previous reply, our team conducted a deeper review of the codebase and we were able to identify the exact cause of the SiteGround alert.

    Here is exactly what happened and why it was a false positive:
    Our plugin includes a built-in security feature specifically designed to protect your site during theme and plugin imports, as we have a dedicated Theme and Plugin Import/Export feature. When you import a Theme/Plugin ZIP file, the plugin automatically scans its contents and blocks any files that contain known dangerous PHP functions. This is intentional behavior to prevent nulled or malicious themes/plugins from being installed on your site.

    The problem was that in order to scan for these dangerous strings, our code had to list them inside a security check array. SiteGround’s automated scanner read the source code, saw the literal string and immediately flagged the file – without understanding that this code existed to DETECT and BLOCK that very function, not to use it.

    In other words, our security feature was mistaken for a threat by a scanner that was not reading the context, only the keywords.

    What we have done to resolve this:
    We have updated the plugin so that those pattern strings are now written in a way that will no longer trigger static code scanners, while the underlying security check continues to work exactly as before. The fix has been applied and the updated version is now available.

    We sincerely apologize for the trouble this caused – especially having to manually delete the plugin via FTP and dealing with the website crash. That was absolutely not the experience we want for our users.

    Please update to the latest version and you should have no further issues with SiteGround or any other hosting provider’s scanner. If you have any questions or need any assistance getting things set up again, please don’t hesitate to reach out – we are happy to help.

    Thank you again for your patience and for helping us make the plugin better.

    • This reply was modified 6 days, 18 hours ago by wpazleen.
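
The false positive described in the reply above, as an added example that is not the plugin's or SiteGround's code: a keyword match reports a blocklist file because the names occur in string literals, while a match on PHP tokens reports only direct calls. The function list, the names `keyword_scan` and `token_scan`, and both sample files are assumptions made for illustration; PHP 8.0 or later is assumed.

```php
<?php
// Added illustration (PHP 8.0+), not the plugin's code. The function list is an
// assumption; the thread does not say which names the plugin checks for.
const FLAGGED = ['eval', 'system', 'shell_exec', 'passthru', 'base64_decode'];

// Keyword matching: reports a name wherever the text occurs, string literals included.
function keyword_scan(string $src): array
{
    return array_values(array_filter(FLAGGED, fn($n) => stripos($src, $n) !== false));
}

// Token-aware matching: reports a name only when it is lexed as an identifier
// followed by "(", i.e. a direct call. Indirect calls are out of scope here.
function token_scan(string $src): array
{
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = array_values(array_filter(
        token_get_all($src),
        fn($t) => !is_array($t) || !in_array($t[0], $skip, true)
    ));
    $notCalls = [T_OBJECT_OPERATOR, T_NULLSAFE_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION];
    $hits = [];
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok) || !in_array($tok[0], [T_STRING, T_EVAL, T_NAME_FULLY_QUALIFIED], true)) {
            continue;
        }
        $name = strtolower(ltrim($tok[1], '\\'));
        $prev = $tokens[$i - 1] ?? null;
        $isMember = is_array($prev) && in_array($prev[0], $notCalls, true);
        if (!$isMember && ($tokens[$i + 1] ?? null) === '(' && in_array($name, FLAGGED, true)) {
            $hits[$name] = true;
        }
    }
    return array_keys($hits);
}

// Constructed samples: a blocklist like the one described in the thread, and a file with a real call.
$blocklistFile = <<<'PHP'
<?php
$blocked = ['eval', 'shell_exec', 'base64_decode']; // names to reject on import
PHP;
$callingFile = <<<'PHP'
<?php
echo shell_exec('uptime');
PHP;

var_dump(keyword_scan($blocklistFile));
var_dump(token_scan($blocklistFile));
var_dump(token_scan($callingFile));
```
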
    Thread Starter cmarcc

    (@cmarcc)

    Hi,
    Thank you for the support and explanations, really appreciated.
