• Many of my clients are being infected and this plugin is being installed to all of them.

    Plugin Name: Cache Performance Helper
    Description: Improves cache performance and optimization
    Version: 2.4.1
    Author: Developer
    License: GPL-2.0+

    I couldn’t figure out what plugin could be leaving the door open, the theme is the same (Avada) which I think it is fine but there’s something else leaving the back door open. Anyone else having the same issue?

    We have another topic from this website but I am moving it to wp.org https://wordpress.com/forums/topic/tons-of-wp-website-being-infected/#post-4097247

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator threadi

    (@threadi)

    My recommendation: first read this article:

    FAQ My site was hacked

    After that I would recommend checking whether you still have a clean backup. If necessary, ask the support of your hoster. If so, delete all files and the database and restore the backup. Then change all access data in the hosting (also FTP, hosting login ..).

    So if you still have a clean backup of your website, use that.

    It is difficult to investigate where a hack came from. In addition to the plugins and themes used, the hosting itself can also be the cause. An insecure server configuration where multiple websites can see each other can be really annoying. Insecure passwords for hosting, FTP, or other access points can also be harmful. If you want to investigate the details, look at the modification times and perform a log file analysis. You may then find clues as to how this ominous plugin (which I’ve never heard of, by the way, but which sounds strange even from its name) got into the project. You can often hire someone to perform such analyses, but you should expect to pay a hefty fee, as it is not an easy task.

    Otherwise, your only option is as mentioned above: restore the project cleanly, install all outstanding updates, possibly install a security plugin (see notes here), and pay more attention to the project in the future by maintaining it regularly.
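
The modification-time check threadi suggests above, as an added example that is not part of the thread and not WordPress or Sucuri code: a Python script that reads the header of every plugin entry file under a `wp-content/plugins` directory passed as its argument, flags the "Plugin Name" quoted in the first post, and orders the results by modification time so the drop time can be compared with access logs. The function names and the sample tree (directory names, the "SEO Tools" plugin, timestamps) are constructed for illustration.

```python
import os, re, sys, tempfile, time
from pathlib import Path

SUSPECT_NAME = "cache performance helper"   # "Plugin Name" value quoted in this thread
FIELD = re.compile(r"^(?:[ \t]*<\?php)?[ \t/*#@]*(Plugin Name|Version|Author):(.*)$", re.M | re.I)

def read_header(php_file):
    """Parse header fields from the first 8 KiB, the part WordPress itself reads."""
    with open(php_file, "rb") as fh:
        head = fh.read(8192).decode("utf-8", "replace").replace("\r", "\n")
    return {k.lower(): v.strip(" \t*/") for k, v in FIELD.findall(head)}

def scan(plugins_dir):
    """One record per plugin main file (root and one directory deep), oldest first."""
    root, rows = Path(plugins_dir), []
    for f in [*root.glob("*.php"), *root.glob("*/*.php")]:
        hdr = read_header(f)
        if "plugin name" not in hdr:
            continue                      # helper file, not a plugin entry point
        st = f.stat()
        rows.append({"file": f.relative_to(root).as_posix(), "name": hdr["plugin name"],
                     "author": hdr.get("author", ""),
                     "mtime": st.st_mtime,   # content change; can be forged with touch
                     "ctime": st.st_ctime,   # inode change on Unix; harder to backdate
                     "suspect": hdr["plugin name"].lower() == SUSPECT_NAME})
    return sorted(rows, key=lambda r: r["mtime"])

def build_sample(root):
    """Constructed sample tree: one ordinary plugin, one carrying the reported header."""
    files = {"seo-tools/seo-tools.php": ("SEO Tools", "Example Co", 1_700_000_000),
             "cache-helper/index.php": ("Cache Performance Helper", "Developer", 1_750_000_000)}
    for rel, (name, author, mtime) in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True)
        p.write_text(f"<?php\n/**\n * Plugin Name: {name}\n * Version: 2.4.1\n * Author: {author}\n */\n")
        os.utime(p, (mtime, mtime))
    Path(root, "seo-tools/functions.php").write_text("<?php // no header\n")
    return root

if __name__ == "__main__":
    # With no argument the script runs against the constructed sample tree.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for r in scan(target):
        stamp = time.strftime("%Y-%m-%d %H:%M:%SZ", time.gmtime(r["mtime"]))
        print(f'{stamp}  {"SUSPECT" if r["suspect"] else "ok":7}  {r["file"]}  {r["name"]} / {r["author"]}')
```

A name match only catches copies that keep this header, so the time-ordered listing is the part to read against the server's access and FTP logs.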

    Alice Farrelly

    (@alicemaywebdesign)

    There definitely doesn’t seem to be any plugins in common across our various sites.
    I would be interested if anyone does find what the vulnerability was

    Moderator Yui

    (@fierevere)

    永子

    @alicemaywebdesign It can also be a custom plugin, or it's very common to mask malware under some common/generic names.

    Also note that vulnerability details, attack vectors, exploits and malware code are not to be shared on ww.wp.xz.cn forums.

    Thread Starter Cezar Ayran

    (@ayrancd)

    @fierevere @threadi

    We have clients that also use Sucuri to scan files and database and as soon as the fake plugin is removed, nothing else can be found. Today I’ve removed that plugin from 3 websites so far, it is probably over 20 since last week. I doubt it is just a cleaning and restoring backup, there’s something, somewhere… more users are reporting the same issue and we are NOT using the same plugins and themes which leads us to a WP Core thing that needs to be checked.

    Also different hostings, no custom PHP code or plugin.

    Moderator threadi

    (@threadi)

    Using a clean backup and then updating all components of the project will result in a clean project. This is the most sensible way to restore your project after a hack, without a huge amount of effort.

    Please also note @fierevere's comment:

    So note that vulnerability details, attack vectors, exploits, and malware code are not to be shared on ww.wp.xz.cn forums.

    I am therefore closing this topic.


The topic ‘Malware: Cache Performance Helper’ is closed to new replies.