Title: Need fake plugin hack file checked
Last modified: February 3, 2022

---

# Need fake plugin hack file checked

 *  Resolved [boblebad](https://wordpress.org/support/users/boblebad/)
 * (@boblebad)
 * [4 years, 4 months ago](https://wordpress.org/support/topic/need-fake-plugin-hack-file-checked/)
 * Hi
 * I woke up this morning finding out that a few hours earlier my site got a new
   “plugin” installed. If it wasn’t for Sucuri reporting the action i wouldn’t have
   discovered it, because it didn’t show on the list of plugins.
 * I have the file and i need someone to tell me what it does.
 * The problem is that i have a very clean site with only WP, Divi and Sucuri. I
   had the Customizer Reset plugin from wpzoom. I deleted that just for safety. 
   I didn’t need anymore anyway.
 * Everything was updated to newest version. There hasn’t been installed other plugins
   on it. Just a clean site with Divi.
 * ### This is not about that i have been hacked ###
 * I just need to find out what this “plugin” does, so i can find out how it came
   onto my site. There has/had to be a crack in the security. Where it came from
   so the hole can be closed.
 * So there’s three ways that it can have entered. WordPress 5.9, Divi, (+ the other
   auto-installed WP themes) and the Customizer Reset plugin.
 * Of course Sucuri as well. I am in contact with them, and also Elegant Themes.
 * So what about WordPress, who deals with hacks and security and can take a look
   at the file and maybe see how it got onto the site, what it exploited – and of
   course to close the hole if it’s in WordPress itself ?
 * All the best
    Carsten
    -  This topic was modified 4 years, 4 months ago by [Jan Dembowski](https://wordpress.org/support/users/jdembowski/).
      Reason: Moved to Fixing WordPress, this is not an Everything else WordPress
      topic

Viewing 15 replies - 1 through 15 (of 34 total)


 *  Moderator [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/)
 * (@sterndata)
 * Volunteer Forum Moderator
 * [4 years, 4 months ago](https://wordpress.org/support/topic/need-fake-plugin-hack-file-checked/#post-15325909)
 * We really do not want you to post, or post a link to, malicious (or potentially
   malicious) code here. I suggest you contact Sucuri through their own web site,
   though if you’re not a paid customer, they probably will not check and explain
   the code.
 * Also, another possible vector is your hosting, either internally, through incomplete
   separation of sites on a shared host, or via ftp/sftp or other login option.
    -  This reply was modified 4 years, 4 months ago by [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/).
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [4 years, 4 months ago](https://wordpress.org/support/topic/need-fake-plugin-hack-file-checked/#post-15325946)
 * Moved to Fixing WordPress, this is not an Everything else WordPress topic.
 * > I just need to find out what this “plugin” does
 * That part doesn’t really matter. It’s doing bad things and that’s academic at
   this point.
 * > so i can find out how it came onto my site.
 * _That’s_ the part that matters. How’d it get onto your site?
 * As Steve wrote, you may want to contact Sucuri or other sites/services like that.
   We don’t permit that conversation in these forums because it’s not safe and ultimately
   isn’t the problem that needs looking at.
 * The site was hacked and those doors need to be closed.
 * [https://wordpress.org/support/article/faq-my-site-was-hacked/](https://wordpress.org/support/article/faq-my-site-was-hacked/)
 * When you have successfully deloused your site then consider giving this a read
   too.
 * [https://wordpress.org/support/article/hardening-wordpress/](https://wordpress.org/support/article/hardening-wordpress/)
 *  Thread Starter [boblebad](https://wordpress.org/support/users/boblebad/)
 * (@boblebad)
 * [4 years, 4 months ago](https://wordpress.org/support/topic/need-fake-plugin-hack-file-checked/#post-15326209)
 * If you let me misread as you misread me 😉
 * I translate what you’re saying; You don’t care if this is the cause of WordPress
   itself.
 * I have a super clean site, so i know what has been going on there. That’s why
   i’m here.
 * There’s 3 ways as i wrote. WordPress is one, and it needs to be checked if it
   came through a crack in the security. That’s why i want someone from WordPress
   to have a look at it.
 * And just to be clear; I wouldn’t even send it to anyone other than one at WP.
 * Why do i want to know what it does ?
 * To find out how it came onto my site. As written; There are 3 ways. What it does
   tells something about how it came on board.
 * And forgive for asking; How do you want me to close my site off from it when i
   don’t know where it came from, remembering how little that site has installed
   where it could enter from ?
 * I know the two links. I have read a lot more on security through .htaccess and
   have a good deal sealed that way. And again Sucuri gossiped about the installation
   of the so called plugin.
 * And thank you for your replies 🙂
 *  Moderator [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/)
 * (@sterndata)
 * Volunteer Forum Moderator
 * [4 years, 4 months ago](https://wordpress.org/support/topic/need-fake-plugin-hack-file-checked/#post-15326223)
 * Assuming that it’s a “crack in security”, how would looking at a file added to
   your system tell us how it got there?
 * “I translate what you’re saying; You don’t care if this is the cause of WordPress
   itself.” That’s an assumption, and you know what they say about “assume”. 🙂 
   That’s not at all what Jan or I meant. If you want to gin something up, OK, but
   that’s not what we said, what we implied, or what you should infer.
 * For the record, to report a vuln in WP core, [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/),
   or a plugin, [https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/](https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/)
 * They are not discussed publicly in these forums.
 *  Thread Starter [boblebad](https://wordpress.org/support/users/boblebad/)
 * (@boblebad)
 * [4 years, 4 months ago](https://wordpress.org/support/topic/need-fake-plugin-hack-file-checked/#post-15327124)
 * Hello [@sterndata](https://wordpress.org/support/users/sterndata/)
 * You’re missing the point here. This is a very clean site with only 3(4) parties
   involved.
 * Either WordPress has a problem, Elegant Themes with Divi or wpzoom with their
   Customizer Reset plugin. Sucuri of course can be the problem(4), but that would
   be really bad.
 * So it’s a pretty clear-cut case to what needs to be investigated.
 * And for you not to acknowledge that there’s a problem here, is like suddenly 
   i stood in your house, you knew that every door and window was closed and locked,
   and the police telling you; Just sit back and relax, you let me out the door 
   again.
 * Wouldn’t you want to know how in the name i got in, so you could stop it from
   happening again ?
 * Regarding what it would help me to know what it does to figuring out how it got
   in.
 * Knowing what it does, will give me a much higher chance finding out what the 
   name of this thing is from the lists with the names from all sorts of hacks/viruses.
 * That will then make it a lot easier to find out how it got in, because of other
   lists which tells how many of these hacks/viruses are related to a specific point
   of entry.
 * And regarding your links, they point to the wrong site: “For security issues
   with the self-hosted version of WordPress, submit a report at the WordPress HackerOne
   page.”
 * I have already written them and they have nothing to do with this.
 * And last, i don’t want to discuss what this thing does here, i want someone at
   WordPress to have a look at it and see if it could have found a crack in WP and
   got in – You know; it has happened before.
 * I want that hole locked, to stop people/sites getting hacked this way.
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [4 years, 4 months ago](https://wordpress.org/support/topic/need-fake-plugin-hack-file-checked/#post-15327231)
 * No one is dismissing you here.
 * The right way to go about this is to follow the steps at [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/)
 * Please read the page carefully, as it sounds like you had chosen the wrong option.
 *  Thread Starter [boblebad](https://wordpress.org/support/users/boblebad/)
 * (@boblebad)
 * [4 years, 4 months ago](https://wordpress.org/support/topic/need-fake-plugin-hack-file-checked/#post-15327339)
 * Hello [@macmanx](https://wordpress.org/support/users/macmanx/)
 * I have taken a screenshot of the section describing reporting security issues:
   [https://ibb.co/QYr0tF7](https://ibb.co/QYr0tF7)
 * Inserting the text here does not show what is links in the text, but here we 
   can read what it says and where to go. I have WordPress at a hosting company 
   here in Denmark.
 * —-
 *     ```
       If you are here to report any sort of security issue with a site hosted on <strong>WordPress.com</strong>, then please submit a report at the Automattic HackerOne page. If the issue you’re trying to report is on WordPress.com and is not a security issue, then please use their support forums instead.
   
       If you’re having an issue with your own self-hosted WordPress.org site that is <strong>not </strong>a security issue, then please use the WordPress.org support forums.
   
       For security issues with WordPress <strong>plugins</strong>, follow the information on Reporting Plugin Security Issues.
   
       For security issues with the <strong>self-hosted</strong> version of WordPress, submit a report at the WordPress HackerOne page. Include as much detail as you can. Please always use HackerOne instead of Core Trac, even if the vulnerability is only in trunk, or a beta/RC release, because there are some sites that run those in production.
       ```
   
 * ——
 * I hope you see the same thing as i, and that the choices i have here is pointing
   to HackerOne, as the other three relates to other scenarios.
 *  Thread Starter [boblebad](https://wordpress.org/support/users/boblebad/)
 * (@boblebad)
 * [4 years, 4 months ago](https://wordpress.org/support/topic/need-fake-plugin-hack-file-checked/#post-15327347)
 * Ohh, and under the “I have been hacked” section, you point to a plugin which 
   has not been tested with the last three major releases:
 * “This plugin hasn’t been tested with the latest 3 major releases of WordPress.
   It may no longer be maintained or supported and may have compatibility issues
   when used with more recent versions of WordPress.”
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [4 years, 4 months ago](https://wordpress.org/support/topic/need-fake-plugin-hack-file-checked/#post-15327374)
 * Under [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#where-do-i-report-security-issues](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#where-do-i-report-security-issues)
   choose the 4th option:
 * > For security issues with the self-hosted version of WordPress, submit a report
   > at the WordPress HackerOne page. Include as much detail as you can. Please 
   > always use HackerOne instead of Core Trac, even if the vulnerability is only
   > in trunk, or a beta/RC release, because there are some sites that run those
   > in production.
 * which links to [https://hackerone.com/wordpress?type=team](https://hackerone.com/wordpress?type=team)
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [4 years, 4 months ago](https://wordpress.org/support/topic/need-fake-plugin-hack-file-checked/#post-15327382)
 * Thanks for the feedback on the “I’ve been hacked.” section, I’ll pass that along.
 * Everything else under that section is still valid.
 *  Thread Starter [boblebad](https://wordpress.org/support/users/boblebad/)
 * (@boblebad)
 * [4 years, 4 months ago](https://wordpress.org/support/topic/need-fake-plugin-hack-file-checked/#post-15328059)
 * Hello [@macmanx](https://wordpress.org/support/users/macmanx/)
 * Two things.
 * 1: I’m not a Hacker and i’m not a company who wants to do something [https://ibb.co/xDh8qwN](https://ibb.co/xDh8qwN)
 * 2: Here’s the response i got back when i contacted them about my problem through
   contact form.
    ——
 * Hi Carsten,
 * I’m sorry to hear that you have been having trouble and need some assistance.
   Unfortunately, you were misrouted to HackerOne Support and we will not be able
   to assist with this experience.
 * HackerOne is a vulnerability disclosure company that established a bug bounty
   platform that connects businesses with security researchers. Companies hire
   hackers through the platform as a reward for identifying vulnerabilities in their
   systems and products. The platform enables secure intelligence report sharing,
   payment, and a reputation system for ethical hackers.
 * Kindest Regards,
    Matt ——
 * So i don’t know what’s up or down, but something is clearly not the way it’s 
   laid out.
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [4 years, 4 months ago](https://wordpress.org/support/topic/need-fake-plugin-hack-file-checked/#post-15330169)
 * It sounds like you contacted HackerOne’s support, not WordPress’s security team
   via their bug bounty program.
 * At [https://hackerone.com/wordpress?type=team](https://hackerone.com/wordpress?type=team)
   click the red “Submit report” button.
 *  Thread Starter [boblebad](https://wordpress.org/support/users/boblebad/)
 * (@boblebad)
 * [4 years, 4 months ago](https://wordpress.org/support/topic/need-fake-plugin-hack-file-checked/#post-15330298)
 * Hello again [@macmanx](https://wordpress.org/support/users/macmanx/)
 * Yes, and the image showed what i can choose between. I’m not a hacker, and i’m
   not a company who’s going to support them either. So i can’t really see how this
   fits with i want to submit an incident ?
 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [4 years, 4 months ago](https://wordpress.org/support/topic/need-fake-plugin-hack-file-checked/#post-15330326)
 * [@boblebad](https://wordpress.org/support/users/boblebad/)
 * What you’re reporting here is that somehow, bad code ended up on your site. This
   is understandably frustrating, however WordPress doesn’t run your site. You are
   correct that you could have been hacked through a bad plugin, or others may be
   correct that it was put there by some other method.
 * Looking at the bad plugin will give you no concrete information. You would need
   to look at the assorted server logs for that, and to do that, you need to contact
   your hosting service itself.
 * HackerOne is indeed not the correct place to report this, and we have no team
   here on WordPress.org that can examine your site for you. We make free software,
   we don’t control or otherwise have any power over your site.
 * If you do find a problem in WordPress itself, then the HackerOne is the place
   to report it, if you have found an actual bug to report.
 * If instead you find that the problem is through a plugin or theme, then plugins@wordpress.org
   would like to hear from you about that issue.
 * However, if your site was indeed “pristine” then it’s unlikely that one of these
   are the attack vectors used. It’s more likely that you were hacked through your
   hosting service. Maybe the FTP door is open and a guessable password was used.
   Perhaps there is a flaw at the server level, or it’s on a shared hosting service
   that doesn’t have good intra-user security. There are many possibilities. Without
   asking your host itself and having them look at the server logs to find how it
   happened, you’ll probably be unable to find the source.
 * Sorry if that isn’t the answer you wanted to hear.
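
The reply above points to the server logs, not the dropped file, as the way to learn how the “plugin” arrived. As an added example that is not part of the thread or of any WordPress tooling, the sketch below filters a web access log to the minutes around the file's appearance and says which logs to pull next. It assumes Apache/nginx "combined" log format; the sample lines, the plugin directory `example-fake`, the timestamps and all function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" format; IPs, times and the
# plugin directory "example-fake" are placeholders, not values from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2022:03:11:02 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Feb/2022:03:11:40 +0100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Feb/2022:03:12:05 +0100] "GET /wp-content/plugins/example-fake/index.php HTTP/1.1" 200 17 "-" "curl/7.79"
192.0.2.44 - - [01/Feb/2022:09:30:00 +0100] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""
PLUGIN_DIR = "/wp-content/plugins/example-fake/"
# When the file appeared: take it from the audit alert or the file's ctime/mtime
# (file times can be forged, so prefer the alert). Constructed value here.
FILE_TIME = datetime.strptime("01/Feb/2022:03:11:45 +0100", "%d/%b/%Y:%H:%M:%S %z")
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# WordPress endpoints that authenticate or can write files; a triage list, not exhaustive.
WRITE_PATHS = {"/wp-login.php", "/xmlrpc.php", "/wp-admin/update.php",
               "/wp-admin/admin-ajax.php", "/wp-admin/plugin-editor.php",
               "/wp-admin/theme-editor.php"}

def parse(line):
    """Return one request as a dict, or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}

def requests_near(log_text, file_time, plugin_dir, minutes=10):
    """List (request, reason) pairs within +/- minutes of the file's appearance."""
    window, hits = timedelta(minutes=minutes), []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or abs(ev["time"] - file_time) > window:
            continue
        if ev["method"] == "POST" and ev["path"].split("?")[0] in WRITE_PATHS:
            hits.append((ev, "write-capable POST"))
        elif plugin_dir in ev["path"]:
            hits.append((ev, "request to the unknown plugin"))
    return hits

def where_to_look(hits):
    """Say which logs to pull next; this narrows the search, it proves nothing."""
    if any(reason == "write-capable POST" for _, reason in hits):
        return "web: review these requests and the account they logged in as"
    return "non-web: ask the host for FTP/SFTP, SSH and control-panel logs"

if __name__ == "__main__":
    found = requests_near(SAMPLE_LOG, FILE_TIME, PLUGIN_DIR)
    for ev, reason in found:
        print(ev["time"].isoformat(), ev["ip"], ev["method"], ev["path"], reason)
    print(where_to_look(found))
```

An empty result for the window is itself a finding: it points away from the web application and toward the hosting-level routes mentioned in the thread.
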
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [4 years, 4 months ago](https://wordpress.org/support/topic/need-fake-plugin-hack-file-checked/page/2/#post-15330331)
 * Thanks for clarifying, Otto!
 * In this case then, carefully follow [this guide](https://wordpress.org/support/article/faq-my-site-was-hacked/).
   When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://wordpress.org/support/article/hardening-wordpress/)
   and [start backing up your site](https://wordpress.org/support/article/wordpress-backups/).


The topic ‘Need fake plugin hack file checked’ is closed to new replies.

## Tags

 * [hacked](https://wordpress.org/support/topic-tag/hacked/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 34 replies
 * 7 participants
 * Last reply from: [Jos Klever](https://wordpress.org/support/users/josklever/)
 * Last activity: [4 years, 4 months ago](https://wordpress.org/support/topic/need-fake-plugin-hack-file-checked/page/3/#post-15332116)
 * Status: resolved

