Title: Suspicious Code in plugin files Last modified: August 31, 2016 --- # Suspicious Code in plugin files * Resolved [edtorrey](https://wordpress.org/support/users/edtorrey/) * (@edtorrey) * [10 years, 5 months ago](https://wordpress.org/support/topic/suspicious-code-in-plugin-files/) * I use Wordfence security software to scan my site. Two MailPoet files showed in today’s scan. * My MailPoet is Version 2.6.19. * Are these filenames valid for the plugin? Are the data valid that are shown In the details provided below? * Details follow. * Summary of suspicious files: * File contains suspected malware URL: /home/hcwg/ public_html/dev/wp-content/plugins/wysija-newsletters/helpers/back.php * File contains suspected malware URL: /home/hcwg/public_html/dev/wp-content/plugins/ wysija-newsletters/add-ons/add-ons-list.php * Details for each follow: ********* first file ********* /home/hcwg/public_html/ dev/wp-content/plugins/wysija-newsletters/helpers/back.php Filename: dev/wp-content/ plugins/wysija-newsletters/helpers/back.php Bad URL: [http://clicky.me/wp-reviews](http://clicky.me/wp-reviews) File type: Not a core, theme or plugin file. Issue first detected: 1 hour 30 mins ago. Severity: Critical Status New This file contains a suspected malware URL listed on Google’s list of malware sites. Wordfence decodes base64 when scanning files so the URL may not be visible if you view this file. The URL is: [http://clicky.me/wp-reviews](http://clicky.me/wp-reviews)– More info available at Google Safe Browsing diagnostic page.********* end first file ***** ********* second file ********* /home/hcwg/public_html/dev/wp-content/ plugins/wysija-newsletters/add-ons/add-ons-list.php Filename: dev/wp-content/ plugins/wysija-newsletters/add-ons/add-ons-list.php Bad URL: [http://clicky.me/woocommerce-autoresponder](http://clicky.me/woocommerce-autoresponder) File type: Not a core, theme or plugin file. Issue first detected: 1 hour 30 mins ago. Severity: Critical Status New This file contains a suspected malware URL listed on Google’s list of malware sites. Wordfence decodes base64 when scanning files so the URL may not be visible if you view this file. The URL is: [http://clicky.me/woocommerce-autoresponder](http://clicky.me/woocommerce-autoresponder)– More info available at Google Safe Browsing diagnostic page. ********* end second file ***** * [https://wordpress.org/plugins/wysija-newsletters/](https://wordpress.org/plugins/wysija-newsletters/) Viewing 7 replies - 1 through 7 (of 7 total) * [Wysija](https://wordpress.org/support/users/wysija/) * (@wysija) * [10 years, 5 months ago](https://wordpress.org/support/topic/suspicious-code-in-plugin-files/#post-6912244) * Please deactivate and delete your MailPoet and then install it again. Don’t worry, you won’t lose any data. * Thread Starter [edtorrey](https://wordpress.org/support/users/edtorrey/) * (@edtorrey) * [10 years, 5 months ago](https://wordpress.org/support/topic/suspicious-code-in-plugin-files/#post-6912248) * The uninstall/reinstall did not clear the Wordfence Security alert for the web site address in your files that are listed by Google as a malware web site. * Marking permissions on the files to disable them causes your plugin to malfunction. * Please advise corrective action. * [Thomas Blomberg](https://wordpress.org/support/users/thomasdk81/) * (@thomasdk81) * [10 years, 5 months ago](https://wordpress.org/support/topic/suspicious-code-in-plugin-files/#post-6912253) * Wordfence is marking the URL “[http://clicky.me/wp-reviews”](http://clicky.me/wp-reviews”); as bad. Therefore sending a “File contains suspected malware URL” notice. * Thread Starter [edtorrey](https://wordpress.org/support/users/edtorrey/) * (@edtorrey) * [10 years, 5 months ago](https://wordpress.org/support/topic/suspicious-code-in-plugin-files/#post-6912322) * Thomas, thank you for the comment. I get what you’re saying and that’s what the scan notice says too. I fully understand the trigger and how it’s determined. * The question is to MailPoet authors – a site flagged by Google as malware is included by MailPoet authors. Why? Now that you have the notice, what are you doing about it? * I don’t know the design of the code to edit it and neutralize the risk. Thus my inquiry. * Finally, in background, three times last fall another of my commercial sites that needs to be open to global customers was hacked resulting in the hosting service shutting it down. Wordfence flagged the files similar to above, and we“ trusted” the plugin provider. Turned out to be bad advice, as two more times the site was affected. * Mailpoet designers, I want to trust your code, but a flagged entry, seemingly benign in relationship to what the code is otherwise needing to do, and thus probably expendable, should be removed or replaced with values not flagged by Google. * Please advise * Thread Starter [edtorrey](https://wordpress.org/support/users/edtorrey/) * (@edtorrey) * [10 years, 4 months ago](https://wordpress.org/support/topic/suspicious-code-in-plugin-files/#post-6912376) * Will there be any further information from you on this item? * [Michael Douglass](https://wordpress.org/support/users/michael-douglass/) * (@michael-douglass) * [10 years, 4 months ago](https://wordpress.org/support/topic/suspicious-code-in-plugin-files/#post-6912378) * Hi, I potentially have the same issue, or at least similar. I have never had a problem with Mailpoet, however two days ago I made a change to the Mailpoet newsletter signup form on our site and our entire site went down. My site went down, and I could not log into the WordPress back-end, nor cpanel. My web domain host said that there was something suspicious in the Mailpoet plugin that caused it (or my site) to be firewalled. In order to get my site up again, they made an allowance in the firewall, however noted that this has reduced security, and they also mentioned something about visitors being locked out of the site. I have now disabled the Mailpoet plugins (Mailpoet Newsletters and Mailpoet Newsletters Premium) hoping that the plugin will be fixed. I note it is not noted as being compatible with the latest wordpress or not, not sure if the issue resides there. Anyway I am worried about deleting and reinstalling the plugins in case it re- triggers my being locked out of the site entirely (www.bioag.com.au). Hope you can help. At the moment we have broken links pointing to our newsletter signup form, and are unable to send anything to our database of contacts. Regards Michael * [Wysija](https://wordpress.org/support/users/wysija/) * (@wysija) * [10 years, 4 months ago](https://wordpress.org/support/topic/suspicious-code-in-plugin-files/#post-6912381) * [@edtorrey](https://wordpress.org/support/users/edtorrey/) that website is not present in our code. Your website was infected and then this malware infected MailPoet’s files. I suggest you run a Sucuri Site Check in your website: [https://sitecheck.sucuri.net/](https://sitecheck.sucuri.net/) Viewing 7 replies - 1 through 7 (of 7 total) The topic ‘Suspicious Code in plugin files’ is closed to new replies. * ![](https://s.w.org/plugins/geopattern-icon/wysija-newsletters_ffddcc.svg) * [MailPoet Newsletters (Previous)](https://wordpress.org/plugins/wysija-newsletters/) * [Support Threads](https://wordpress.org/support/plugin/wysija-newsletters/) * [Active Topics](https://wordpress.org/support/plugin/wysija-newsletters/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wysija-newsletters/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wysija-newsletters/reviews/) * 7 replies * 4 participants * Last reply from: [Wysija](https://wordpress.org/support/users/wysija/) * Last activity: [10 years, 4 months ago](https://wordpress.org/support/topic/suspicious-code-in-plugin-files/#post-6912381) * Status: resolved