Title: Track down insecure plugin
Last modified: August 21, 2016

---

# Track down insecure plugin

 *  [seancho](https://wordpress.org/support/users/seancho/)
 * (@seancho)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/track-down-insecure-plugin/)
 * Hi. Client WP website got hacked by cryptocurrency miners. Website is running
   a hodgepodge of old and new plugins, all as up-to-date as possible, but some 
   of them legacy, and I suspect one of them let the bad guys in. Question is, which
   one?
 * Intruders set up a root user crontab that downloaded Perl mining scripts. I deleted
   the crontab and blocked all the outgoing URLs and IP addresses, so if they try
   the same attack again, it won't work. But obviously that doesn’t prevent them 
   from doing anything else they want with root access to the server. So, question
   is, how do I figure out which plugin got them root access to set up the crontab?

Viewing 1 replies (of 1 total)

 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/track-down-insecure-plugin/#post-5101493)
 * You need to start working your way through these resources:
    * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
    * [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
    * [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
    * [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Anything less will probably result in the hacker walking straight back into your
   site again.
 * Additional Resources:
    * [Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress)
    * [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
    * [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/)
    * [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)


The topic ‘Track down insecure plugin’ is closed to new replies.

## Tags

 * [hacked plugin](https://wordpress.org/support/topic-tag/hacked-plugin/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 1 reply
 * 2 participants
 * Last reply from: [esmi](https://wordpress.org/support/users/esmi/)
 * Last activity: [11 years, 11 months ago](https://wordpress.org/support/topic/track-down-insecure-plugin/#post-5101493)
 * Status: not resolved

