Eli
Forum Replies Created
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] Registration issues
It sounds like this was another caching issue then. Please make sure to clear your cache and turn off any caching plugins if you are not seeing the changes on your site that you expect to see.
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] Registration issues
If you unregistered then you know that your registration was in there, otherwise there would be nothing to unregister. This means that there is clearly something on your end blocking your site from confirming this registration which does exist and that you yourself can see on my site when you login.
This origin issue was resolved. If this is not just a caching issue and the Console tab does not show some kind of CSP or script blocking error then the solution I wrote to the original poster goes for you as well.
Please contact me directly for support relating to your personal registration details and I can help YOU resolve your unique issue with your registration.
eli AT gotmls DOT net
No problem, Thanks again for getting me the information I needed to make that change. The latest definition update I just released has this corrected so if you download version M5TA8 then you shouldn’t see that file coming up in the scan any more.
Please let me know if there is anything else.
Hi Bruno,
Thanks for reporting this and including the entire contents of the file so that I could make a determination on this issue. After reviewing the way this function is rewriting those encoded files, I have confirmed that it is not a threat. I will add this False Positive to my whitelist so that it will not be detected as a known threat in the future.
It would be helpful to know what that critical error actually is. Can you view the relevant entries in the error_log file on your server to see what caused the error?
Perhaps it would be better syntax to use code like this in your statement:
WHERE START_DT > <?php $_GET["thedate"] ?>
Make sure that the quotes used are not made fancy by some editor.
Also note that you will need to pass thedate in the QUERY_STRING of your URL when calling this report or it might trigger a PHP Warning about an undefined index.
Yes, that means that the security token that was used to start the scan had expired by the time you came back to view the results. This is rare and usually just means that you will need to restart the scan and try again. If it happens again then please contact me directly with more details and I can help you troubleshoot the cause of this issue.
eli AT gotmls DOT net
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] No response from server!
Yes, this confirms that this issue is caused by a restrictive CSP in your server’s configuration. Your CSP (Content Security Policy) does not allow loading external scripts from updates.gotmls.net so you are unable to get the definition updates that way.
You can either change the CSP on your server to allow this script (ask your hosting provider how to do this if you are not sure).
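The CSP condition described in the reply above can be checked offline against a policy string. This is an added example, not part of the original reply or the plugin's code; the page origin `https://example.com`, the sample policies and the root path on updates.gotmls.net are constructed, and host-source matching is simplified (paths are ignored).

```javascript
// Added example (not plugin code): would this CSP let a page load a script
// from the given URL? Host-source matching is simplified: paths are ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Only the first occurrence of a directive is honoured.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function matchesSource(source, url, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'self'") return url.origin === pageOrigin;
  if (src.startsWith("'")) return false; // 'none', nonces, hashes, keywords
  if (src === '*') return /^https?:$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src; // e.g. https:
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme ? url.protocol !== scheme + ':' : !/^https?:$/.test(url.protocol)) return false;
  const hostOk = host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1)) // subdomains only, not the apex
    : url.hostname === host;
  const portOk = port === '*' || (port ? url.port === port : url.port === '');
  return hostOk && portOk;
}

function scriptAllowed(cspHeader, scriptUrl, pageOrigin) {
  const d = parseCsp(cspHeader);
  // script-src-elem governs <script> tags, falling back to script-src, then default-src.
  const list = d.get('script-src-elem') ?? d.get('script-src') ?? d.get('default-src');
  if (list === undefined) return true; // nothing restricts scripts
  const url = new URL(scriptUrl);
  return list.some((s) => matchesSource(s, url, pageOrigin));
}

// Constructed sample policies; only the host name comes from the page.
const UPDATE_URL = 'https://updates.gotmls.net/';
const PAGE = 'https://example.com';
for (const policy of [
  "default-src 'self'",
  "default-src 'self'; script-src 'self' https://updates.gotmls.net",
]) {
  console.log(scriptAllowed(policy, UPDATE_URL, PAGE) ? 'allowed' : 'blocked', '<-', policy);
}
```

The policy actually in force is the `Content-Security-Policy` response header (or `<meta>` tag) of the admin page, which is also what the browser's Console error quotes when it blocks the script.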
Thank you for sending me that file, it is actually nothing at all like those files with the same name that I found in the free versions of that plugin. I was able to confirm that although they are passing a Hex encoded string to a dynamic function (a function called using a variable name), they are not using it in a malicious way so this is in fact a false positive.
I have updated my definitions for this threat so as to not include the code in this file. Thanks again for taking the time to bring this to my attention and get me the information needed to confirm and fix the issue.
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] No response from server!
Maybe there is some CSP or another security measure on the new server that is blocking the update script. Can you check the Console tab in your browser’s Inspector to see if there are any JavaScript errors?
If the answer is not found there then can you check the error_log files on your server to see if there are any PHP errors that might explain the cause of this issue?
Please let me know what you find.
Ok, something does not add up and your screenshot finally gave me a clue. As I said, I have downloaded and tested both of the wpvivid-backup plugins available on the WordPress Plugin Repository, and they both have a Middleware.php file, but they also both scan fine with no threats found. It looks like you have the Pro version and that version of the plugin has another file called Middleware.php with totally different contents than I have yet to see. Can you please send me that whole file so that I can see what this $handler function is and update the definitions if it’s safe?
The file I have, Middleware.php, is from the guzzle source code and is included in both wpvivid-backup plugins as well as the popular wordpress-seo plugin and likely others as well. It is not a threat in its original state so I need to understand why it shows up as a threat on your site. My assumption is that it was infected on your site so I would like to see the code that is highlighted in Anti-Malware scan results and flagged as a known threat.
So I ask again: Have you clicked on this Middleware.php file when it came up in the scan results to see the contents of the file and highlight the potential threat in the code?
Can you please do this and then send me a screenshot and hover over the numbered link at the top of that window so that it shows the names of the potential threat found in that file?
You can also email this information directly to me if you don’t want to post it on this forum:
eli AT gotmls DOT net
I don’t think this is a false positive. The code that you posted a link to does in fact appear safe, but when I scanned that sample with my plugin it also was not detected as a known threat. This leads me to suspect that the Middleware.php file on your site is actually infected with some kind of malware injection.
Have you compared your file to the sample that you have supplied a link to here?
Have you clicked on this Middleware.php file when it came up in the scan results to see the contents of the file and highlight the potential threat in the code?
Please do this and let me know what you find. If there is a malicious code injection in that file my plugin can automatically remove it for you, thus restoring the file to its original state with only the intended code within it.
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] Registration issues
With only a general description of the problem I can only give you a general direction towards a solution. With that already done and leading nowhere I am going to need more information in order to help you. I have already provided my email address so that you can contact me directly with your account information so that I can verify that the key you are using is registered.
Please contact me directly for support relating to your personal registration details.
These two reports differ primarily because the SiteLock report is scanning URLs that are visible from the outside of the site and the Bluehost report is from files that were scanned on the server. These two reports might be referring to the same infection but the file scan is more helpful and useful if you want to fix the issue.
My plugin scans the contents of the file, much like the Bluehost scan but it also gives you the option to automatically fix those files that it finds to contain malicious code. In fixing these files my plugin will remove the malicious code while leaving the remaining code in the file to preserve the functionality of the site. If you were to delete some of those theme files then it would likely break your theme, so removing only the injected code is better.
It is possible (even likely) that there is a real infection here. It is also quite possible that the infection has been there for years and Bluehost only just discovered it when you asked them for support and the tech decided to run a scan. Have you tried my plugin yet? If you install and register my plugin and then run the complete scan I believe it should solve this issue for you.
Please let me know if you need any more help.
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] Registration issues
When this happens it is almost always to do with some kind of CSP or script blocking on the client side. Please check the Console tab in your browser’s Inspector to see if there are any errors there that might explain why the registration check is not working for you.
Please post your resolution here or write to me directly if you need more account specific help.
eli AT gotmls DOT net