9 Nov 2022

Avoid Confusing the Cause and Effect of a Hacked WordPress Website by Having It Properly Cleaned

A recent review for the WordPress plugin Protect uploads claimed the plugin was a virus and recently had malicious code added to it:

Do not download. The plugin has been changed not too long ago and it now infects your WordPress installation, and possibly spreads itself to other sites if you are on shared hosting.

There have been several recent updates to the plugin, so at least that part of the claim is true. The oldest of those was on August 13 and before that the plugin was last updated in May 2020, and yet a review on August 10 claimed “this plugin is malware”.

In between those reviews, on August 22 someone made specific claims as to what the maliciousness of the plugin was supposed to be doing:

This extension is used to hack WordPress and change .htaccess, plugin.php, upload files and delete files and extension. This extension creates an admin on your WordPress

There are two more reviews with similar claims. There is also a support forum topic from September 2020 claiming the plugin was flagged as malware.

Despite those claims, the plugin remains available in WordPress’ plugin directory. So what is going on?

In reviewing the plugin's current code, as well as the changes made in recent months, we couldn't find anything that matches up with the claims being made.

What appears to be going on is that the people claiming the plugin contains malware are confusing this plugin with a malicious plugin with the same name being added to websites after they have been hacked.

That is a problem for others, as it is leading to what appear to be false claims made about the security of this plugin. It is a bigger problem for those folks, as it would appear they are confusing an effect of a hack, the addition of the malicious plugin, with the cause of it. Unless the cause of the hack was indirectly addressed, the websites are likely open to being hacked again.

That is something that should have been caught if a proper hack cleanup was done, as comparing installed plugin files to a clean copy of them is important to make sure that any malicious code on the website has been identified. That information can then be used to check custom files to make sure they don't contain it.
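A minimal sketch of the comparison described above, added here as an example and not code from the original post: it hashes every file in an installed plugin directory and in a clean copy of the same version, then reports files that were modified, added, or missing. The function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_plugin(installed_dir, clean_dir):
    """Compare an installed plugin directory against a clean copy of the same version."""
    installed = hash_tree(installed_dir)
    clean = hash_tree(clean_dir)
    return {
        # Present in both but content differs: inspect for injected code.
        "modified": sorted(f for f in installed if f in clean and installed[f] != clean[f]),
        # Only on the website: not part of the real plugin at all.
        "added": sorted(f for f in installed if f not in clean),
        # Only in the clean copy: removed or replaced on the website.
        "missing": sorted(f for f in clean if f not in installed),
    }


def demo():
    """Constructed sample: two tiny directory trees, not files from the real plugin."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp, "clean")
        installed = Path(tmp, "installed")
        for d in (clean, installed):
            (d / "lib").mkdir(parents=True)
            (d / "readme.txt").write_text("readme\n")
        (clean / "plugin-main.php").write_text("<?php // original\n")
        (clean / "lib" / "helper.php").write_text("<?php // helper\n")
        (installed / "plugin-main.php").write_text("<?php // altered\n")
        (installed / "lib" / "extra.php").write_text("<?php // unexpected\n")
        return compare_plugin(installed, clean)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

When nearly every file in a plugin's directory shows up as added or missing, the directory likely holds a different plugin using the same name rather than a modified copy of the real one.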

Trying to figure out how the website has been hacked is also an important part of the cleanup, not only to try to address the cause, but also because doing so often helps to make sure all of the malicious code has been caught.

Obviously not everyone can afford to do that, but even those that can appear to not be having that done, with sometimes serious consequences. You do want to shop around, as some well-known providers are charging quite a bit and not delivering.


Plugin Security Scorecard Grade for Protect uploads

Checked on August 12, 2024
B
