Reed posted an update
WordPress Theme Malicious Code Injection after Core Update
Did anyone else notice malware being injected into your plugins folder after the most recent WP core update? The folder structure is [wp theme name]-wp-plugin/[wp theme name]-wp-plugin.php. This affected 2 of my sites and I’m trying to find the correlation between the sites that were infected. These two sites didn’t have Hide My WP installed, but all my sites have Wordfence and it did not pick up the injection.
Anyway, to remove the malware, you have to delete the injections in 3 locations:
1. theme/functions.php – at the end of the file below where it says “do not add custom code here”
2. theme/[themename].theme – delete this file
3. plugin/[wp theme name]-wp-plugin – delete the entire folder.
I’ve seen a similar injection before, and if it’s the same, the malicious code uploads a very realistic fake Chrome browser update screen over your homepage screen, and when users click on the update button it downloads a file called update.js which injects a bunch of malware onto Windows computers. I’m by no means a pro at this, but I’ve lost sleep trying to fix this in the past, so I’m just passing on my knowledge. My sites are hosted by SiteGround, and a majority of my sites are not affected – just these two, so my theory is that it’s through a plugin update and not a hosting issue. It was actually SiteGround that picked up on the malicious code.
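A read-only check for the three locations listed in the post, as an added example that is not part of the original post. It assumes the standard wp-content/themes and wp-content/plugins layout, that [wp theme name] is the theme's folder name, and that the marker comment matches the quoted wording case-insensitively; the function names and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

MARKER = "do not add custom code here"  # wording quoted in the post
IGNORABLE = {"", "*/", "?>"}            # assumption: harmless trailers after the marker


def scan_wp_content(wp_content):
    """Return (indicator, path) tuples for the three locations named in the post."""
    root = Path(wp_content)
    findings = []
    themes_dir = root / "themes"
    if not themes_dir.is_dir():
        return findings
    for theme in sorted(p for p in themes_dir.iterdir() if p.is_dir()):
        slug = theme.name
        # 1. Anything other than blank/closing lines below the marker in functions.php
        functions = theme / "functions.php"
        if functions.is_file():
            lines = functions.read_text(errors="replace").splitlines()
            hits = [i for i, line in enumerate(lines) if MARKER in line.lower()]
            if hits and any(l.strip() not in IGNORABLE for l in lines[hits[-1] + 1:]):
                findings.append(("code-after-marker", functions))
        # 2. A <theme>.theme file inside the theme folder
        if (theme / f"{slug}.theme").is_file():
            findings.append(("theme-file", theme / f"{slug}.theme"))
        # 3. A plugins/<theme>-wp-plugin folder
        plugin = root / "plugins" / f"{slug}-wp-plugin"
        if plugin.is_dir():
            findings.append(("plugin-folder", plugin))
    return findings


def build_sample(root):
    """Constructed sample tree: one clean theme, one showing all three indicators."""
    root = Path(root)
    base = "<?php\n// do not add custom code here\n"
    for slug, extra in (("cleantheme", ""), ("badtheme", "echo 'constructed placeholder';\n")):
        (root / "themes" / slug).mkdir(parents=True)
        (root / "themes" / slug / "functions.php").write_text(base + extra)
    (root / "themes" / "badtheme" / "badtheme.theme").write_text("placeholder")
    (root / "plugins" / "badtheme-wp-plugin").mkdir(parents=True)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, path in scan_wp_content(build_sample(tmp)):
            print(kind, path)
```

A hit on `code-after-marker` only means something follows the marker line; review the tail of the file by hand before deleting anything, since a theme may legitimately place code there.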