• Resolved applewatchbrowser

    (@applewatchbrowser)


    I swear I’m not trying to defame UpdraftPlus. Based on the great reviews, I feel what happened to me was a fluke.

    A couple months back, I installed UpdraftPlus (free version) on my WordPress.org site (I used https://wordpress.org/plugins/updraftplus/ to download). To my horror, immediately afterwards we started getting popup alerts that would redirect to spam sites when you clicked ‘Ok’.

    I uninstalled UpdraftPlus but the problem persisted. Google yielded a link to someone with a similar problem – a reply told me where to find any extra files which may have been leftover after the uninstall. Sure enough, in that location I found some UpdraftPlus German language files remaining. As soon as I deleted these, the popups disappeared.
    There is still one Updraft file remaining, but I didn’t have permission to delete it (I have to contact my host I believe).

    Now I’m in need of a WP backup, but I’m too scared to install another plugin. I’d really like to use UpdraftPlus because it’s highly reviewed (and free), but I don’t want to go through possible malware issues again and am scared to pull the trigger on a re-download.

    Has anyone ever encountered this? Any ideas as to what could have happened and what I can do in the future to stay safe? Our WordPress, as well as most of our plugins, need to be updated for security, performance, etc. But it’s best practice to have backups before you update, so I feel I’m in a catch 22.

Viewing 8 replies - 1 through 8 (of 8 total)
  • We’ve used UpdraftPlus free and pro for a couple of years, and never seen any issues like this. I doubt it’s UpdraftPlus itself, something else had to be involved in this.

    All WordPress.org plugins are reviewed, to make sure they comply with terms and are free of malware. Although it’s possible for a plugin to be infected on WordPress.org, it’s very unlikely. And you wouldn’t be the only one infected, everyone else would be having the same issue.

    You can browse the plugin’s code that WordPress.org stores right here:
    https://plugins.trac.wordpress.org/browser/updraftplus/trunk

    I would recommend seeing if any of those language files are there. That’s the code that you install and activate.

    In what directory did you find those language files? If you deleted UpdraftPlus directory, were those files somewhere else?

    Plugin Contributor DNutbourne

    (@dnutbourne)

    Hi,

    In addition to @supporthero’s comments, I would recommend scanning the rest of your hosting account for malware (Ask your hosts on the best method). Often, malware will act as a backdoor for further malware, and install files in well-known directories.

    Plugin Author David Anderson / Team Updraft

    (@davidanderson)

    To echo DNutbourne: Where the bad guys *store* their stuff doesn’t indicate *how it got in*. It’s common for them to look for popular plugins’ directories to put their things in, because they’re more likely to exist on your system. But, it doesn’t tell you anything about how the break-in occurred in the first place. You might find the burglar doing stuff in your bathroom, but he climbed in through the kitchen window.

    Thread Starter applewatchbrowser

    (@applewatchbrowser)

    Thanks for all three of your replies.

    @dnutbourne @davidanderson, do you guys have any good recommendations for scanning my site for malware? I’ll google it, but I’m curious as to your personal preferences. May involve another plugin, and we’re already running too many (21 active plugins), but perhaps that’s the best way.

    @supporthero: The language files were either in /wp-content/languages, or in /wp-content/plugins/updraftplus/languages. I can’t be sure. I know that I uninstalled Updraft via the plugin’s dashboard, but when I dug further, those were still there. The filenames had Updraft in them and denoted that they were German Language files.

    I still have leftover Updraft files in wp-content/updraft (index.html and web.config) – I’m unable to delete these via SFTP. It says ‘Permission Denied. Please contact your web hosting service provider for assistance’. Is this normal? Perhaps this is one of our backup files that Updraft made.

    Plugin Contributor DNutbourne

    (@dnutbourne)

    Hi,

    Your hosts should be able to recommend the best method to scan for malware.

    What are the names of the files that you are not able to delete from wp-content/updraft?

    Thread Starter applewatchbrowser

    (@applewatchbrowser)

    @dnutbourne index.html and web.config

    Plugin Contributor DNutbourne

    (@dnutbourne)

    Hi,

    While UpdraftPlus does include an index.html file, it should not contain a web.config file. I would recommend asking your hosts to remove both files.

    Thread Starter applewatchbrowser

    (@applewatchbrowser)

    @dnutbourne I’ve now deleted these files, scanned my site for malware using WordFence with no malware results coming back (our hosting environment is a Linux box so not much in the way of virus scanning – we’re actually the host and our ‘host’ just owns the hardware).

    I’ve re-installed updraftplus, activated it and backed up my site. No popup issues yet (last time it was immediate), but in my wp-content there is again an updraft folder which contains index.html and web.config.

    Are you certain that web.config shouldn’t be here?

    Also, I’m looking in my FTP and see that in the wp-content/plugins folder, I now have an updraftplus folder. But outside of this folder, I have several language files which look familiar to those that were causing the malware issue last time. Should these be here?

    The files (in wp-content/plugins) are:
    updraftplus-de_DE.mo
    updraftplus-de_DE.po
    updraftplus-es_ES.mo
    updraftplus-es_ES.po
    updraftplus-ro_RO.mo
    updraftplus-ro_RO.po

    Thanks so much for your help.
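
One way to triage loose files like those listed in the last post, as an added example that is not part of the thread and not UpdraftPlus code: it lists every file sitting directly in wp-content/plugins and checks whether each `.mo`/`.po` file really looks like a gettext translation. The function names, the marker list and the sample tree are assumptions constructed for illustration; the marker scan is a heuristic, not a malware verdict.

```python
import os
import tempfile

# gettext .mo files begin with magic 0x950412de, stored in either byte order.
MO_MAGICS = (b"\xde\x12\x04\x95", b"\x95\x04\x12\xde")
# Heuristic markers that have no business inside a translation file.
SCRIPT_MARKERS = (b"<?php", b"<script")

def inspect_translation(path):
    """Return a list of findings for one .mo/.po file (empty list = nothing odd)."""
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # first 1 MiB covers the header and a marker scan
    findings = []
    if path.lower().endswith(".mo") and data[:4] not in MO_MAGICS:
        findings.append("bad .mo magic")
    lowered = data.lower()
    findings += ["contains " + m.decode() for m in SCRIPT_MARKERS if m in lowered]
    return findings

def audit_plugins_root(plugins_dir):
    """Map each file sitting directly in plugins_dir to its findings."""
    report = {}
    for entry in sorted(os.scandir(plugins_dir), key=lambda e: e.name):
        if entry.is_dir() or entry.name == "index.php":
            continue  # plugin folders and the stock index.php are expected here
        if entry.name.lower().endswith((".mo", ".po")):
            report[entry.name] = inspect_translation(entry.path)
        else:
            report[entry.name] = ["loose non-translation file, review by hand"]
    return report

def build_sample(root):
    """Constructed sample tree (not the poster's files)."""
    plugins = os.path.join(root, "wp-content", "plugins")
    os.makedirs(os.path.join(plugins, "updraftplus"))
    samples = {
        "index.php": b"<?php // Silence is golden.",
        "updraftplus-de_DE.mo": b"\xde\x12\x04\x95" + b"\x00" * 24,
        "updraftplus-de_DE.po": b'msgid "Backup"\nmsgstr "Sicherung"\n',
        "updraftplus-es_ES.mo": b"<?php /* constructed: code behind a .mo name */",
    }
    for name, body in samples.items():
        with open(os.path.join(plugins, name), "wb") as fh:
            fh.write(body)
    return plugins

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_plugins_root(build_sample(tmp)))
```

Where WP-CLI is available, `wp plugin verify-checksums updraftplus` compares the installed plugin files with the checksums published by WordPress.org, which complements this check for files inside the plugin folder.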


The topic ‘UpdraftPlus installed Malware on my site!’ is closed to new replies.