Title: Attempted Malware Insertion via POST
Last modified: July 2, 2026

---

# Attempted Malware Insertion via POST

 *  [sfrangos](https://wordpress.org/support/users/sfrangos/)
 * (@sfrangos)
 * [3 days ago](https://wordpress.org/support/topic/attempted-malware-insertion-via-post/)
 * Hi – Our client’s server-level firewall protection was triggered by a malicious
   attempted PHP malware injection. While this was caught by server software, my
   question is why did Wordfence not detect it at the WordPress level? No alerts
   were sent or showing on the dashboard.
   Question: We have the free version of Wordfence installed, so what settings
   would you recommend to combat this (see details below), and if you recommend
   a paid plan… what level?
   DETAILS
    - At **2026-06-24 06:26:18 UTC**, the server received an external **POST** request
      to:
       * POST /wp-admin/admin-ajax.php HTTP/1.1
       * source IP: **124.164.186.54**
       * host/vhost: **[ Link moved to link field where it belongs ]**
       * HTTP response: **403** (request rejected)
    - During processing of that request, PHP temporarily wrote the uploaded content
      to:
       * /tmp/php9QQNai
       * Microsoft Defender for Endpoint detected the file as **Backdoor:PHP/ReplmentStrshl.A!dha**
         at write time.
    - Defender telemetry indicates the file was **not executing** when detected,
      and the file was removed immediately afterward.
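A triage step for the incident described in the post above, added here as an example (it was not posted by either participant and is not Wordfence code): it pulls every POST to `/wp-admin/admin-ajax.php` that falls within a window around the endpoint alert, normalising log timestamps to UTC so they line up with the alert time. The log lines are constructed, the combined log format is an assumption about the server, and the request time from the post stands in for the Defender alert time.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in Apache/nginx "combined" format (not the site's real log).
SAMPLE_LOG = """\
198.51.100.7 - - [24/Jun/2026:06:25:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4312 "-" "-"
124.164.186.54 - - [24/Jun/2026:06:26:18 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 199 "-" "-"
203.0.113.9 - - [24/Jun/2026:08:26:30 +0200] "POST /wp-admin/admin-ajax.php?x=1 HTTP/1.1" 200 58 "-" "-"
203.0.113.9 - - [24/Jun/2026:09:10:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 61 "-" "-"
truncated or malformed line
"""

# Assumption: the alert time equals the request time quoted in the post.
DETECTED_AT = datetime(2026, 6, 24, 6, 26, 18, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def posts_near_detection(log_text, detected_at,
                         path="/wp-admin/admin-ajax.php", window_seconds=60):
    """Return POSTs to `path` logged within +/- window_seconds of the alert."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip unparseable lines and non-POST requests
        if m["path"].split("?", 1)[0] != path:
            continue  # compare the path without its query string
        # %z keeps the logged offset; convert to UTC before comparing.
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        when = when.astimezone(timezone.utc)
        if abs(when - detected_at) <= window:
            hits.append({"ip": m["ip"], "utc": when.isoformat(),
                         "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in posts_near_detection(SAMPLE_LOG, DETECTED_AT):
        print(hit)
```

A request in the window that returned 200 rather than 403 was not rejected and is the one to examine first.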

Viewing 1 replies (of 1 total)

 *  [grandmabear](https://wordpress.org/support/users/grandmabear/)
 * (@grandmabear)
 * [2 days ago](https://wordpress.org/support/topic/attempted-malware-insertion-via-post/#post-18955449)
 *  I had a similar issue where a new post was inserted within the post section
   of my website, stating variations of the message “open channels”, “backtalk on
   Support”, “bridging, education, and industry in WordPress ecosystem”,
   “decision-making, reputation and risk”, “can’t depend on charity”. There were
   no Wordfence notifications, and I did run another scan, but nothing showed up.
   There were no other new users.

 * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/)

## Tags

 * [hacked website](https://wordpress.org/support/topic-tag/hacked-website/)

 * 1 reply
 * 2 participants
 * Last reply from: [grandmabear](https://wordpress.org/support/users/grandmabear/)
 * Last activity: [2 days ago](https://wordpress.org/support/topic/attempted-malware-insertion-via-post/#post-18955449)
 * Status: not resolved