Support » Fixing WordPress » How identify plugin which change my core files?

  • [ Moderator note: moved to Fixing WordPress. ]

    Hi, is there any way to identify a script that changes my core files?

    This is report from Wordfence which periodically happens on my website:

    File appears to be malicious: wp-includes/registration-functions.php
    Filename:                     wp-includes/registration-functions.php
    File type:                    Core
    Issue first detected:         1 min ago.
    Severity:                     Critical
    Status                        New
    This file appears to be installed by a hacker to perform 
    malicious activity. If you know about this file you can choose to ignore it 
    to exclude it from future scans. The text we found in this file 
    that matches a known malicious file is: "${"\x47\x4c\x4fB\x41\x4c\x53"}". 
    The infection type is: Backdoor:PHP/kidslug.

    I still restore it to original version but in few days/weeks it is back.
    My installed plugins:

    Easy FancyBox
    Footer Text
    Google Analytics Dashboard for WP
    Google Photos embed
    Idea Factory
    Postman SMTP
    PWA+PHP Picasa Web Albums for WordPress
    Responsive Image Maps
    Simple Custom CSS and JS
    SQL Executioner
    UpdraftPlus – Backup/Restore
    Wordfence Security
    WP Crontrol

    Thanks for advice

    • This topic was modified 2 years, 8 months ago by atiris.
    • This topic was modified 2 years, 8 months ago by Jan Dembowski.
Viewing 1 replies (of 1 total)
  • Moderator Steve Stern


    Support Team Volunteer

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri, SiteLock and Wordfence are a few.

Viewing 1 replies (of 1 total)
  • The topic ‘How identify plugin which change my core files?’ is closed to new replies.