If possible, could you please send me a copy of that report? If my plugin is insecure, I’d definitely like to get that resolved.
2 days ago, the server where I have my website (www.ionos.es) sent me several emails informing me that its system had detected malicious code and they referred me to a .log file so that I could delete or clean those files.
That same day I decide to delete all the content and reinstall a backup with wp 5.7.1 and all the updated plugins.
I call the server in case they can check the web and they tell me that the system does it automatically every x time and that if it is clean I will not receive any more reports.
After a day another notice comes to me and looking at the .log I suspect that the problem comes from the nav-menu-collapse plugin. I don’t think the .log will help you much to solve the problem, I have removed the plugin and for the moment everything is fine.
I hope you find a solution.
This is not a review; I’m moving to to this plugin’s support area.
Thank you, @sterndata!
Looking at the log, none of the files in question are included with the plugin. Luckily for me, it doesn’t look like my plugin is the issue. I’m not a security expert, but I believe you should change all of your passwords (hosting, WP, etc.) and remove all infected files from the server. You may also want to install Wordfence and run a scan to find any other possible infections.
I know that the malicious .log files are not from your plugin, they are infected, but I believe that somehow the malware has used the plugin as a gateway. I have already commented that I have deleted all the content of the web (everything, including the database) and I have installed a backup copy from scratch eliminating its plugin and my website is clean of problems.
I cannot 100% say that the problem is your plugin because I am not a specialist but in the .log file your plugin only appears as infected by one of those malicious files.
If you are sure that your plugin is 100% safe without the need to install Wordfence, I am sorry I made the comment, I thought it was helping.
I follow WordPress security guidelines as closely as possible during development, but I’m not a security specialist either. 🙂 I would still recommend a Wordfence scan to see if there are any other malicious files hiding in the site.