Support » Plugin: Wordfence Security - Firewall & Malware Scan » Malware Injected via Wordfence Plugin -Broke my websites

  • amazinggracepublishing

    (@amazinggracepublishing)


    Hi Wordfence,

    My developer finished uploading my new website to my cloud server last Thursday, November 1, he then installed Wordfence plugin. All was well when I last checked on Friday, November 2. On Monday, November 5, he contacted me and asked if I had made any changes to the website. I had never touched the admin of the website.

    I immediately checked the website and there was the same error on the new website and ALL the other websites on the server: Parse error: syntax error, unexpected ‘text’ (T_STRING), expecting ‘,’ or ‘) /srv/users/serverpilot/apps/WEBSITENAME(APP)NAMEGOESHERE/public/wp-includes/class-oembed.php on line 461.

    I hired a specialist developer in cloud servers and he responded:

    “Mam, this issue was not caused by Woocommerce or your theme compatibility. I can see your developer installed a security plugins wordfence which injected a site malware and infected all your websites. The hacker added some custom code very badly and not possible to restore the original code without backup. https://newwebsiteurlgoeshere.com/wp-admin/admin.php?page=WordfenceScan”.

    He sent me a log of all three of my website that displays extensive malware in every code and every plugin for the websites. He was able to restore the wp-admin access to the sites and get the website to load, but they load severely slow and show damages in the design and images. The malware is still present because he tried removing it from one website and distorted it, so I stopped him from removed the malware from any other website.

    Please assist me, I will privately email you my urls and server information is you need this.

    Thanks.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi @amazinggracepublishing,

    The actual Wordfence plugin is hosted here, on WordPress.org. Anyone can go and look at our source code to verify what it contains and the Wordfence plugin is installed on more than 1 million sites.

    If the Wordfence version you installed caused an infection, that must have been a copy that you had downloaded from somewhere else on the internet. A copy not distributed by us. I would recommend that you first check with your developer to make sure that’s not what happened.

    If you want us to have a look at the malware, zip it up and email to samples@wordfence.com. Include a link tho this forum post for reference.

    Thanks!

    Thread Starter amazinggracepublishing

    (@amazinggracepublishing)

    Hello again Wordfence,

    On my investigation, I discovered that the Wordfence plugin was hacked unto (into) my server. The Wordfence plugin injected viruses unto all my website via my server and changed my core WordPress files and plugins.

    I sent Wordfence several emails with log files and other information regarding this plugin hack onto my server and website, can you please review and respond with exactly where you are in the process of reviewing my emails. I never heard of Wordfence before the plugin “appeared” on my website and infected it.

    Hi again @amazinggracepublishing,
    It sounds like someone may have NAMED their malware after Wordfence? As I said before the Wordfence plugin itself is hosted here on WordPress.org and does not contain viruses (as anyone would be able to check for themselves, since the code is openly available).

    I am not aware of any emails we’ve received from you. To which email address did you send them?

    Thread Starter amazinggracepublishing

    (@amazinggracepublishing)

    Hi Peter,

    Thank you for your response,

    “Change your passwords and admin names, check the logs, compare with the backups when the changes did happen.”

    I did change the logins for all our websites, in addition to the server dashboard login and the server root login. I hired a developer to clean up the virus and remove the plugin, however, it appeared again on one website.

    I am not sure how this is happening and where is the breach, but I have sent Wordfence sufficient information for them to investigate. I never heard of Wordfence before this, and I do not know what the original plugin design or dashboard should look like to do a comparison. I will reach out again to my cloud server because they are also oblivious as to what is going on.

    Wordfence however, should investigate and answer me responsibly.

    Regards,
    Amazing Grace Publishing

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Malware Injected via Wordfence Plugin -Broke my websites’ is closed to new replies.