What should I do if malware is detected in my UpdraftPlus files?

If your malware scanner or other security tool detects possible malware in your UpdraftPlus files, you should take the following steps:

1. Check for false positives

Some libraries used by UpdraftPlus use certain functions which can be flagged by malware scanners, especially on high-sensitivity scans. For example, phpseclib, the PHP Secure Communications Library, uses the eval() and unpack() functions safely and legitimately for cryptographic purposes. The same combination of functions has also been used by malware, in other contexts, to hide its code.

As such, the first step you should take is to check for a false positive. To do so we recommend comparing the contents of the flagged files with fresh copies from a new download of the plugin. This can be done using a file comparison tool, such as WinMerge or similar tools. If the contents of the files are exactly the same, then the alert was likely a false positive.

You can also use the MD5 or SHA-1 hash functions to create a hash value for each file and compare those. Files which match exactly will give the same hash output.
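One way to carry out the comparison in step 1 across a whole plugin directory rather than one file at a time is to hash every file in the installed copy and in the fresh download and list what differs. This is an added example, not code from UpdraftPlus or from this page; the directory layout and file contents it creates are constructed sample data standing in for a real plugin folder, and it defaults to SHA-256 (the MD5 or SHA-1 hashes mentioned above work the same way through the `algorithm` parameter).

```python
"""Compare an installed plugin directory against a fresh download by hashing
every file (added example illustrating step 1; not UpdraftPlus code)."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Return the hex digest of one file, read in chunks so large files are fine."""
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path, algorithm: str = "sha256") -> dict:
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            digests[full.relative_to(root).as_posix()] = hash_file(full, algorithm)
    return digests


def compare_trees(installed: Path, fresh: Path, algorithm: str = "sha256") -> dict:
    """Classify files as identical, modified, extra (only in the installed copy)
    or missing (only in the fresh copy). Extra and modified files are the ones
    a false-positive check cannot explain away."""
    a = hash_tree(installed, algorithm)
    b = hash_tree(fresh, algorithm)
    return {
        "identical": sorted(p for p in a if p in b and a[p] == b[p]),
        "modified": sorted(p for p in a if p in b and a[p] != b[p]),
        "extra": sorted(p for p in a if p not in b),
        "missing": sorted(p for p in b if p not in a),
    }


def build_sample() -> tuple:
    """Constructed sample data: an 'installed' copy with one altered file and one
    extra file, and a clean 'fresh' copy. File names and contents are invented
    placeholders, not real plugin contents."""
    base = Path(tempfile.mkdtemp())
    installed = base / "installed"
    fresh = base / "fresh"
    for root in (installed, fresh):
        (root / "includes").mkdir(parents=True)
        (root / "updraftplus.php").write_text("<?php // plugin bootstrap (constructed)\n")
        (root / "includes" / "Crypt.php").write_text(
            "<?php // legitimate use of eval()/unpack() (constructed)\n")
    # Simulate a tampered file and a file that a fresh download does not contain
    (installed / "includes" / "Crypt.php").write_text("<?php // altered contents (constructed)\n")
    (installed / "includes" / "x.php").write_text("<?php // not present in fresh copy (constructed)\n")
    return installed, fresh


if __name__ == "__main__":
    inst, fr = build_sample()
    for kind, files in compare_trees(inst, fr).items():
        print(f"{kind}: {files}")
```

In practice you would point `compare_trees` at the plugin folder on your site (for example the `updraftplus` directory under `wp-content/plugins`) and at the unzipped fresh download of the same version; the comparison is only meaningful when both copies are the same release. An empty `modified` and `extra` list means the flagged files are byte-for-byte identical to the clean download and the alert was a false positive, whereas anything in `modified` or `extra` is what step 2 and step 3 below are for.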

2. Reinstall UpdraftPlus

If it appears that an UpdraftPlus file is infected or otherwise compromised, you should then remove the infected version of the plugin and reinstall from a fresh download. A fresh version of UpdraftPlus Premium can be found in your My Account Licences page, while the free version can be found in the WordPress.org Plugin Directory.

3. Investigate further

Malware present in your site’s PHP files is a symptom of malicious action, rather than the cause. The location of the malicious code does not necessarily indicate how the attacker gained access to the site.

If malware or malicious code is found in your UpdraftPlus installation, you should then run a full check on your site, including further scans for malicious code, updating passwords and security keys, checking the database for any issues, etc. You may be able to ask your host or server admin to help you.

More information on how to investigate further and clean your site can be found in this guide from Sucuri: https://sucuri.net/guides/how-to-clean-hacked-wordpress/
