If you are using Wordfence’s security scanner, and having it tell you that you have a virus “Backdoor:PHP/SEemf0Ji” in the file phpseclib/tests/Unit/Crypt/RSA/LoadKeyTest.php inside UpdraftPlus, then this is a false positive (*). You can compare your file with the original file from the phpseclib project here – https://github.com/phpseclib/phpseclib/blob/master/tests/Unit/Crypt/RSA/LoadKeyTest.php – containing the same string which Wordfence wrongly identifies as a virus as a test RSA key in a harmless context.

If you get this report, then please do report this to Wordfence if you can. The number of times their plugin flags false positives in different places is a non-trivial support burden. We wish they would implement some technology to remove the easy-to-discover false positives like this one, especially in a top-20-most-installed plugin like UpdraftPlus. Presumably Wordfence users would also prefer to do real work rather than have lots of them all reading and investigating the same incorrect reports.

(*) Of course, at this point, now that this is known to be a widespread false positive, injecting that virus in that file would be a smart move for any hackers. This is another reason why false positives are bad news. So, to be entirely sure you’re safe and err on the side of being over-cautious rather than otherwise, you will want to test that the file is identical to the pristine version linked above.

David Anderson (lead developer)

twitterlinkedinFacebook