Tons of WP websites being infected

  • Unknown's avatar

    I’ve removed this fake plugin called:

      /*
      Plugin Name: Cache Performance Helper
      Description: Improves cache performance and optimization
      Version: 2.4.1
      Author: Developer
      License: GPL-2.0+
      */

    from many WP websites. I can’t figure out what plugin could be causing it; the theme is the same (Avada), which I think is fine, but there’s something else leaving the back door open. Anyone else having the same issue?

  • Unknown's avatar

    We can’t help with third party plugins and themes. You must contact support of that plugin or your hosting.

  • Unknown's avatar

    I’ve just found it on one of my wordpress.org sites. There was also a suspicious login this morning from an account belonging to the marketing agency:

    A user with username “ashlesha” who has administrator access signed in to your WordPress site.
    User IP: 91.121.235.122
    User hostname: e1.scientific-confcongress.biz
    User location: France

    The site does not use Avada. It did have the OneLogin SAML SSO plugin though which is the only other thing that I don’t use on other sites.

  • Unknown's avatar

    @alicemaywebdesign the site you mention doesn’t exist. Nevertheless, we can’t help with self-hosted sites; it’s up to you to find a solution. You’ll find a lot of information at https://wordpress.org/documentation/

  • Unknown's avatar

    Good to know you didn’t use Avada, do you know if you had this plugin called “Redirection https://wordpress.org/plugins/redirection/” ?

    I tried to compare all of the websites that got infected, and they all had these plugins: Gravity Forms, Redirection and Yoast. I am thinking that Redirection has the breach.

  • Unknown's avatar

    @staartmees can you please stop commenting on this topic? You’re not being helpful, and you’re posting without fully reading. This is an important subject, and your comments are just making it longer without adding value.

  • Unknown's avatar

    Hello Cezar and Alice,

    Two of our sites were recently infected with this fake plugin. Although our websites do not use the Avada theme, we discovered incorrect file permissions (set to 777).

    I am still investigating the incident, but I have included the logs below showing the suspicious login and plugin installation:

    {"scheme": "https","server_port": "443","server_protocol": "HTTP/1.1","ssl_protocol": "TLSv1.3","request_method": "GET","http_host": "xxxxxxx.com.br","request_uri": "/wp-login.php","query_string": "","body_bytes_sent": "10350","bytes_sent": "11120","request_length": "291","upstream_response_time": "0.067","upstream_connect_time": "0.000","upstream_addr": "172.16.11.104:8090","remote_user": "","remote_addr": "91.121.235.122","http_referer": "","http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36","request_id": "bafd07a27df095cb4e7c3d54a64bffa2","msec": "1769975073.211","time_local": "01/Feb/2026:19:44:33 +0000","status": "200","country_code": "FR","country_name": "France","city_name": "Nanterre"}

    {"scheme": "https","server_port": "443","server_protocol": "HTTP/1.1","ssl_protocol": "TLSv1.3","request_method": "POST","http_host": "xxxxxxx.com.br","request_uri": "/wp-login.php","query_string": "","body_bytes_sent": "0","bytes_sent": "1480","request_length": "581","upstream_response_time": "0.123","upstream_connect_time": "0.000","upstream_addr": "172.16.11.104:8090","remote_user": "","remote_addr": "91.121.235.122","http_referer": "https://xxxxxxx.com.br/wp-login.php","http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36","request_id": "5a13f9aaf6a6eb441de8ca8bc8fce718","msec": "1769975073.684","time_local": "01/Feb/2026:19:44:33 +0000","status": "302","country_code": "FR","country_name": "France","city_name": "Nanterre"}

    {"scheme": "https","server_port": "443","server_protocol": "HTTP/1.1","ssl_protocol": "TLSv1.3","request_method": "GET","http_host": "xxxxxxx.com.br","request_uri": "/wp-admin/","query_string": "","body_bytes_sent": "326801","bytes_sent": "327707","request_length": "756","upstream_response_time": "1.018","upstream_connect_time": "0.000","upstream_addr": "172.16.11.104:8090","remote_user": "","remote_addr": "91.121.235.122","http_referer": "https://xxxxxxx.com.br/wp-login.php","http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36","request_id": "fe9aa63449019d73d66db19bf859a49e","msec": "1769975074.911","time_local": "01/Feb/2026:19:44:34 +0000","status": "200","country_code": "FR","country_name": "France","city_name": "Nanterre"}

    {"scheme": "https","server_port": "443","server_protocol": "HTTP/1.1","ssl_protocol": "TLSv1.3","request_method": "GET","http_host": "xxxxxxx.com.br","request_uri": "/wp-admin/","query_string": "","body_bytes_sent": "326783","bytes_sent": "327689","request_length": "738","upstream_response_time": "0.310","upstream_connect_time": "0.000","upstream_addr": "172.16.11.104:8090","remote_user": "","remote_addr": "91.121.235.122","http_referer": "","http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36","request_id": "eb425d0958a2ccacafb994e70e56d3ec","msec": "1769975075.844","time_local": "01/Feb/2026:19:44:35 +0000","status": "200","country_code": "FR","country_name": "France","city_name": "Nanterre"}

    {"scheme": "https","server_port": "443","server_protocol": "HTTP/1.1","ssl_protocol": "TLSv1.3","request_method": "GET","http_host": "xxxxxxx.com.br","request_uri": "/wp-admin/plugin-install.php?tab=upload","query_string": "tab=upload","body_bytes_sent": "291956","bytes_sent": "292862","request_length": "767","upstream_response_time": "0.101","upstream_connect_time": "0.000","upstream_addr": "172.16.11.104:8090","remote_user": "","remote_addr": "91.121.235.122","http_referer": "","http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36","request_id": "52ebcccfa8ab47dad4a1a53b18c788ea","msec": "1769975076.160","time_local": "01/Feb/2026:19:44:36 +0000","status": "200","country_code": "FR","country_name": "France","city_name": "Nanterre"}

    {"scheme": "https","server_port": "443","server_protocol": "HTTP/1.1","ssl_protocol": "TLSv1.3","request_method": "POST","http_host": "xxxxxxx.com.br","request_uri": "/wp-admin/update.php?action=upload-plugin","query_string": "action=upload-plugin","body_bytes_sent": "264313","bytes_sent": "265219","request_length": "3635","upstream_response_time": "2.532","upstream_connect_time": "0.000","upstream_addr": "172.16.11.104:8090","remote_user": "","remote_addr": "91.121.235.122","http_referer": "https://xxxxxxx.com.br/wp-admin/plugin-install.php?tab=upload","http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36","request_id": "6abfa3ced2298c68449b01a5e910ba76","msec": "1769975079.161","time_local": "01/Feb/2026:19:44:39 +0000","status": "200","country_code": "FR","country_name": "France","city_name": "Nanterre"}

    {"scheme": "https","server_port": "443","server_protocol": "HTTP/1.1","ssl_protocol": "TLSv1.3","request_method": "GET","http_host": "xxxxxxx.com.br","request_uri": "/wp-admin/plugins.php?action=activate&plugin=cache-performance-helper/cache-performance-helper.php&_wpnonce=fa1f4eed98","query_string": "action=activate&plugin=cache-performance-helper/cache-performance-helper.php&_wpnonce=fa1f4eed98","body_bytes_sent": "0","bytes_sent": "764","request_length": "923","upstream_response_time": "0.513","upstream_connect_time": "0.000","upstream_addr": "172.16.11.104:8090","remote_user": "","remote_addr": "91.121.235.122","http_referer": "https://xxxxxxx.com.br/wp-admin/update.php?action=upload-plugin","http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36","request_id": "0c11a8bd8a5ed12183795872ad717627","msec": "1769975080.377","time_local": "01/Feb/2026:19:44:40 +0000","status": "302","country_code": "FR","country_name": "France","city_name": "Nanterre"}

    {"scheme": "https","server_port": "443","server_protocol": "HTTP/1.1","ssl_protocol": "TLSv1.3","request_method": "GET","http_host": "xxxxxxx.com.br","request_uri": "/wp-admin/plugins.php?activate=true&plugin_status=all&paged=1&s=","query_string": "activate=true&plugin_status=all&paged=1&s=","body_bytes_sent": "327505","bytes_sent": "328509","request_length": "869","upstream_response_time": "0.111","upstream_connect_time": "0.001","upstream_addr": "172.16.11.104:8090","remote_user": "","remote_addr": "91.121.235.122","http_referer": "https://xxxxxxx.com.br/wp-admin/update.php?action=upload-plugin","http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36","request_id": "7f0d2d32f07fe03ae74c8f4a0cff2fad","msec": "1769975080.696","time_local": "01/Feb/2026:19:44:40 +0000","status": "200","country_code": "FR","country_name": "France","city_name": "Nanterre"}

    It appears the login originated from France. The access was gained through a standard login method, which was then used to install the fake plugin.

    Could you please share your own plugin list for comparison? Below is the list of plugins currently installed on our system:

    Advanced Custom Fields
    Akismet Anti-spam: Spam Protection
    Contact Form 7
    Copy & Delete Posts
    Gutenberg
    Location Weather
    Smart Slider 3
    WP Mail SMTP

    Are the file permissions on your websites correct?
    folders: 755
    files: 644
    wp-config.php: 600 or 640

    Thank you
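The access log above shows the whole chain in a few seconds from one IP: a successful POST to wp-login.php (302 redirect), a plugin ZIP upload via update.php?action=upload-plugin, and activation of cache-performance-helper via plugins.php?action=activate. The script below is an added example (not code from anyone in this thread) that reads JSON access-log lines in the format posted and reports every IP that performs that login → upload → activate sequence within a time window. The sample log is constructed: the first six lines reproduce the posted sequence trimmed to the fields the script needs, the remaining lines (addresses 203.0.113.5 and 198.51.100.7) are made up to cover a normal admin login and a failed login.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample. Lines 1-6 mirror the sequence shown in the thread (other
# fields dropped); lines 7-9 are invented negative cases: a normal admin login
# that only opens the dashboard, and a failed login (form re-rendered with 200).
SAMPLE_LOG = """
{"remote_addr": "91.121.235.122", "msec": "1769975073.211", "request_method": "GET", "request_uri": "/wp-login.php", "status": "200"}
{"remote_addr": "91.121.235.122", "msec": "1769975073.684", "request_method": "POST", "request_uri": "/wp-login.php", "status": "302"}
{"remote_addr": "91.121.235.122", "msec": "1769975074.911", "request_method": "GET", "request_uri": "/wp-admin/", "status": "200"}
{"remote_addr": "91.121.235.122", "msec": "1769975076.160", "request_method": "GET", "request_uri": "/wp-admin/plugin-install.php?tab=upload", "status": "200"}
{"remote_addr": "91.121.235.122", "msec": "1769975079.161", "request_method": "POST", "request_uri": "/wp-admin/update.php?action=upload-plugin", "status": "200"}
{"remote_addr": "91.121.235.122", "msec": "1769975080.377", "request_method": "GET", "request_uri": "/wp-admin/plugins.php?action=activate&plugin=cache-performance-helper/cache-performance-helper.php&_wpnonce=fa1f4eed98", "status": "302"}
{"remote_addr": "203.0.113.5", "msec": "1769975400.000", "request_method": "POST", "request_uri": "/wp-login.php", "status": "302"}
{"remote_addr": "203.0.113.5", "msec": "1769975401.500", "request_method": "GET", "request_uri": "/wp-admin/", "status": "200"}
{"remote_addr": "198.51.100.7", "msec": "1769975500.000", "request_method": "POST", "request_uri": "/wp-login.php", "status": "200"}
"""


def classify(ev):
    """Map one request record to a step of the install chain, or None."""
    parts = urlsplit(ev["request_uri"])
    qs = parse_qs(parts.query)
    action = qs.get("action", [""])[0]
    if parts.path == "/wp-login.php" and ev["request_method"] == "POST":
        # WordPress answers a successful login with a 302 to wp-admin; a failed
        # attempt re-renders the login form with a 200.
        return ("login_ok", "") if ev["status"] == "302" else ("login_failed", "")
    if parts.path == "/wp-admin/update.php" and action == "upload-plugin" \
            and ev["request_method"] == "POST":
        return ("plugin_upload", "")
    if parts.path == "/wp-admin/plugins.php" and action == "activate":
        return ("plugin_activate", qs.get("plugin", [""])[0])
    return None


def find_plugin_install_chains(lines, window_seconds=300):
    """Return one record per IP that logs in, uploads and activates a plugin
    within window_seconds of the login. Events are grouped per source IP and
    replayed in time order, so out-of-order log lines are handled."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            ev["t"] = float(ev["msec"])          # epoch seconds, as in the log
            by_ip[ev["remote_addr"]].append(ev)

    chains = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["t"])
        login_t = upload_t = None
        for ev in events:
            step = classify(ev)
            if step is None:
                continue
            kind, detail = step
            if kind == "login_ok":
                login_t, upload_t = ev["t"], None   # a new session starts the state machine over
            elif login_t is None or ev["t"] - login_t > window_seconds:
                continue                             # not inside a recent session
            elif kind == "plugin_upload":
                upload_t = ev["t"]
            elif kind == "plugin_activate" and upload_t is not None:
                chains.append({"ip": ip, "login_at": login_t, "upload_at": upload_t,
                               "activate_at": ev["t"], "plugin": detail})
                upload_t = None
    return chains


def describe(chain):
    """One-line human summary with UTC timestamps."""
    def ts(t):
        return datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"{ts(chain['login_at'])} {chain['ip']} logged in, uploaded a plugin at "
            f"{ts(chain['upload_at'])} and activated {chain['plugin']} at {ts(chain['activate_at'])}")


if __name__ == "__main__":
    for chain in find_plugin_install_chains(SAMPLE_LOG.splitlines()):
        print(describe(chain))
```

Run against a real log (one JSON object per line) the script prints one line per suspicious session; the normal login from 203.0.113.5 and the failed login from 198.51.100.7 produce nothing. The check only says that a valid credential was used to install a plugin, which matches the thread's observation that access was gained through the standard login, so the next step is to confirm whether that account and source IP were expected.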

  • Unknown's avatar

    @tcarvalhod I just compared with the ones I had and you don’t have any of them… which makes this even worse lol

    Avada Builder
    Avada Core
    Gravity Forms
    Redirection
    Yoast SEO

    If it is a WP thing… uhh, not good. I have not touched the file permissions at all; they are the defaults from the WP Core zip file, but I did check one of them:

    wp-config.php 644
    wp-admin/ 775
    wp-includes/ 775
    wp-content/ 755
    All other files 644
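Two posts above compare permissions against the 755/644 rule (with 600 or 640 for wp-config.php) and report 777 on infected sites. The audit below is an added example (not from any participant or from WordPress itself) that walks a site root, flags every directory and file whose mode deviates from that rule, and is tested against a constructed directory tree; the plugin directory name is the one named in the thread, the tree itself is invented.

```python
import os
import stat
import tempfile

# Expected modes, as stated in the thread: directories 755, files 644,
# wp-config.php 600 or 640.
EXPECTED = {"dir": {0o755}, "file": {0o644}, "wp-config.php": {0o600, 0o640}}


def audit_permissions(root):
    """Return sorted (relative path, actual mode, expected) tuples for every
    entry under root whose permission bits differ from the WordPress defaults.
    Symlinks are skipped; their mode bits are meaningless on most systems."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode not in EXPECTED["dir"]:
                findings.append((os.path.relpath(path, root), f"{mode:o}", "755"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if name == "wp-config.php" and dirpath == root:
                allowed, want = EXPECTED["wp-config.php"], "600 or 640"
            else:
                allowed, want = EXPECTED["file"], "644"
            if mode not in allowed:
                findings.append((os.path.relpath(path, root), f"{mode:o}", want))
    return sorted(findings)


def world_writable(findings):
    """Subset of findings where anyone on the host can write (the 777/666 case)."""
    return [f for f in findings if int(f[1], 8) & stat.S_IWOTH]


def build_sample_tree():
    """Constructed site layout: mostly correct, with the plugin directory and
    one upload file left world-writable, and wp-config.php at the allowed 640."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    dirs = {
        "wp-admin": 0o755,
        "wp-content": 0o755,
        "wp-content/plugins": 0o777,
        "wp-content/plugins/cache-performance-helper": 0o777,
        "wp-content/uploads": 0o755,
    }
    files = {
        "wp-config.php": 0o640,
        "index.php": 0o644,
        "wp-admin/admin.php": 0o644,
        "wp-content/plugins/cache-performance-helper/cache-performance-helper.php": 0o777,
        "wp-content/uploads/.htaccess": 0o666,
    }
    for rel in sorted(dirs):                  # parents sort before children
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel in files:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php\n")
    for rel, mode in list(dirs.items()) + list(files.items()):
        os.chmod(os.path.join(root, rel), mode)   # explicit chmod, so umask does not matter
    return root


if __name__ == "__main__":
    site = build_sample_tree()
    for rel, mode, want in audit_permissions(site):
        print(f"{rel}: {mode} (expected {want})")
```

Point `audit_permissions()` at the real document root to get the same report for a live site. Note that a clean report is necessary but not sufficient: the sites in this thread that had correct permissions were still compromised through a valid admin login.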

  • Unknown's avatar

    Mine had the following plugins:

    OneLogin SAML SSO
    Elementor
    Elementor Pro
    ManageWP – Worker
    Site Kit by Google
    Smush
    W3 Total Cache
    Wordfence Security
    WP Mail SMTP
    Yoast SEO

    And Hello Elementor (active), Twenty Twenty-Five (inactive), and Twenty Twenty-Four (inactive).

    I couldn’t find any incorrect file permissions but did notice define('WP_ALLOW_MULTISITE', true); was on for some reason
