Mysterious Plugin


#1

I recently discovered a plugin called sucuri-scanner in my WordPress installation. I don’t remember adding it and it was not activated. The plugin doesn’t seem to have done any damage or made any changes. Some basic research shows that it’s a security system similar to the one in JetPack and WordFence (which I do have installed).

My question: is this something Reclaim added? If not, any idea how it might have been installed?


#2

We definitely don’t force add any plugins beyond for brand new installs we use the Cookies for Comments plugin for spam protection. Could it be a holdover from a migration from your previous host? Typically if we were to install anything like that it’s usually Wordfence and usually during the process of working with you on a ticket to clear out malware.


#3

This was definitely new and not a holdover. I’m very careful about the plugins I install on my production sites. I have a sandbox installation where I can experiment but I don’t recall installing anything called sucuri-scanner there either.

Since WordFence’s weekly reports have been showing an increase in failed attempted logins (coming mostly from Asian countries), I thought maybe some malware might have installed the plugin, if that’s possible. I also got a message today from WordPress.com that my account there had been locked due to suspicious activity. Something odd is going on so I need to keep a closer eye on things. I’ll post if I discover anything.


#4

So one thing I do know has been happening is exploited Wordpress.com accounts taking advantage of Jetpack management tools to install plugins Hijacked WordPress.com Accounts Being Used To Infect Sites (essentially while they don’t have access to your self-hosted WP login or your hosting account, if they get your WP.com credentials and Jetpack is managing the site they can install plugins through that interface). The cases of that we have seen have installed a plugin called pluginsamonsters (in addition to injecting code and doing stuff like that). Although it’s a rather loud plugin, I do like Wordfence due to how it will notify you when stuff pops up out of nowhere. The free version isn’t as good at the prevention side of things (it gets updates 30 days after an exploit is in the wild versus the paid subscription that gets updates in realtime as they patch).


#5

Is it definitely succuri or does it just look like succuri?


#6

The plugin wasn’t activated so I wasn’t able to see any settings associated with it. The info link lead to the plugin’s page at WordPress.org, which probably doesn’t mean anything. So, basically I have no idea if this was the actual seccuri plugin or an imposter.


#7

Can you access it with the tools | editor option?


#8

I deleted the plugin not long after my first post. I’m rather cautious about this kind of thing since my site was hacked a couple of times on my previous host. One of the reasons I switched to Reclaim was because they were giving me absolutely no help with the problems.