If you’ve arrived at this page it’s likely the WP Fingerprint plugin has alerted you to a possible issue with a plugin on your site. The very first step is to take a breath and don’t panic. Let’s go through what might have happened and why.
What’s happened exactly?
WP Fingerprint works by scanning through the plugin files on your WordPress website. After each scan it creates a checksum, a sort of digital fingerprint of the plugin on your site. That checksum is then compared against a known checksum from a copy of the plugin we keep securely on our system. When those checksums don’t match, the warning is triggered, alerting you to the fact that the plugin file in question might have been tampered with. Here’s a more detailed overview.
Why is this important?
If the mismatch of checksums is due to tampering, the plugin or your site may have been hacked. Malicious actors often modify files within plugins and themes to hide code that may affect your site. They do so to help hide their activities but also because they know these files are then loaded across your site. That means their code is running across your site, too. Such hacked code is often used to deliver spam, steal user login details or propagate more hacks.
Step 1 – identifying if a plugin is hacked
We recommend you don’t ignore any warning from WP Fingerprint. False positives are possible (see below) but they are rare; chances are the files have indeed been modified.
- If you are in a position to do so, open up the file and see if something looks out of place. Hacked content often looks obvious: a big block of unformatted code, or obfuscated content that is just a string of numbers and letters rather than words and symbols.
- Run a virus scan. Some hosts will do this automatically; others might give you access to do so yourself.
- Check the time the file was last modified: if it was modified recently and you have made no changes, this could mean a third party has modified it. When plugins update, it’s rare that just one file is uploaded; rather, multiple files are uploaded at the same time.
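The checksum comparison and the last-modified check described above can be combined in one pass over a plugin folder. The following is an added example, not WP Fingerprint's own code; the use of SHA-256, the shape of the `known_good` mapping, the one-hour window and all function names are assumptions.

```python
import hashlib, os, statistics, tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_plugin(plugin_dir):
    """Map each file's relative path to (sha256, mtime)."""
    found = {}
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, plugin_dir).replace(os.sep, "/")
            found[rel] = (sha256_file(full), os.path.getmtime(full))
    return found

def compare(plugin_dir, known_good, window=3600):
    """known_good: {relative_path: sha256} from a clean copy of the same version."""
    current = scan_plugin(plugin_dir)
    report = {"modified": [], "added": [], "missing": [], "changed_after_update": []}
    # An update writes many files together, so the median mtime
    # approximates when the plugin was last installed or updated.
    mtimes = [m for _d, m in current.values()]
    update_time = statistics.median_low(mtimes) if mtimes else 0
    for rel, (digest, mtime) in sorted(current.items()):
        if rel not in known_good:
            report["added"].append(rel)        # file the clean copy does not ship
        elif digest != known_good[rel]:
            report["modified"].append(rel)     # checksum mismatch
        if mtime - update_time > window:
            report["changed_after_update"].append(rel)  # touched on its own, later
    report["missing"] = sorted(set(known_good) - set(current))
    return report

def demo():
    """Constructed sample: four files, one altered a day after the update."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "inc"))
        for n in ["plugin.php", "readme.txt", "inc/admin.php", "inc/api.php"]:
            with open(os.path.join(d, n), "w") as f:
                f.write("<?php // " + n + "\n")
            os.utime(os.path.join(d, n), (1700000000, 1700000000))
        known_good = {rel: dg for rel, (dg, _m) in scan_plugin(d).items()}
        target = os.path.join(d, "inc/api.php")
        with open(target, "a") as f:
            f.write("// constructed stand-in for an unexpected edit\n")
        os.utime(target, (1700086400, 1700086400))
        return compare(d, known_good)
```

A file that appears under both `modified` and `changed_after_update` matches the pattern in the list above: its content differs from the clean copy and it was changed on its own rather than as part of an update.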
Step 2 – take action
If you believe the file has been modified you need to take immediate action. Your hosting provider should have detailed information on how to respond to hacked files and sites (for example, check out our own guide on managing hacked WordPress sites).
Don’t just replace the file, unless you are absolutely sure there are no other files that have been hacked. Likewise, restoring from a backup more often than not means simply re-introducing the hacked files.
Step 3 – Recovering from a hacked WordPress plugin
Once your site is back up and running you should run through a checklist of sensible WordPress security items. Such items to check off include:
- Make sure your WordPress core installation, all plugins and themes are up to date.
- Ensure the passwords of every Administrator user on your site are updated.
- Consider enabling Two Factor Authentication on each Administrator account.
Could it be a false positive?
There is a small chance that the result is a false positive. A false positive means that there’s a mistake in the scanning and notification. This means that while the checksums don’t match, there’s a valid reason for the mismatch:
- You have made direct changes to the plugin files.
- A plugin author has changed the content of the file, but hasn’t changed the version number. This might show as being the latest version locally, but in reality a newer version is available.
- You are checking against a local wpfingerprint.json file (so the source says local) and have made changes to a file, but have not regenerated the local file.
- The plugin is missing version information, meaning it’s impossible to identify what version should be checked. This will flag all files as potentially malicious.