During a round of monthly maintenance updates, one of our support techs discovered a very sketchy plugin installed on a few websites.
You’ll see it in the following filepath in WordPress: wp-content/plugins/service-system-woocommerce-information/service-system-woocommerce-information.php
This plugin appears to create admin users and then begin uploading malicious files to the website. This could lead to WooCommerce data being leaked. Fortunately, it appears we caught this issue in time, as there were no malicious files generated.
How do you know if you have it? Running a scan like WordFence or Sucuri may detect it, but you may also have to navigate to this filepath.
What should you do in response?
- Delete any admin users you don’t recognize.
- Delete this plugin. You’ll have to get to it via FTP access, or find a web developer to do this. Simply delete the folder in the wp-content/plugins directory, and that will do the trick.
- Delete the wp-xmlrpc.php plugin in the public_html directory—this may be one of the malicious files generated by the plugin.
- Delete any inactive plugins or themes.
- Change all admin passwords. It’s critical to do this as soon as possible in case they were exposed.
- Run a security scan to ensure there are no malicious files. You should also check for obfuscated PHP manually.
If you need help getting rid of this plugin, get in touch with us right away or contact your web developer.
