Two days ago I got a text from a colleague of a mutual client: “Google Ads is throwing a fit saying the site is infected with malware. Can you take a look?”
It was an odd request considering this particular client is on WPEngine.
I jumped over to Sucuri’s SiteCheck malware scanner and was immediately informed that the site was indeed infected.
This particular malware didn’t do much of anything to my client’s website, thankfully, and I think, thanks to the Google Ads warning, we had the jump on it before most others did.
By the time I had found out what plugin was to blame, the people over at Wordfence were starting a YouTube live stream about the whole ordeal. Thousands of people were watching. This malware made it around quickly.
How to get rid of Wp-Strongs Malware
The first place you will want to look, in almost every situation, is the server logs.
Sure enough, they were flooded with hundreds of POST requests to the user-new.php file – not good. Of course there was a new admin user. I deleted the rogue admin user, changed permissions on all other users, and forced a password update for each one. I also changed my password and enabled 2FA for good measure.
Back to the logs, I noticed an unusual file name: wp-strongs.php. It appeared to be originating from the mu-plugins folder. Weird! So I went in and deleted it. Easy.
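The two indicators used above (a burst of POSTs to user-new.php, and a file named wp-strongs.php showing up under mu-plugins) are easy to check for mechanically across a whole log instead of by eye. The script below is an added example, not code from the original post or from Wordfence or Sucuri. It parses access-log lines in the common/combined format that Apache and Nginx write, counts POST requests to wp-admin/user-new.php per source IP (a GET to that page is just an admin opening the "Add New User" screen, so only POSTs count), flags any request that touches wp-strongs.php or the wp-content/mu-plugins/ path, and audits a list of mu-plugins file names against an allowlist. The log lines, IP addresses and allowlist file names are constructed for the example; the threshold of three POSTs is an arbitrary assumption, and a real allowlist should be built from what your host ships in mu-plugins plus whatever you added yourself.

```python
"""Triage helpers for the wp-strongs pattern: rogue-admin POST bursts and
unexpected mu-plugins files. Added example; not the post author's code."""
import re
from collections import Counter

# Common/combined log format:
#   ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# WordPress creates users through this admin screen (default install path).
USER_NEW = "/wp-admin/user-new.php"
# Default must-use plugin directory plus the file name seen in this incident.
SUSPECT_PATHS = ("wp-strongs.php", "/wp-content/mu-plugins/")

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2024:14:02:11 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2024:14:02:12 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2024:14:02:13 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:14:05:40 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2024:14:06:02 +0000] "GET /wp-content/mu-plugins/wp-strongs.php?x=1 HTTP/1.1" 200 31 "-" "curl/8.0"
192.0.2.5 - - [10/Jan/2024:14:07:00 +0000] "GET /about/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
this line is not a log entry
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_indicators(lines, user_new_threshold=3):
    """Scan log lines for the two indicators.

    Returns a dict with:
      user_new_posts: Counter of source IPs that POSTed to user-new.php
      noisy_ips:      IPs whose POST count reached user_new_threshold (sorted)
      suspect_hits:   (ip, method, path, status) for requests touching SUSPECT_PATHS
    """
    user_new_posts = Counter()
    suspect_hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole scan
        path_no_query = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path_no_query.endswith(USER_NEW):
            user_new_posts[rec["ip"]] += 1
        if any(s in rec["path"] for s in SUSPECT_PATHS):
            suspect_hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    noisy_ips = sorted(ip for ip, n in user_new_posts.items() if n >= user_new_threshold)
    return {"user_new_posts": user_new_posts, "noisy_ips": noisy_ips,
            "suspect_hits": suspect_hits}


def audit_mu_plugins(filenames, allowlist):
    """Return the mu-plugins file names that are not on the allowlist.

    Must-use plugins load on every request with no activation step, so any
    file here that you or your host did not place deserves a look.
    Pass e.g. [p.name for p in Path('wp-content/mu-plugins').iterdir()].
    """
    return sorted(name for name in filenames if name not in allowlist)


if __name__ == "__main__":
    result = find_indicators(SAMPLE_LOG.splitlines())
    print("POSTs to user-new.php by IP:", dict(result["user_new_posts"]))
    print("IPs over threshold:", result["noisy_ips"])
    for hit in result["suspect_hits"]:
        print("suspect request:", hit)
    # Constructed allowlist; replace with what your host ships plus your own files.
    known = {"my-site-tweaks.php"}
    print("unexpected mu-plugins:",
          audit_mu_plugins(["my-site-tweaks.php", "wp-strongs.php"], known))
```

Run it against the real access log with `find_indicators(open("access.log"))`; every IP in `noisy_ips` is a candidate for a firewall block, and the `user_registered` timestamps of any admin accounts you do not recognise should line up with those POST bursts. Note that `suspect_hits` only sees requests that reached the file over HTTP; a dropper that writes into mu-plugins from inside PHP leaves no such line, which is why the directory audit is a separate check.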
Edit: After searching the email address of the rogue admin user, firstname.lastname@example.org, I was able to determine that ThePlusAddons, a plugin for Elementor, was to blame.