A marketing agency recently asked us to help with a site they look after for a client because it was displaying odd behaviour – when they visited admin, the page was blank when they should have seen a login screen.
We quickly deduced the site had been hacked, and traced the hack back to a plugin the client had installed called Popup Builder. If you are battling this same hack, then you can read a detailed breakdown of what you need to do over on Sucuri’s blog. It turns out the weakness in the plugin was discovered a long time ago, and started being exploited in December 2023 after details of it were published – by which time it was probably hoped people would have upgraded. The bad guys acted quickly, and thousands of sites which hadn’t upgraded were quickly infected.
The thing with hacks is that thorough ones leave themselves a Back Door. This means that you might clear up the infected files, or delete the added code, but the hackers have done something else – that’s very hidden – to let themselves back in. In this case, one of the things they did was install their own nasty plugin, which they hid from the main list of plugins so you wouldn’t know it was there.
This is why it can take a long time to clear up a hack – you are basically looking for stuff but you don’t know what (unless there happens to be a blog post detailing it as cited above, but you don’t always find that blog post at the right time) and as soon as you remove it, it can just magically come back again (because the hackers are able to put it back again via the Back Door, with code watching for when it’s resolved, ready to pop it back).
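One way to check for the kind of hidden plugin described above is to compare what is on disk with what the dashboard shows. This is an added example, not code from the original post or from any tool it mentions; the function names and the sample plugin "Cache Helper" are constructed for illustration, and it assumes you have copied the plugin names from the admin Plugins screen by hand.

```python
import os
import re
import tempfile

# WordPress identifies a plugin by a "Plugin Name:" header near the top of a PHP file.
HEADER = re.compile(rb"^[ \t/*#@]*Plugin Name:(.*)$", re.IGNORECASE | re.MULTILINE)

def plugins_on_disk(plugins_dir):
    """Map plugin name -> relative path for every plugin header found on disk.

    Mirrors where WordPress looks: PHP files directly in the plugins
    directory and one level down, reading only the first 8 KiB of each.
    """
    found = {}
    candidates = []
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if os.path.isdir(path):
            candidates += [os.path.join(entry, f) for f in sorted(os.listdir(path))]
        else:
            candidates.append(entry)
    for rel in candidates:
        full = os.path.join(plugins_dir, rel)
        if not rel.endswith(".php") or not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            match = HEADER.search(fh.read(8192))
        if match:
            name = match.group(1).strip().decode("utf-8", "replace")
            found[name] = rel
    return found

def hidden_plugins(plugins_dir, names_shown_in_dashboard):
    """Plugins present on disk but absent from the list the admin screen shows."""
    shown = {n.strip().lower() for n in names_shown_in_dashboard}
    return {n: p for n, p in plugins_on_disk(plugins_dir).items() if n.lower() not in shown}

def demo():
    # Constructed sample tree: two plugins on disk, only one visible in the dashboard.
    with tempfile.TemporaryDirectory() as root:
        for folder, name in (("popup-builder", "Popup Builder"), ("wp-cache-helper", "Cache Helper")):
            os.mkdir(os.path.join(root, folder))
            with open(os.path.join(root, folder, folder + ".php"), "w") as fh:
                fh.write("<?php\n/**\n * Plugin Name: %s\n */\n" % name)
        return hidden_plugins(root, ["Popup Builder"])

if __name__ == "__main__":
    print(demo())
```

On a real site, point `hidden_plugins` at a copy of `wp-content/plugins` taken over SFTP or from a backup, so the comparison does not rely on anything the compromised site reports about itself.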
This is another lesson in why it’s important to keep your plugins – on any platform, not just WordPress – up to date. Please do get in touch if you need a hand.