Wordfence and BackupBuddy False Positive on malicious executable code

Two of our favorite plugins are Wordfence for security and BackupBuddy to make automatic offsite backups of our site.

However, when you run a Wordfence scan you may encounter a few Critical warnings, either within the BackupBuddy plugin files themselves or in a .sql file under wp-content/uploads/backupbuddy_temp/, that say, “The file may contain malicious executable code.” These kinds of warnings make you stop and think: Oh no, what does this mean? What do I do now? Is my site hacked?

On closer inspection, each warning carries its own description, such as:

EXAMPLE 1
Filename (sample): wp-content/uploads/backupbuddy_temp/r9g8q501tx/db_1.sql
Description: This file is a PHP executable file and contains an eval() function and base64() decoding function on the same line. This is a common technique used by hackers to hide and execute code. If you know about this file you can choose to ignore it to exclude it from future scans.

EXAMPLE 2
Filename: wp-content/plugins/backupbuddy/destinations/sftp/lib/phpseclib/Crypt/Twofish.php
Filename: wp-content/plugins/backupbuddy/_importbuddy/importbuddy/lib/pclzip/pclzip.php
Filename: wp-content/plugins/backupbuddy/destinations/sftp/lib/phpseclib/Crypt/Blowfish.php
Description: This file is a PHP executable file and contains the word ‘eval’ (without quotes) and the word ‘unpack(‘ (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.
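Both descriptions above are text-matching rules, so a file only has to contain the right strings to be flagged. The following added example (not Wordfence's code and not from the original post) approximates the two rules with assumed regular expressions and runs them over two constructed samples, a database dump row and a library snippet, to show which lines would trip each warning:

```python
import re

# Assumed approximations of the two quoted descriptions,
# not Wordfence's actual signatures.
EVAL_CALL = re.compile(r"\beval\s*\(", re.I)
BASE64 = re.compile(r"base64_decode\s*\(", re.I)
EVAL_WORD = re.compile(r"\beval\b", re.I)
UNPACK = re.compile(r"unpack\(", re.I)


def explain_flags(text):
    """Return (rule, line_numbers) pairs for every rule the text would trip."""
    lines = list(enumerate(text.splitlines(), 1))
    findings = []
    # Example 1: eval( and a base64 decode call on the same line.
    same_line = [n for n, l in lines if EVAL_CALL.search(l) and BASE64.search(l)]
    if same_line:
        findings.append(("eval+base64 on one line", same_line))
    # Example 2: the word eval and "unpack(" anywhere in the same file.
    eval_lines = [n for n, l in lines if EVAL_WORD.search(l)]
    unpack_lines = [n for n, l in lines if UNPACK.search(l)]
    if eval_lines and unpack_lines:
        hits = sorted(set(eval_lines + unpack_lines))
        findings.append(("eval word + unpack( in file", hits))
    return findings


# Constructed sample: a dump row whose post body merely quotes the pattern.
SAMPLE_SQL = "\n".join([
    "-- constructed sample of a database dump",
    "INSERT INTO `wp_posts` VALUES (7,'Spotting a hacked theme',"
    "'Look for lines such as eval(base64_decode(...)) in footer.php');",
    "INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com');",
])

# Constructed sample: a library that unpacks binary data and builds code at runtime.
SAMPLE_PHP = "\n".join([
    "<?php",
    "// constructed sample, not taken from BackupBuddy or phpseclib",
    "$in = unpack('N*', $block);",
    "$code = 'return $x ^ $k;';",
    "eval('$fn = function($x, $k) {' . $code . '};');",
])

if __name__ == "__main__":
    for name, sample in (("db_1.sql", SAMPLE_SQL), ("library.php", SAMPLE_PHP)):
        for rule, line_numbers in explain_flags(sample):
            print(f"{name}: {rule} -> lines {line_numbers}")
```

The line numbers it reports are the ones to read by hand in a flagged file before deciding whether to ignore the warning.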

What you should do if you get a Wordfence Scan warning using the BackupBuddy plugin that says, “The file may contain malicious executable code.”


About Regina Smola

Regina Smola is a sought-after WordPress Security Expert, co-founder of SafeWP.com, and owner of WPSecurityLock.com. She has helped thousands of WordPress users tighten security on their WordPress sites and fixed hundreds of hacked WordPress blogs. Get more info on Regina on Facebook and Google+.
