Malicious rer-elemer WordPress Plugin

If you are seeing this page then you likely have a WordPress plugin named “rer-elemer” in your list of plugins. This plugin is malicious and should generally be removed immediately, but before doing so I would recommend noting the timestamps of when the plugin's files were created and last accessed, so the logs can be searched for any activity during that timeframe. Generally I have seen the plugin being uploaded to outdated WordPress sites via Apache POST requests like:

POST /wp-admin/update.php?action=upload-plugin

If you see that request, then there may be other POST requests like:

POST /wp-content/plugins/rer-elemer/wrapper.php

If you see those, then it is likely that other files were uploaded to WordPress as well. Check the site’s document root and its subfolders for any recently modified files; there may be other malicious files or phishing pages on the site.
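The two log checks and the file search described above, as an added example (this is not code from the original post). It assumes the Apache "combined" log format and runs against constructed sample log lines embedded in the script; on a real server you would feed it the contents of the access log (the /var/log/apache2/access.log path below is an assumption) and point the file search at your actual document root.

```shell
#!/bin/sh
# Added example, not from the original post. Searches Apache access-log text for
# the two POST requests the post describes, reports the client IPs and the first
# timestamp seen (to bound the log review), and lists recently modified files
# under a document root. Log format assumed: Apache "combined".

# Constructed sample log lines standing in for /var/log/apache2/access.log
# (IPs are from documentation ranges; timestamps are made up).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:02:13:44 +0000] "GET /wp-login.php HTTP/1.1" 200 1823 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:30 +0000] "POST /wp-content/plugins/rer-elemer/wrapper.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:03:00:00 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
EOF
)

# Print the log lines matching the two indicators from the post.
# $1 = access-log text.
suspicious_requests() {
    printf '%s\n' "$1" |
        grep -E '"POST /(wp-admin/update\.php\?action=upload-plugin|wp-content/plugins/rer-elemer/)'
}

# Number of matching lines (prints 0 when nothing matches).
count_suspicious() {
    suspicious_requests "$1" | grep -c . || true
}

# Distinct client IPs behind the matching requests; these are what you then
# search the rest of the log for, to find any other files that were uploaded.
client_ips() {
    suspicious_requests "$1" | awk '{print $1}' | sort -u
}

# Timestamp of the earliest matching request, i.e. the start of the window
# the post says you should review.
first_seen() {
    suspicious_requests "$1" | head -n 1 | sed 's/.*\[\([^]]*\)\].*/\1/'
}

# Files modified within the last $2 days under document root $1.
recently_modified() {
    find "$1" -type f -mtime -"$2" -print
}

# Run against the constructed sample. On a live server this would be, e.g.:
#   suspicious_requests "$(cat /var/log/apache2/access.log)"
#   recently_modified /var/www/html 7
echo "Matching requests:"
suspicious_requests "$SAMPLE_LOG"
echo "Client IPs to search for: $(client_ips "$SAMPLE_LOG")"
echo "Review window starts at: $(first_seen "$SAMPLE_LOG")"
```

The indicator regex is deliberately narrow (the exact upload endpoint and the plugin's directory); widen the `find` window and the IP search to cover the whole period between first_seen and the present before concluding the site is clean.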

Clean-Up

To clean up the account, change the passwords for all users, then go through the WordPress user list and delete any users that shouldn’t be there. Update WordPress itself to the latest version, and make sure you are running a current PHP version as well; exploits are available for many older, outdated PHP versions.

Then audit your plugins and themes. Remove any you don’t need. Do not just leave them inactive, remove them: if they are inactive the files are still sitting dormant on the server, and removing them closes any possible exploits against them. You probably don’t need the twentyfifteen theme anymore, let it go. Once the plugins and themes are pruned, make sure the ones you do use are up to date, and it wouldn’t hurt to check that there aren’t any active security issues with them. Check the forums for any plugins you do use, and if there are problems look for alternative plugins that perform the same function without the same security issues.
