Understanding and Resolving File Manager Plugin Security Alerts
Many WordPress users of the 'WP File Manager' plugin have encountered security warnings, malware detections, or unexpected behavior. This guide explains the common causes of these alerts and provides steps to diagnose and resolve them.
Why Am I Getting These Security Alerts?
Based on community reports, these alerts typically fall into a few categories:
- Outdated Plugin Versions: Many severe vulnerabilities, such as CVE-2023-6825 (directory traversal) and an arbitrary file upload flaw, were patched in specific versions (e.g., v6.9 for Free, v8.3.5 for Pro). Running an outdated version is the most common cause of compromise.
- False Positives from Scanners: Security software like EasyWP or CXS may flag the plugin's core file (file_folder_manager.php) or its use of system functions (like exec()) as a potentially unwanted application (PUA), even in clean, updated installations.
- Outdated Library Dependencies: The plugin bundles libraries like elFinder and jQuery UI. Older versions of these libraries (e.g., elFinder before 2.1.62, jQuery UI 1.12.1) have known CVEs that scanners detect, even if the plugin itself is updated.
- Post-Hack Residual Files: If a site was previously compromised, attackers often drop malicious files inside the plugin's directories (e.g., lib/files/FecCff.php) or create new files in the uploads folder (wp-content/uploads/wp-file-manager-pro/).
Step-by-Step Troubleshooting Guide
1. Immediate Action: Update or Remove
- Update Immediately: If you plan to keep using the plugin, ensure you are running the latest available version. This is the single most important step to patch known security vulnerabilities. Check your dashboard or the WordPress Plugin Directory for updates.
- Consider Removal: If you are not actively using the plugin, the safest course of action is to deactivate and completely delete it. This eliminates it as a potential attack vector.
2. Perform a Comprehensive Security Scan
- Use a reputable security scanner like Wordfence, Sucuri, or your hosting provider's tool to scan your entire site for malware, not just the plugin directory.
- Pay close attention to detections in these common locations:
  - wp-content/plugins/wp-file-manager/lib/files/ (look for unexpected .php files; this directory should not contain any)
  - wp-content/uploads/wp-file-manager-pro/ (any .php file under wp-content/uploads/ is suspicious, since WordPress stores only media there)
  - The site root directory (/public_html/), for randomly named files like s7eavutarv_index.php alongside the standard WordPress core files
- Delete any suspicious files identified by your scanner.
3. Clean Up Residual Files and Folders
- If you have deleted the plugin, you can also safely remove its residual directories in your uploads folder:
  - wp-content/uploads/wp-file-manager-pro/
  - wp-content/uploads/wp-file-manager-pro/fm_backup/ (this holds backups made through the plugin, so copy anything you still need before deleting)
- You may also find and delete the plugin's temporary folders .tmb and .quarantine in your server's root. Their names start with a dot, so enable "show hidden files" in your FTP client or hosting file manager to see them.
4. Address False Positives
- If your hosting provider has flagged the plugin's main file (file_folder_manager.php) but you have confirmed the installation is updated and clean, contact their support and explain it is likely a false positive. Before doing so, confirm the flagged file is byte-identical to the same file in a fresh copy of that plugin version downloaded from the WordPress Plugin Directory; if it differs, treat it as modified, not as a false positive. The File Manager team has stated they work with security providers to resolve these flags.
5. Restore from a Clean Backup
- If your site was hacked and is still redirecting visitors or showing malicious content after cleaning, the infection may be deeper than just a few files. The most reliable solution is to restore your entire site from a known-clean backup taken before the hack occurred.
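The checks in steps 1 to 3 can be scripted so they are repeatable on every site you manage. The script below is an added example written for this guide, not code from the WP File Manager plugin or its authors. It assumes the directory layout named above (wp-file-manager/lib/files/, uploads/wp-file-manager-pro/, .tmb and .quarantine in the site root), reads the plugin version from the standard WordPress plugin header in file_folder_manager.php, and treats any root-level .php file outside the WordPress core set as suspicious. The sample site tree it builds when run without an argument is constructed for demonstration; the planted file names are taken from the examples in this guide, not from a real incident.

```shell
#!/bin/sh
# Added example for this guide (not the plugin's own code).
# Usage: sh fm_triage.sh /path/to/wordpress
# With no argument it builds a constructed sample tree and runs against that.

# PHP files that legitimately live in a WordPress site root (WordPress core).
WP_ROOT_PHP="index.php wp-activate.php wp-blog-header.php wp-comments-post.php \
wp-config.php wp-config-sample.php wp-cron.php wp-links-opml.php wp-load.php \
wp-login.php wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php"

# Step 1: read the installed plugin version from the plugin header comment.
plugin_version() {
  main="$1/wp-content/plugins/wp-file-manager/file_folder_manager.php"
  [ -f "$main" ] || { echo "not installed"; return 0; }
  sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*//p' "$main" | head -n 1
}

# Step 2a: lib/files/ inside the plugin should contain no PHP at all.
suspicious_plugin_lib() {
  dir="$1/wp-content/plugins/wp-file-manager/lib/files"
  [ -d "$dir" ] && find "$dir" -type f -name '*.php'
  return 0
}

# Step 2b: uploads/ holds media only; any PHP under it is suspicious.
suspicious_uploads_php() {
  dir="$1/wp-content/uploads"
  [ -d "$dir" ] && find "$dir" -type f -name '*.php'
  return 0
}

# Step 2c: root-level PHP files that are not part of WordPress core
# (catches random names such as s7eavutarv_index.php).
suspicious_root_php() {
  for f in "$1"/*.php; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    case " $WP_ROOT_PHP " in
      *" $name "*) ;;          # known core file, ignore
      *) echo "$f" ;;          # unexpected, report
    esac
  done
}

# All step-2 findings, de-duplicated. Review each hit before deleting.
triage() {
  { suspicious_plugin_lib "$1"; suspicious_uploads_php "$1"; suspicious_root_php "$1"; } | sort -u
}

# Step 3: leftover directories that can be removed once the plugin is uninstalled.
leftover_dirs() {
  for d in wp-content/uploads/wp-file-manager-pro \
           wp-content/uploads/wp-file-manager-pro/fm_backup .tmb .quarantine; do
    [ -d "$1/$d" ] && echo "$1/$d"
  done
  return 0
}

# Constructed sample site for the demo: clean core files plus planted artifacts
# of the kinds described in this guide (names are illustrative, not real IOCs).
make_sample_site() {
  mkdir -p "$1/wp-content/plugins/wp-file-manager/lib/files" \
           "$1/wp-content/uploads/wp-file-manager-pro/fm_backup" \
           "$1/wp-content/uploads/2024/01" "$1/.tmb" "$1/.quarantine"
  : > "$1/index.php"; : > "$1/wp-config.php"; : > "$1/wp-login.php"
  printf '<?php\n/*\nPlugin Name: File Manager\nVersion: 6.9\n*/\n' \
    > "$1/wp-content/plugins/wp-file-manager/file_folder_manager.php"
  : > "$1/wp-content/uploads/2024/01/photo.jpg"
  : > "$1/wp-content/plugins/wp-file-manager/lib/files/FecCff.php"   # planted
  : > "$1/wp-content/uploads/wp-file-manager-pro/shell.php"           # planted
  : > "$1/s7eavutarv_index.php"                                        # planted
}

if [ -n "${1:-}" ]; then
  ROOT="$1"
else
  ROOT=$(mktemp -d); make_sample_site "$ROOT"
fi
echo "File Manager version: $(plugin_version "$ROOT")"
echo "--- suspicious PHP files (review, then remove) ---"; triage "$ROOT"
echo "--- leftover directories (deletable after uninstall) ---"; leftover_dirs "$ROOT"
```

Run it against the real site root first and compare the reported version with the latest release on the Plugin Directory. The script only lists candidates; it does not delete anything, because a hit in the root directory or uploads folder still needs a human look (a custom deployment script or a legitimate drop-in may also live there) before it is removed or the site is restored from backup.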
Prevention Tips
- Always Update: Enable auto-updates for all plugins, especially ones with a history of security patches like File Manager.
- Use Security Plugins: Implement a WordPress security plugin to act as a firewall and provide regular malware scanning.
- Principle of Least Privilege: Only install and activate plugins that you absolutely need. Deactivate and delete unused plugins.
By following these steps, you can resolve most security alerts related to the File Manager plugin, whether they are legitimate threats or false positives. Always prioritize updating to the latest version and maintaining robust security practices on your WordPress site.
Related Support Threads
- malicious code message: https://wordpress.org/support/topic/malicious-code-message/
- Critical security vulnerability version 8.0.2: https://wordpress.org/support/topic/critical-security-vulnerability-version-8-0-2/
- Easy WP potential malicious file – a false positive or an issue?: https://wordpress.org/support/topic/easy-wp-potential-malicious-file-a-false-positive-or-an-issue/
- Are you offering any assistance or guide on how to delete all suspicious files?: https://wordpress.org/support/topic/are-you-offering-any-assistance-or-guide-on-how-to-delete-all-suspicious-files/
- Malware files?: https://wordpress.org/support/topic/malware-files/
- File Manager Plugin <= 23.2 is vulnerable to Content Injection: https://wordpress.org/support/topic/file-manager-plugin-23-2-is-vulnerable-to-content-injection/
- OK to delete uploads/wp-file-manager-pro/fm_backup directory: https://wordpress.org/support/topic/ok-to-delete-uploads-wp-file-manager-pro-fm_backup-directory/
- Reflected Cross-Site Scripting vulnerability: https://wordpress.org/support/topic/reflected-cross-site-scripting-vulnerability-2/
- Plugin using vulnerable jquery UI: https://wordpress.org/support/topic/plugin-using-vulnerable-jquery-ui/
- Security Vulnerability Disclosure – WP File Manager Plugin (v8.0.2): https://wordpress.org/support/topic/security-vulnerability-disclosure-wp-file-manager-plugin-v8-0-2/
- Critical security vulnerability in 8.0.2: https://wordpress.org/support/topic/critical-security-vulnerability-in-8-0-2/
- SECURITY VULNERABILITY!: https://wordpress.org/support/topic/security-vulnerability-95/
- jquery-ui 1.12.1 being used: https://wordpress.org/support/topic/jquery-ui-1-12-1-being-used/
- elFinder Directory Traversal to Arbitrary File Deletion Vuln: https://wordpress.org/support/topic/elfinder-directory-traversal-to-arbitrary-file-deletion-vuln/
- My Site (Dantravels.org) was attacked by Malware too! HELP!: https://wordpress.org/support/topic/my-site-dantravels-org-was-attacked-by-malware-too-help/
- CXS Reports Suspicious File After 6.9 auto-update: https://wordpress.org/support/topic/cxs-reports-suspicious-file-after-6-9-auto-update/
- Plugin hacked: https://wordpress.org/support/topic/plugin-hacked-10/
- Japanese Text Hacking: https://wordpress.org/support/topic/japanese-text-hacking/
- Directory traversal issue not resolved in v.7.2.6: https://wordpress.org/support/topic/directory-traversal-issue-not-resolved-in-v-7-2-6/
- Hacker are targeting File: https://wordpress.org/support/topic/hacker-are-targeting-file/
- Found a trojan in your code!!: https://wordpress.org/support/topic/found-a-trojan-in-your-code/
- wp-file-manager v8.0.2 is still using old, vulnerable elfinder v2.1.49: https://wordpress.org/support/topic/wp-file-manager-v8-0-2-is-still-using-old-vulnerable-elfinder-v2-1-49/
- Extra character added to my REST API Output: https://wordpress.org/support/topic/extra-character-added-to-my-rest-api-output/
- 8.3.4 – Authenticated (Subscriber+) Arbitrary File Upload: https://wordpress.org/support/topic/8-3-4-authenticated-subscriber-arbitrary-file-upload/
- Isn't being able to change the Public Root Path a security flaw?: https://wordpress.org/support/topic/isnt-being-able-to-change-the-public-root-path-a-security-flaw/
- Why was this removed?: https://wordpress.org/support/topic/why-was-this-removed/
- Got hacked – Zero day vulnerability: https://wordpress.org/support/topic/got-hacked-zero-day-vulnerability/
- .quarantine and .tmb folder: https://wordpress.org/support/topic/quarantine-and-tmb-folder/
- This plugin is a hacking tool basically: https://wordpress.org/support/topic/this-plugin-is-a-hacking-tool-basically/