Removing the Adware mplugin from WordPress

I recently worked on a couple of sites initially developed by another developer, and he used cracked themes, which led to the installation of the malicious plugin.

A client mentioned the site was displaying ads, and we couldn’t reproduce it because the plugin tracks signed-in users and admins by IP after login. This prevented us from ever seeing the ads. We tried several times on different devices and networks and were still unsuccessful.

So we did a check through the plugins list in WordPress and nothing looked suspicious. However, after using Sucuri and checking the list of installed plugins, mplugin stuck out. So we investigated it and found it was in /wp-content/plugins/mplugin.php. It also creates a file to track IPs: /wp-content/plugins/admin_ips.txt.

The plugin doesn’t even show itself on the admin menus. However, you can navigate to the settings page: /wp-admin/options-general.php?page=mplugin

We did a brief search online and found a YouTube video: [mplugin removal video](https://www.youtube.com/watch?v=OJ6N_mrDpq8).

So essentially, you’ll need to remove a couple of files:

  • /wp-content/plugins/mplugin.php
  • /wp-content/plugins/admin_ips.txt

Then you’ll need to remove the wp_options entries:

  • default_mont_options
  • ad_code
  • hide_admin
  • hide_logged_in
  • display_ad
  • search_engines
  • auto_update
  • ip_admin
  • cookies_admin
  • logged_admin
  • log_install
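
The following query removes them all:

```sql
-- Assumes the default "wp_" table prefix; adjust it if your install uses another.
DELETE FROM wp_options WHERE option_name IN (
  'default_mont_options',
  'ad_code',
  'hide_admin',
  'hide_logged_in',
  'display_ad',
  'search_engines',
  'auto_update',
  'ip_admin',
  'cookies_admin',
  'logged_admin',
  'log_install'
);
```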
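
To check another site for the same indicators before deleting anything, here is a small POSIX shell script, added as an example and not part of the original post. It assumes the file paths and option names listed above, takes the WordPress root as its argument, and reads option names (one per line) on stdin, for example exported with WP-CLI's `wp option list --field=option_name`; `demo_constructed` and its sample data are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): look for the mplugin indicators
# the post lists. Usage: sh check_mplugin.sh /path/to/wordpress < option_names.txt

# Files the post says to remove, relative to the WordPress root.
MPLUGIN_FILES="wp-content/plugins/mplugin.php wp-content/plugins/admin_ips.txt"

# wp_options names the post says to remove.
MPLUGIN_OPTIONS="default_mont_options ad_code hide_admin hide_logged_in display_ad
search_engines auto_update ip_admin cookies_admin logged_admin log_install"

# Print each indicator file present under the WordPress root given as $1.
find_mplugin_files() {
  for mp_f in $MPLUGIN_FILES; do
    if [ -e "$1/$mp_f" ]; then printf 'file: %s\n' "$mp_f"; fi
  done
}

# Read option names on stdin, one per line, and print exact matches only
# (so an unrelated option such as "ad_code_backup" is not reported).
find_mplugin_options() {
  while IFS= read -r mp_name || [ -n "$mp_name" ]; do
    for mp_opt in $MPLUGIN_OPTIONS; do
      if [ "$mp_name" = "$mp_opt" ]; then printf 'option: %s\n' "$mp_name"; fi
    done
  done
}

# Build a constructed sample tree and option list, then scan it.
# Everything here is made-up test data, not taken from a real site.
demo_constructed() {
  mp_tmp=$(mktemp -d) || return 1
  mkdir -p "$mp_tmp/wp-content/plugins"
  : > "$mp_tmp/wp-content/plugins/mplugin.php"
  : > "$mp_tmp/wp-content/plugins/admin_ips.txt"
  find_mplugin_files "$mp_tmp"
  printf '%s\n' siteurl ad_code hide_admin ad_code_backup blogname | find_mplugin_options
  rm -rf "$mp_tmp"
}

# Scan a real install only when a WordPress root is given as an argument.
if [ -n "${1:-}" ]; then
  find_mplugin_files "$1"
  if [ ! -t 0 ]; then find_mplugin_options; fi
fi
```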

Closing Thoughts

That is all I have noticed in the plugin.

It may be tempting to get free premium templates, but nothing really is “free”. A cracked template, just like a cracked app, will carry some sort of payoff for the crackers.

So the safest bet is to fork over $50-$70 for a paid theme from a reputable theme site, which helps the developers as well. This will save you the risk and headaches.

The other benefit is that the themes will most likely have auto-updates, so you aren’t stuck with even more compatibility and vulnerability issues.

Please, if you are developing for others and using cracked themes, you only tarnish your reputation to save a few bucks, which can put further projects at risk.

Always be vigilant!!!

Stay safe everyone!