If your website contains the wp-plain.php file in the root folder, it is most likely infected with malware. It is strongly recommended to address the contamination and block any further requests made to this file.
Try our free site check.
A malware analyst will provide a security report for your website.
How to address the attack:
.htaccess code:
# Redirect specific PHP files to /info.php (Magefix trap) RewriteEngine On RewriteRule ^(kok\.php|loli\.php|wp\.php|geju\.php|wp-plain\.php|phpinfo\.php)$ /info.php [L,R=302] # Redirect plugin file path RewriteRule ^wp-content/plugins/about\.php$ /info.php [L,R=302]
info.php (bot trap):
https://gist.github.com/magefix/f113bb4da89cb2e735e3507f44bb4216#file-info-php
Malicious IPs:
2.58.56.174, 4.190.155.45, 4.193.210.194, 4.194.208.111, 4.217.232.248, 20.192.24.133, 20.251.207.51, 45.141.215.198, 80.76.51.217, 80.76.51.220, 81.161.238.162, 85.31.47.161, 85.31.47.168, 85.239.245.7, 87.120.114.52, 87.120.114.184, 87.120.126.42, 87.121.86.54, 94.103.125.40, 94.103.125.236, 185.209.196.229, 185.241.208.154, 193.26.115.91, 194.26.192.112, 195.24.236.77, 195.24.237.169, 209.126.85.224.
/24 ranges:
2.58.56.0/24, 4.190.155.0/24, 4.193.210.0/24, 4.194.208.0/24, 4.217.232.0/24, 20.192.24.0/24, 20.251.207.0/24, 45.141.215.0/24, 80.76.51.0/24, 81.161.238.0/24, 85.31.47.0/24, 85.239.245.0/24, 87.120.114.0/24, 87.120.126.0/24, 87.121.86.0/24, 94.103.125.0/24, 185.209.196.0/24, 185.241.208.0/24, 193.26.115.0/24, 194.26.192.0/24, 195.24.236.0/24, 195.24.237.0/24, 209.126.85.0/24.
Sample logs:
185.209.196.229 – – [07/Jan/2026:08:49:20 -0600] “POST /wp-plain…ke Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
195.24.237.169 – – [07/Jan/2026:14:54:32 -0600] “POST /wp-plain….ke Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
