Recently, after checking the web server logs, I have noticed several attacks targeting wp_filemanager.php, more specifically the following location:
/wp-content/plugins/hellopress/wp_filemanager.php.
If this plugin folder and file exist on your site, the website is most likely compromised and requires a malware cleanup.
To address this issue, follow these steps (WordPress only):
- Disable public access and proceed with a malware cleanup, reviewing core files, plugins and themes;
- Review all the plugins manually by using a file manager tool or FTP. The plugin list provided by WordPress is not reliable;
- Check the wp-content/mu-plugins/ folder;
- Review the users with admin privileges. The list may not be reliable;
- Disable the theme editor and plugin installation.
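
The file-level checks from the steps above, as an added example that is not part of the original post: it looks for the plugin paths requested in the sample logs, lists what is actually in plugins/ and mu-plugins/, and checks wp-config.php for WordPress's DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants. The function names are hypothetical, and treating the probed paths other than hellopress as worth review is an assumption.

```sh
#!/bin/sh
# Added example: on-disk audit of a WordPress tree. Usage: sh audit.sh /path/to/wordpress
# Paths requested in this page's sample logs. The envato-market path is left
# out: Envato Market is a legitimate plugin, so its presence alone says little.
PROBED_PATHS='wp-content/plugins/hellopress/wp_filemanager.php
wp-content/plugins/init-help/init.php
wp-content/plugins/pwnd/pwnd.php
wp-content/plugins/pwnd-1/pwnd.php
wp-content/plugins/Core-Econ/upH.php'

# Print "FOUND <path>" for every probed path that exists under root $1.
find_probed_files() {
    printf '%s\n' "$PROBED_PATHS" | while IFS= read -r rel; do
        if [ -e "$1/$rel" ]; then printf 'FOUND %s\n' "$rel"; fi
    done
}

# List what is really on disk in plugins/ and mu-plugins/, hidden entries
# included, instead of trusting the plugin list WordPress shows.
list_plugins_on_disk() {
    for dir in plugins mu-plugins; do
        base=$1/wp-content/$dir
        for entry in "$base"/* "$base"/.[!.]*; do
            if [ -e "$entry" ]; then printf '%s/%s\n' "$dir" "${entry##*/}"; fi
        done
    done
}

# Report whether wp-config.php sets the constants that turn off the built-in
# theme/plugin editor and plugin/theme installation. A commented-out define
# still matches, so confirm by reading the file.
check_file_mods() {
    for const in DISALLOW_FILE_EDIT DISALLOW_FILE_MODS; do
        if grep -Eiq "define\([[:space:]]*['\"]$const['\"][[:space:]]*,[[:space:]]*true" \
            "$1/wp-config.php" 2>/dev/null; then
            printf 'OK %s\n' "$const"
        else
            printf 'MISSING %s\n' "$const"
        fi
    done
}

audit_wordpress() {
    find_probed_files "$1"
    list_plugins_on_disk "$1"
    check_file_mods "$1"
}

if [ "$#" -gt 0 ]; then audit_wordpress "$1"; fi
```

Any FOUND line, or any plugins/ or mu-plugins/ entry you did not install, is a file to inspect during the cleanup.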
Malicious IPs:
220.247.224.162, 37.140.223.73, 217.216.72.68, 52.178.176.146.
Sample logs:
[07/Jan/2026:16:28:45 -0600] "GET /wp-content/plugins/hellopress/wp_filemanager.php HTTP/1.1" 404 211922 "-" "-"
[08/Jan/2026:01:28:15 -0600] "GET /wp-content/plugins/init-help/init.php HTTP/1.1" 301 0 "-" "Mozilla/5.0"
[08/Jan/2026:01:28:20 -0600] "GET /wp-content/plugins/pwnd/pwnd.php HTTP/1.1" 301 0 "-" "Mozilla/5.0"
[08/Jan/2026:01:28:22 -0600] "GET /wp-content/plugins/pwnd-1/pwnd.php HTTP/1.1" 301 0 "-" "Mozilla/5.0"
[08/Jan/2026:01:28:25 -0600] "GET /wp-content/plugins/Core-Econ/upH.php HTTP/1.1" 301 0 "-" "Mozilla/5.0"
[08/Jan/2026:01:28:32 -0600] "GET /wp-content/plugins/envato-market/inc/class-envato-market-api.php HTTP/1.1" 301 0 "-" "Mozilla/5.0"
[08/Jan/2026:04:26:21 -0600] "GET /wp-content/plugins/hellopress/wp_filemanager.php HTTP/1.1" 404 5749 "-" "-"
