“Wp-file-manager” has been the bane of my existence for the past 3 years. It’s not in every compromised WordPress hosting that I see; but it’s there probably 60-80% of the time. And it’s almost always there on the BAD hacks. So it’s very hard to ignore the correlation between this plugin and consistent hacks across accounts.
Let’s break this down…
Plugin
That means it’s an extra module or tool that you add to WordPress outside of its core functions. This was searched for and installed from the WordPress market. There are many plugins from many vendors.
File Manager
There are several ways to manage your files in wordpress.
The built in “media manager” will let you upload and manage images from the WordPress dashboard. This is great for single files but can be very limited with file types and folder access. But that’s on purpose to make sure you can’t break your WordPress from the inside.
There’s usually a “file manager” or “file browser” in the hosting product. This can be limited in batches or folders but it should still enable you to manage your files. If you need to upload a set of files you have to zip, upload and decompress to your destination folder.
Just about every hosting provider will give you FTP access and a set of credentials to let you connect directly to your hosting directory. This is the best option and most effective.
3rd Party
I’ve explained the options for managing files in WordPress. None of them include “install a 3rd party plugin that has full read/write perms to the hosting account”. So do things the right way and don’t cut corners.
Who installed this 3rd party file management plugin?
It could be your web dev who didn’t want to ask for FTP perms. It could be the guy who built the site originally. It could be the SEO guy you outsourced things to 6 months ago. It could be the last guy you hired to try and update a few things. In any situation, this was installed by someone using the WordPress dashboard and it got left here long enough for a bot to find and break.
What now that my site is hacked?
Remove any 3rd party file management plugins. Spot treat your hosting and remove anything you don’t absolutely need. Run a malware removal scan and have them clean up what they can find. Make sure you have a long conversation with your devs about permissions and access. You can just call in if you need to find FTP cred’s.