Help, please! Fixed "known threats" and now my site is broken


This topic contains 5 replies, has 2 voices, and was last updated by W K 10 years, 10 months ago.

    #731

    W K
    Member

    I have been getting a crash course in WP security thanks to my hosting company suspending my site on Thursday due to a bunch of incursions on my WP installations.  Through this adventure, I found your wonderful plugin, which helped me to clean up that first batch of infections over the weekend.  I ran a fresh round of scans yesterday, and all was still well.  Phew!

    Today, my hosting company informed me their scan is picking up new infections.  Your latest definitions picked up the same ones (the previous definitions, from a day or two ago, which I ran first, do not).  I clicked to “fix automatically”, but got the dreaded red bar.  My site no longer works, nor does my wp-admin page, aside from your scan.  (Even “view quarantine” breaks.)

    I tried to click “revert changes” several times, but nothing happened, and now I don’t see that option any more.

    Here’s the error message from the two “fixed” files:

    Warning: require_once(/home/MYUSERNAME/public_html/MYSITE/wp-content/themes/OptimizePress/lib/admin/admin-interface.php) [function.require-once]: failed to open stream: No such file or directory in /home/MYUSERNAME/public_html/MYSITE/wp-content/themes/OptimizePress/functions.php on line 79

    Fatal error: require_once() [function.require]: Failed opening required ‘/home/MYUSERNAME/public_html/MYSITE/wp-content/themes/OptimizePress/lib/admin/admin-interface.php’ (include_path=’.:/usr/lib/php’) in /home/MYUSERNAME/public_html/MYSITE/wp-content/themes/OptimizePress/functions.php on line 79

    I’ll send you the login info.

    Help, please!  My entire production site is now down.

    Thanks so much,

    Wendy

    #732

    W K
    Member

    I’m having a hard time finding where to email you the credentials.  Is it this?

    wordpress at ieonly dot com

    #733

    W K
    Member

    Okay, I replaced the two “fixed” (actually removed) files, which were essential to the theme and site working.  Now my site is up again.

    I see that my theme has an update, so I’ll install that and see if that fixes the threat.

    I’ll keep you posted.

    #734

    W K
    Member

    Okay, I really do need your help.

    The two files flagged as “known threats” in OptimizePress 1.53 and 1.45 are exactly the same in the latest version, 1.57.  So updating the theme will not help me.

    My hosting company is also flagging these same files and requiring that I “clean” them.  But they are essential to the functioning of my site.

    Can you please tell me what’s wrong with these files?

    http://www.TheProsperousArtist.com/fans/wp-content/themes/OptimizePress/lib/admin/admin-interface.php

    http://www.TheProsperousArtist.com/fans/wp-content/themes/OptimizePress/lib/functions/theme-functions.php

    Thanks so much!
    Wendy

    #735

    Anti-Malware Admin
    Key Master

    It would appear that the OptimizePress theme is using a method of code obfuscation that matches Known Malicious Threat patterns. I cannot see the code in those two files from the links you provided but if you were to send me those files I could check them out more thoroughly. I have temporarily white-listed this definition and I could create a permanent white-list entry for these files if I can confirm they are harmless.

    Unfortunately I cannot do anything about your hosting provider calling them malicious so you would need to take it up with them too. It may also be worth it to let OptimizePress know that your host is flagging their files as malicious so that they can defend their product.

    If you can email those files to me directly then I will check them out right away and white-list them if appropriate.
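
An added example, not the plugin's code and not part of any post in this thread: a signature scan over PHP sources with a white-list pinned to each reviewed file's SHA-256, so a file is skipped only while its content is unchanged since review. The signature patterns, the `scan` helper and the sample file contents are assumptions constructed for illustration.

```python
from __future__ import annotations
import hashlib
import re

# Assumed signatures for common PHP obfuscation idioms (not the plugin's real definitions).
SIGNATURES = {
    "eval-of-decoded-string": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long-base64-literal": re.compile(
        rb"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{200,}['\"]", re.I),
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan(files: dict[str, bytes], allowlist: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (path, signature, status) for every signature hit.

    allowlist maps a path to the SHA-256 of the content that was reviewed.
    A hit is suppressed only when the current content still has that hash;
    a path-only white-list would keep hiding the file after it is modified.
    """
    findings = []
    for path, data in sorted(files.items()):
        for name, pattern in SIGNATURES.items():
            if not pattern.search(data):
                continue
            pinned = allowlist.get(path)
            if pinned is None:
                status = "flagged"
            elif pinned == sha256(data):
                status = "allowlisted"
            else:
                status = "flagged-changed-since-review"
            findings.append((path, name, status))
    return findings

# Constructed samples: an obfuscated but harmless loader, and the same file after a change.
REVIEWED = b"<?php /* vendor code */ eval(base64_decode('ZWNobyAnb2snOw==')); ?>"
TAMPERED = REVIEWED + b"\n<?php eval(gzinflate(base64_decode('AAAA'))); ?>"
CLEAN = b"<?php echo 'hello'; ?>"
PATH = "lib/admin/admin-interface.php"

if __name__ == "__main__":
    pinned = {PATH: sha256(REVIEWED)}
    for label, body in (("as reviewed", REVIEWED), ("after change", TAMPERED)):
        print(label, scan({PATH: body, "index.php": CLEAN}, pinned))
```
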

    #743

    W K
    Member

    Okay, so clearly that’s a GOOD thing that you can’t see directly inside my WordPress installation. :-)

    I’ll email you the files!

    Wendy
