Affiliate Plugin in Must-Use plugin section

No, I’m sure it’s not from your developer but I think Hostinger did that! I have already checked on two sites I hosted on their servers. I think WordPress needs to take action to that bad practice.

Here’s the code I copied from one of the sites:

<?php
/**
 * Plugin Name: Affiliate Plugin
 * Description: "Affiliate Plugin" serves the purpose of integrating affiliate links into the WordPress website.
 * Version: 1.0.3
 * Text Domain: hostinger-mu-affiliates-plugin
 */

defined( 'ABSPATH' ) || exit;

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

class Hostinger_MU_Affiliates {
    const MONSTERINSIGHTS_AFFILIATE_ID = '3107422';
    const ASTRA_AFFILIATE_ID = '12425';
    const WPFORMS_AFFILIATE_LINK = 'https://shareasale.com/r.cfm?b=834775&u=3107422&m=64312&urllink=';
    const AIOSEO_AFFILIATE_LINK = 'https://shareasale.com/r.cfm?b=1491200&u=3107422&m=94778&urllink=';
    const HESTIA_AND_NEVE_AFFILIATE_LINK = 'https://www.shareasale.com/r.cfm?b=642802&u=3107422&m=55096';

    public function __construct() {
        if ( is_admin() ) {
            $this->define_admin_hooks();
        }

        add_action( 'init', array( $this, 'schedule_weekly_cron_job' ) );
    }

    public function affiliate_astra() {
        add_option( 'astra_partner_url_param', self::ASTRA_AFFILIATE_ID, '', 'no' );
    }

    public function affiliate_monsterinsights( $id ) {
        return self::MONSTERINSIGHTS_AFFILIATE_ID;
    }

    public function wpforms_upgrade_link( $link ) {
        return self::WPFORMS_AFFILIATE_LINK . rawurlencode( $link );
    }

    public function aioseo_upgrade_link( $link ) {
        return self::AIOSEO_AFFILIATE_LINK . rawurlencode( $link );
    }

    public function neve_or_hestia_upgrade_link( $utmify_url, $url ) {
        if ( strpos( $url, 'themes/neve/upgrade' ) !== false || strpos( $url, 'themes/hestia-pro/upgrade' ) !== false ) {
            return self::HESTIA_AND_NEVE_AFFILIATE_LINK;
        }

        return $utmify_url;
    }

    private function define_admin_hooks() {
        add_filter( 'optinmonster_sas_id', array( $this, 'affiliate_monsterinsights' ) );
        add_filter( 'monsterinsights_shareasale_id', array( $this, 'affiliate_monsterinsights' ) );
        add_filter( 'wpforms_upgrade_link', array( $this, 'wpforms_upgrade_link' ) );
        add_filter( 'aioseo_upgrade_link', array( $this, 'aioseo_upgrade_link' ) );
        add_filter( 'tsdk_utmify_url_neve', array( $this, 'neve_or_hestia_upgrade_link' ), 11, 2 );
        add_filter( 'tsdk_utmify_url_hestia-pro', array( $this, 'neve_or_hestia_upgrade_link' ), 11, 2 );
    }

    public function schedule_weekly_cron_job() {
        if ( ! wp_next_scheduled( 'run_weekly_affiliate_astra' ) ) {
            wp_schedule_event( time(), 'weekly', 'run_weekly_affiliate_astra' );
        }
        add_action( 'run_weekly_affiliate_astra', array( $this, 'run_weekly_affiliate_astra' ) );
    }

    public function run_weekly_affiliate_astra() {
        if ( ! get_option( 'astra_partner_url_param' ) ) {
            $this->affiliate_astra();
        }
    }
}

new Hostinger_MU_Affiliates();

I’m sure it’s not mine! I don’t have affiliate links to those site at all!

PS: You can remove it from your cPanel or hPanel (if you’re already use their own Panel) File Manager or FTP if you have access to it.

• This reply was modified 1 year, 1 month ago by umeckzki. Reason: Add the answer to the question about deleting the plugin

So I can just delete this file here: File Manager –> public_html folder –> wp-content –? mu-plugins –>?hostinger-affiliate-links.php

Is that correct? Will that remove the Affiliate plugin and anything related to that?

Yes, it’s safe to delete that file. It will be removed from your site. It’s only one PHP file and designed to automatically insert affiliate links into your website for certain plugins and themes, like Astra, MonsterInsights, etc.

Reach out to Hostinger’s support and inquire about these “Affiliate Plugin” file. Ask them why they were installed, their specific purpose, and if they were meant to be there without your knowledge.

Got it. Thank you for your advice!

So I deleted the hostinger-affiliate-links.php in mu-plugins folder and it works fine. But few hours later, the same file came back again ??

How do I prevent that from happening again? I asked Hostinger customer service and the bot replied this:

To prevent an affiliate plugin from being automatically reinstalled on your WordPress site after deletion, ensure that you have removed any leftover files and folders related to the plugin from your WordPress installation directory. Additionally, check your site’s wp-config.php file and other configuration files for any code that might be triggering the reinstallation. It’s also important to ensure that your WordPress, themes, and other plugins are up to date to prevent unauthorized actions, and consider using security plugins like WordFence or Anti-Malware Security to scan for and block malicious behavior. For more security tips, you can refer to the following link:?https://www.hostinger.com/tutorials/wordpress-malware-removal.

I have just checked all my sites and the plugin didn’t come back again.

If the plugin keeps coming back despite deleting it, and if you don’t have access to human support from Hostinger, you’ll need to take additional steps to ensure the plugin doesn’t reappear. Here are some further actions you can take:

1. Check File Permissions: Ensure that the permissions on your WordPress files and directories are properly configured. Make sure that only the necessary users have write permissions, and restrict write access as much as possible to prevent unauthorized changes.
2. Scan for Malware: Use a reputable security plugin or an online scanning tool to thoroughly scan your WordPress installation for malware. Some plugins can detect and remove malicious files automatically.
3. Monitor File Changes: Set up file integrity monitoring to detect any unauthorized changes to your WordPress files and directories. Some security plugins offer this feature, or you can use server-side tools to monitor file changes.
4. Implement Web Application Firewall (WAF): Consider using a web application firewall to filter and monitor HTTP traffic to and from your WordPress site. A WAF can help block malicious requests and protect against various types of attacks.
5. Review Access Logs: Check your server access logs to see if there are any suspicious IP addresses or unusual patterns of access. This can help you identify potential attackers and take appropriate action.
6. Review WordPress Core and Plugins: Check for any vulnerabilities or outdated software in your WordPress core installation and plugins. Remove any unused plugins and themes, and keep everything updated to the latest versions to patch security vulnerabilities.

Asked Hostinger regarding this issue and I got an answer from them which isn’t helpful at all.

Regarding the must-use (MU) plugin, it’s installed to integrate with affiliated plugins and themes, such as Astra, WPForms, and All in One SEO, to provide streamlined functionality and simplify the process for our users!

If you have any further concerns or questions, please feel free to reach out to us directly at [email protected]. We’re here to assist you.

Looks like it’s been installed on sites with Astra theme, AIO SEO, WPForms, MonsterInsights, Neve, and some other plugins.

Hello,

Thank you for bringing this to our attention. We understand your concerns regarding the pre-installation of the Affiliate Plugin as MU plugin on your WordPress site. It was created to track our partnership with some plugin and theme developers and was installed on just a part of WordPress sites depending on what website type was selected during onboarding.

Our team has heard your feedback loud and clear. It’s not the best practice, and we will no longer pre-install the MU plugin on users’ websites. This adjustment may take a few days to implement, but please rest assured that it’s our top priority.

We apologize for any inconvenience and confusion this may have caused and appreciate your understanding as we work to improve our services.

If you have any further questions or concerns, please don’t hesitate to reach out to us at [email protected]. We’re here for you.

Thank you for your patience and understanding.

I was also looking at that plugin flagged as “Must Use” and thought my site was hacked!
@hostinger should be sued for this.

Yes I had to deal with same issue.. Definetly we have to sue @hostinger. They are sharing or data to this IPs:

Identified server IPs: “191.101.104.95”, “2a02:4780:84:b5ee:3834:56cf:3ce6:22ec”, “2a02:4780:b::1a”, “154.41.250.178”, “2a02:4780:1d:1854:cec2:e6b5:9dd9:f609”, “154.41.250.217”, “2a02:4780:1d:43a7:336a:2e01:9100:b004”, “154.41.250.155”, “2a02:4780:22:d80a:ca9d:358:f23b:7877”, “154.62.106.111”, “2a02:4780:1d:deea:3084:d9da:2f38:f1f4”, “191.101.104.239”, “2a02:4780:1d:9c66:ea34:77c4:4e03:fae”, “191.101.104.185”, “2a02:4780:1d:99f0:541c:3692:df72:871b”, “154.62.106.135”, “2a02:4780:1e:fb6f:5299:bf0c:dc6f:becb”, “154.41.250.151”, “2a02:4780:1e:166f:a8f5:9d56:4152:dd32”, “154.41.250.9”, “2a02:4780:22:dccb:d8c1:b4fe:9530:33ce”, “191.96.144.104”, “2a02:4780:1e:6243:9c04:4a9a:e19e:76f6”, “191.101.104.22”, “2a02:4780:22:1c6d:d6e0:75c7:ee5a:936f”, “154.62.106.76”, “2a02:4780:21:3dd7:6d9c:3356:6d02:e7f7”, “154.62.106.104”, “2a02:4780:21:85ae:2577:cec8:5ce4:4ff”, “154.41.250.112”, “2a02:4780:1d:babe:4d5f:7fcd:1b75:93e8”, “154.62.106.197”, “2a02:4780:21:a1f9:52ae:40f8:bbb5:e866”, “154.41.250.68”, “2a02:4780:1e:30c5:8a6d:453a:4d47:d195”, “191.96.144.116”, “2a02:4780:22:4260:eec3:8a91:90c2:8ac1”, “84.32.84.231”, “2a02:4780:21:8c0c:2135:46b6:9e36:a685”, “191.96.144.197”, “2a02:4780:21:8bf5:5aac:ce29:6778:1b88”, “154.41.250.137”, “2a02:4780:1e:bcb0:ea91:55cd:3667:d7fb”, “191.101.104.131”, “2a02:4780:1e:1d64:45af:4c78:fc32:e399”, “191.101.104.89”, “2a02:4780:22:e158:cdeb:e5d6:fb9a:9119”, “154.41.250.171”, “2a02:4780:1d:549b:86f7:d703:22ea:5277”, “191.96.144.120”, “2a02:4780:84:60a9:2061:2afc:17b7:a058”, “154.62.106.204”, “2a02:4780:22:41f7:8972:3d09:9a:1a69”, “154.41.250.176”, “2a02:4780:22:fd3f:d782:62fe:81d4:786”, “154.62.106.213”, “2a02:4780:22:d26b:dd86:5352:dfba:f052”, “154.62.106.210”, “2a02:4780:22:8d:fdde:b3d0:b657:3eb2”, “191.96.144.123”, “2a02:4780:1e:cc02:3ae4:b334:1496:1c23”, “84.32.84.174”, “2a02:4780:1d:4f96:1588:cddd:5e30:8755”, “191.101.104.8”, “2a02:4780:21:670e:1a2f:5c3c:6087:a1a”, “191.101.104.32”, “2a02:4780:1d:4209:4a57:7a10:a9c0:b19a”, “2a02:4780:b:660:0:83a:9e3c:10”, “191.101.104.163”, “2a02:4780:1e:82d0:f32:4203:7793:e40”, “191.101.104.91”, “2a02:4780:21:f2c2:55df:6a8d:4a9e:bc59”, “191.101.104.59”, “2a02:4780:22:b902:5347:491d:cafe:4b32”, “154.41.250.82”, “2a02:4780:1e:9af1:4d21:805e:b28e:ce8f”, “191.101.104.227”, “2a02:4780:22:959f:5544:ffa4:ad6b:5006”, “191.96.144.125”, “2a02:4780:1d:9ca:31b7:362a:ea9e:1da9”, “154.62.106.228”, “2a02:4780:1d:4ce9:1085:a534:23f8:84a”, “191.96.144.124”, “2a02:4780:1e:751b:7f3b:8392:707a:2e1c”, “191.101.104.155”, “2a02:4780:1e:a4aa:b618:9f95:93d3:1f11”, “154.62.106.163”, “2a02:4780:21:d148:71ca:a9c5:aedf:c6ab”, “154.62.106.79”, “2a02:4780:1e:a95b:cac8:d2d1:1bd5:c1e4”, “191.101.104.62”, “2a02:4780:22:b2be:b7b2:6dda:8665:1748”, “191.96.144.42”, “2a02:4780:21:c90f:e54d:51b3:ee28:78db”, “154.41.250.42”, “2a02:4780:1e:d327:b960:f78d:b8ec:ffc3”, “84.32.84.245”, “2a02:4780:21:d8e8:685f:f309:5b7a:cb77”, “154.41.250.181”, “2a02:4780:1e:fb85:c12a:2bb4:26f7:6da9”, “191.96.144.99”, “2a02:4780:1e:851c:7b42:cb49:6d81:1698”, “191.96.144.148”, “2a02:4780:1e:db5f:b609:43e:d9c4:e43”, “154.41.250.36”, “2a02:4780:22:5ba:cf0e:ecc:fc7e:8745”, “154.62.106.166”, “2a02:4780:1e:badd:cf34:26f:cd68:46a9”, “84.32.84.109”, “2a02:4780:84:fe1d:69d9:2f49:d8d1:5985”, “154.62.106.235”, “2a02:4780:21:6ba:2f79:8312:fab4:ffa4”, “154.41.250.103”, “2a02:4780:21:3960:d6c2:9303:2f7f:abb”, “154.62.106.2”, “2a02:4780:84:7447:b804:31c2:d023:763c”, “154.41.250.186”, “2a02:4780:16:a667:4111:a4de:d175:d11d”, “84.32.84.247”, “2a02:4780:84:aef4:55f6:bba7:39b:166f”, “154.62.106.231”, “2a02:4780:22:f1d9:c228:739d:6f21:42e7”, “191.96.144.6”, “2a02:4780:21:5a7e:56a5:a7cb:2789:5490”, “191.101.104.98”, “2a02:4780:1e:7062:dcd8:fa6b:82e2:e70a”, “154.62.106.152”, “2a02:4780:22:a7c6:d436:9e0c:9541:7899”, “154.62.106.102”, “2a02:4780:1e:4db7:238f:fb82:d483:a87b”

Dear @kamiotech,

An update about the plugin – it was already removed and will no longer be installed.

Regarding the IP addresses you’ve provided, to clear any confusion, they are actually a part of our network, not 3rd-parties IPs. We value our customers’ privacy and security; hence, we will never share any confidential information with anyone.

This means, we’re not “sharing data”, the traffic towards these IPs is related to the connection between our plugin (the main one), and our APIs.

If any additional questions would arise, don’t hesitate to reach out. We’re here to clear any doubts or concerns you might have.

Sincerely,
Team Hostinger