
WP Hit Counter
Adds 'hookd' backdoor to your WP (7 posts)

1 star
  1. monkeyfacestick
    Member
    Posted 1 year ago #

    At first glance and use, this plugin offers a neat interface in which you can change the theme for the counter. There are lots of templates to choose from which makes this plugin very attractive, along with the basic settings it provides.

    However, this plugin also was the culprit that created three particular unwanted 'extras':

    1) It inserted JavaScript into the header.php file of your theme which was used to help analyze your site's traffic, then sent off-site. This JavaScript is located right before the closing </head> tag.

    2) It created a string of child directories inside the WP-CONTENT folder like this: wp-content/cache/hookd/DOMAINNAME.com, and inside that folder are two files: 8b8203326e2a9c70947a and index.html

    3) Eventually, if your header.php file is writable, it would add Viagra/Cialis or Loan or some other sort of unwanted advertisement into your web site upon first site-wide load. Those who have their browsers secured with anti-virus/anti-malware mods will most likely not see the ad, but those who aren't protected will see it.

    ----

    Summary: This plugin needs to be blacklisted and its author needs to be charged for fraud and privacy issues.
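    The three items above are concrete, checkable indicators. The script below is an added example (not code from this thread, the plugin, or WordPress): a read-only scan of a WordPress install for the on-disk traces post 1 describes, a script pulled in from another host inside the head of a theme's header.php, and a wp-content/cache/hookd/<domain>/ directory, plus the writable-header.php precondition the post mentions. The WordPress tree it builds is a constructed fixture; only the hookd path and the file name 8b8203326e2a9c70947a come from the thread, and the host names are placeholders.

```python
"""Added example, not code from the thread or the plugin: a read-only scan of a
WordPress install for the on-disk indicators post 1 describes. The WP tree built
by build_demo_install() is a constructed fixture; the host names in it are
placeholders, only the hookd path and 8b8203326e2a9c70947a come from the thread."""
import os
import re
import tempfile

# Any <script src=...> that points at a host other than the site's own. The
# thread does not quote the injected script, so this is the general check,
# not its exact signature.
EXTERNAL_SCRIPT = re.compile(
    r"<script[^>]*\ssrc=['\"]?(?:https?:)?//([^/'\"\s>]+)", re.IGNORECASE)


def scan_header(header_path, site_host):
    """Return the external hosts that header.php loads scripts from inside <head>."""
    with open(header_path, encoding="utf-8", errors="replace") as f:
        html = f.read()
    head_end = html.lower().find("</head>")
    head = html if head_end < 0 else html[:head_end]
    return sorted({h for h in EXTERNAL_SCRIPT.findall(head)
                   if h.lower() != site_host.lower()})


def scan_install(wp_root, site_host):
    """Return (kind, path, detail) findings; an empty list means no indicator."""
    findings = []
    hookd = os.path.join(wp_root, "wp-content", "cache", "hookd")
    if os.path.isdir(hookd):
        for domain in sorted(os.listdir(hookd)):
            d = os.path.join(hookd, domain)
            if os.path.isdir(d):
                findings.append(("hookd_cache_dir", d, sorted(os.listdir(d))))
    themes = os.path.join(wp_root, "wp-content", "themes")
    if os.path.isdir(themes):
        for theme in sorted(os.listdir(themes)):
            header = os.path.join(themes, theme, "header.php")
            if not os.path.isfile(header):
                continue
            hosts = scan_header(header, site_host)
            if hosts:
                findings.append(("external_script_in_head", header, hosts))
            # Post 1 says the ads only appear when header.php is writable, so
            # report that precondition too. In production the web server user
            # is what matters; here it is whoever runs this script.
            if os.access(header, os.W_OK):
                findings.append(("writable_header", header, None))
    return findings


def build_demo_install(site_host="my-site.example", tracker="tracker.example"):
    """Constructed fixture: a minimal WP tree that shows both indicators."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    theme = os.path.join(root, "wp-content", "themes", "demo-theme")
    os.makedirs(theme)
    with open(os.path.join(theme, "header.php"), "w", encoding="utf-8") as f:
        f.write("<html><head><title>demo</title>\n"
                f"<script src='http://{tracker}/stats.js'></script>\n"
                "</head><body>\n")
    cache = os.path.join(root, "wp-content", "cache", "hookd", site_host)
    os.makedirs(cache)
    for name in ("8b8203326e2a9c70947a", "index.html"):
        open(os.path.join(cache, name), "w").close()
    return root


if __name__ == "__main__":
    for kind, path, detail in scan_install(build_demo_install(), "my-site.example"):
        print(kind, path, detail)
```

    Run it against a real install by calling scan_install("/path/to/wordpress", "yourdomain.com") instead of the fixture. The external-script check is deliberately broad, so expect legitimate hits (analytics, fonts) that you then whitelist; the hookd directory is the specific trace from the thread.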

  2. greentina
    Member
    Posted 9 months ago #

    Yes, you are right, I did see the ad line under the counter, not yet on the header. I deactivated. Do I need to do anything else to make sure it's gone from my site?

  3. Rob Eschauzier
    Member
    Posted 6 months ago #

    In all fairness guys,
    the license says this plugin collects data about your site and that it places adverts.

    Read the license before you start whining about fraud and suing people, it's only one little paragraph of text.

  4. > Read the license before you start whining about fraud and suing people, it's only one little paragraph of text.

    Where's the license text?

  5. *Installs plugin, looks at said plugin, sees Bad Thing™*

    This is a problem.

    https://plugins.trac.wordpress.org/browser/wp-hit-counter/trunk/image.php#L92

    That link gets inserted without the user agreeing to it. The option "Author credit (link will be displayed under the hit counter)" defaults to off but all that does is hide the link via CSS.

    <style type="text/css">.credits_off {display:none;}</style><div class="wp-hit-counter" align="center"><img src='http://my-test-url-here/wp-content/plugins/wp-hit-counter/designs/Basic/2/0.gif'><img src='http://my-test-url-here/wp-content/plugins/wp-hit-counter/designs/Basic/2/0.gif'><img src='http://my-test-url-here/wp-content/plugins/wp-hit-counter/designs/Basic/2/0.gif'><img src='http://my-test-url-here/wp-content/plugins/wp-hit-counter/designs/Basic/2/3.gif'><br /><small class="credits_off">by <a href="https://sites.google.com/site/seolosangelesblissdrive/">Bliss Drive Review</a></small></div>

    Per the plugin guidelines:

    10. The plugin must not embed external links on the public site (like a "powered by" link) without explicitly asking the user's permission. Any such options in the plugin must default to NOT show the link.

    While it's a little clever to do the display: none part, the plugin should not be inserting that hidden link like that.
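    The "hidden, not absent" trick above is easy to check for on a rendered page. The following is an added example (not code from this thread, the plugin, or WordPress): it collects the classes that an inline style block sets to display:none, then walks the markup and reports every link to another host that sits inside a hidden element. It goes slightly beyond the thread's one case by also honouring a display:none in a style attribute and by treating children of a hidden element as hidden. The sample markup is the output quoted above with the credit URL replaced by the placeholder https://credit-link.example/; external stylesheets are not parsed.

```python
"""Added example, not code from the thread or the plugin: report links to other
hosts that a page hides with CSS display:none. SAMPLE_HTML is the thread's
quoted output with the credit URL swapped for a placeholder."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# .classname { ... display:none ... } inside an inline <style> block
HIDDEN_CLASS_RULE = re.compile(
    r"\.([A-Za-z0-9_-]+)\s*\{[^}]*display\s*:\s*none", re.I)
HIDDEN_STYLE_ATTR = re.compile(r"display\s*:\s*none", re.I)
STYLE_BLOCK = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)
VOID = {"img", "br", "hr", "input", "meta", "link"}  # never pushed on the stack


class HiddenLinkFinder(HTMLParser):
    def __init__(self, site_host, hidden_classes):
        super().__init__()
        self.site_host = site_host.lower()
        self.hidden_classes = hidden_classes
        self.stack = []          # one entry per open element: is it hidden?
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        classes = set((a.get("class") or "").lower().split())
        own_hidden = bool(classes & self.hidden_classes) or \
            bool(HIDDEN_STYLE_ATTR.search(a.get("style") or ""))
        # a child of a hidden element is hidden as well
        hidden = own_hidden or (self.stack[-1] if self.stack else False)
        if tag == "a" and hidden:
            host = (urlparse(a.get("href") or "").hostname or "").lower()
            if host and host != self.site_host:
                self.hidden_links.append(a["href"])
        if tag not in VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()


def find_hidden_external_links(html, site_host):
    """Return hrefs of <a> elements to other hosts that sit inside hidden markup."""
    hidden_classes = set()
    for css in STYLE_BLOCK.findall(html):
        hidden_classes.update(c.lower() for c in HIDDEN_CLASS_RULE.findall(css))
    finder = HiddenLinkFinder(site_host, hidden_classes)
    finder.feed(html)
    finder.close()
    return finder.hidden_links


# Constructed sample: the thread's counter markup with a placeholder credit URL.
SAMPLE_HTML = (
    '<style type="text/css">.credits_off {display:none;}</style>'
    '<div class="wp-hit-counter" align="center">'
    "<img src='http://my-test-url-here/wp-content/plugins/wp-hit-counter/designs/Basic/2/0.gif'>"
    "<img src='http://my-test-url-here/wp-content/plugins/wp-hit-counter/designs/Basic/2/3.gif'>"
    '<br /><small class="credits_off">by '
    '<a href="https://credit-link.example/">Credit Link</a></small></div>'
)

if __name__ == "__main__":
    print(find_hidden_external_links(SAMPLE_HTML, "my-test-url-here"))
```

    To check a live site, fetch the page HTML and pass it in with your own host name; anything the function returns is a link shipped to visitors and crawlers that they are not meant to see, which is exactly what guideline 10 is about.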

  6. Rob Eschauzier
    Member
    Posted 6 months ago #

    > Where's the license text?

    license.txt is in the plugin zip file. (or in the plugin folder if you install it directly via WordPress)

    It says:

    This program is supported by ad space sharing. The software will save data of your page (url, version etc.) for statistical reasons. None of this data will be published or given to a third party without your prior permission. By using the program, you are agreeing to this condition, and confirming that your sites abide by Google's policies and terms of service.

    I'm not denying it's kind of a dick move to collect data or add ads and not warning for it on the plugin download page, but people should pay attention to what they download.

  7. I totally missed that.

    https://plugins.trac.wordpress.org/browser/wp-hit-counter/tags/1.0/licence.txt

    I'm not part of the plugin team (good thing too, that team works hard) but I think that license text is just another problem with that plugin...

Topic Closed

This topic has been closed to new replies.
