WordPress.org Forums

Sidebar Login
My site got hacked after installing this. TWICE (32 posts)

4 stars
  1. thanushka
    Member
    Posted 1 year ago #

    This plugin compromises the security of the login and creates double logins. Do not use this and stay away. My site got hacked after installing this plugin.

    - The plugin did not have anything to do with the hacks directly. But I learned (as addressed in a different post) that it did have a problem with how the password was printed, which could well be the reason. The plugin developer promptly (and kindly) fixed the password issue. I will update my review once I test it again.

    I downloaded the new sidebar login (2.5) and have been using it since yesterday. No problems so far. No double logins, no sudden log-offs etc. But I did not log in to the site admin through that. I think it's an excellent plugin and will update my review in a couple of weeks.

  2. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    Your site being hacked is not an indication of a security issue in any plugin unless you have concrete evidence - in which case you should be contacting plugins [at] wordpress [dot] com with all relevant details.

  3. thanushka
    Member
    Posted 1 year ago #

    My website is http://www.blissfulinterfaces.com/. I installed this plugin early last year. I logged in through the sidebar plugin's login, and everything seemed fine. A while later I was asked to re-login. I thought it was fishy but I did it anyway. It was too late when I realized the plugin had redirected me to a site called http://fivemonkeyquilts.com/.
    From that moment my domain was redirecting to http://fivemonkeyquilts.com/!!! (You will see that that domain redirects to my site now; what's the point of that anyway?? lol)

    Then I had to do everything in the world to get that fixed. I did think it must be this plugin, so I uninstalled it. Today I was looking for a quick login widget and installed this again. (I did feel the name sounded familiar, but I didn't really think my assumption was right, with so much positive feedback). So, long story short, I almost got hacked again. The login in this plugin logs you in and then redirects to a fake login to steal the password.

    I'm not 100% sure that this plugin is associated with login stealing. But I know for sure that this plugin at least creates some security hole in wordpress. So users beware.

  4. I don't see anything, but I've posted this for the plugin review team to look at just in case.

    ETA: If you have not YET, change ALL your passwords.

  5. thanushka
    Member
    Posted 1 year ago #

    I appreciate that... I'm certain about the relationship between installing this plugin and getting redirected to fivemonkeyquilts. Plus I saw some more people complaining about security holes in this plugin (it was too late when I saw those).

    It seriously messed up my wp-login (it keeps making me log in several times). Now I'm trying to figure out how to fix it...

  6. @thanushka I'm a plugin reviewer for WordPress.org and I've just reviewed every line of code in this plugin. It's not possible that this plugin was responsible for the hack.

    I suspect what happened is that you had a second plugin, or a piece of malicious code inside of your theme (or WordPress core files) that was designed to intercept the login process (quite easy for someone to do if they know how and have gained access to your site). This would have made it appear to be this plugin, but in reality, the same thing would have happened regardless of how you logged into your site.

  7. thanushka
    Member
    Posted 1 year ago #

    We too checked the code and could not find anything directly related to the security breach, which is why I did not report it. In fact, that is why I reinstalled this plugin a few weeks after the first time the site got hacked and fixed. But after installing and using the sidebar login once, it happened again.

    I do not think the plugin itself does the hacking, but I'm certain it makes the WordPress login vulnerable. Did you check how the plugin passes the passwords etc.? Is that secure? I noticed several people complained about it.. (My blog isn't even a popular blog and it only has a few responsive design related articles that come #1 in Google). So I really don't think anyone's purposely trying to hack it.. What's the point? lol

    I didn't have any issues since I removed this plugin (twice last year) and got the login / redirect problem fixed UNTIL yesterday, when I accidentally installed the same plugin again for the 3rd time and almost got hacked.. It's like installing this plugin activates some security vulnerability... I'm on Mac OS X, so perhaps its vulnerability is related to that.. (The first time I got hacked was after logging in to the admin from an iPad)

  8. thanushka
    Member
    Posted 1 year ago #

    The first and second time my site got hacked (last year) I was using a theme I wrote from scratch. So it cannot be my theme. My current theme does have some code written by others but everything was fine until yesterday...

  9. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    So it cannot be my theme.

    Why? No one is perfect and it's entirely possible that your theme did contain a security hole of one type or another.

  10. thanushka
    Member
    Posted 1 year ago #

    I just found out that after installing the plugin this redirect was written to my .htaccess file, which used to be fine just a few days ago..

    <IfModule mod_rewrite.c>
    
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{HTTP_REFERER} ^http://www.fivemonkeyquilts.com/more-about-joomla/30-the-community/46-angela-lamoree [NC]
    RewriteCond %{HTTP_REFERER} ^http://www.fivemonkeyquilts.com/ [NC]
    RewriteRule . /index.php [L]
    </IfModule>
    
    RewriteEngine on
    # Options +FollowSymlinks
    RewriteCond %{HTTP_REFERER} fivemonkeyquilts\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} LoisVowelstopsoilhockessin5.posterous\.com[NC,OR]
    RewriteCond %{HTTP_REFERER} s.nsdsvc\.com
    RewriteRule .* - [F]

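
The rewrite rules pasted above are worth checking mechanically rather than by eye. What follows is an added example, not code from WordPress, from Sidebar Login or from anyone in this thread: a small Python audit that separates the directives WordPress itself writes to .htaccess for pretty permalinks from everything else, classifies the remainder, and lists the outside hosts those rules refer to. The .htaccess from the post above is embedded verbatim as the sample input; the canonical WordPress block it compares against is the one WordPress writes between "# BEGIN WordPress" and "# END WordPress", and the classification labels are the example's own heuristic.

```python
"""Audit a WordPress .htaccess for rewrite logic that WordPress did not write.

Added example for this thread; not WordPress, Sidebar Login or any poster's code.
The .htaccess quoted in the post above is embedded as the sample input. Parsing
is line based, which is also how Apache reads the file.
"""
import re

# The mod_rewrite directives WordPress writes between "# BEGIN WordPress" and
# "# END WordPress" for pretty permalinks (lower-cased for comparison). Anything
# else in the file was put there by an administrator, a plugin or an intruder
# and has to be explained.
WP_CANONICAL_DIRECTIVES = {
    "rewriterule ^index\\.php$ - [l]",
    "rewritecond %{request_filename} !-f",
    "rewritecond %{request_filename} !-d",
    "rewriterule . /index.php [l]",
}

DIRECTIVE_RE = re.compile(r"^\s*(RewriteCond|RewriteRule)\s+(.+?)\s*$", re.I)
# A flag group carrying R or R=3xx turns a rule into an HTTP redirect.
REDIRECT_FLAG_RE = re.compile(r"\[[^\]]*\bR(?:=\d{3})?\b[^\]]*\]")
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

# The file posted above, verbatim (raw string: the backslashes are Apache's).
SAMPLE_HTACCESS = r"""<IfModule mod_rewrite.c>

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{HTTP_REFERER} ^http://www.fivemonkeyquilts.com/more-about-joomla/30-the-community/46-angela-lamoree [NC]
RewriteCond %{HTTP_REFERER} ^http://www.fivemonkeyquilts.com/ [NC]
RewriteRule . /index.php [L]
</IfModule>

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} fivemonkeyquilts\.com [NC,OR]
RewriteCond %{HTTP_REFERER} LoisVowelstopsoilhockessin5.posterous\.com[NC,OR]
RewriteCond %{HTTP_REFERER} s.nsdsvc\.com
RewriteRule .* - [F]
"""


def audit_htaccess(text):
    """Return (line_number, kind, directive) for each RewriteCond/RewriteRule
    that is not part of the canonical WordPress block."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(raw)
        if not m:
            continue  # comments, IfModule, RewriteEngine, RewriteBase, blanks
        directive = m.group(1).lower()
        args = " ".join(m.group(2).split())  # collapse whitespace for matching
        if f"{directive} {args}".lower() in WP_CANONICAL_DIRECTIVES:
            continue
        if directive == "rewritecond" and "HTTP_REFERER" in args.upper():
            kind = "referer-conditional rewrite"
        elif directive == "rewriterule" and re.search(r"\shttps?://", args):
            kind = "rewrite to external URL"
        elif directive == "rewriterule" and REDIRECT_FLAG_RE.search(args):
            kind = "HTTP redirect"
        else:
            kind = "non-canonical rewrite directive"
        findings.append((lineno, kind, f"{m.group(1)} {args}"))
    return findings


def referenced_hosts(text):
    """Host names in the non-canonical directives, with regex escaping stripped
    and a leading www. dropped, for cross-checking against access logs."""
    hosts = set()
    for _, _, directive in audit_htaccess(text):
        args = directive.split(" ", 1)[1].replace("\\", "").lower()
        hosts.update(h[4:] if h.startswith("www.") else h for h in HOST_RE.findall(args))
    return sorted(hosts)


if __name__ == "__main__":
    for lineno, kind, directive in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {lineno:>2}  {kind:<32} {directive}")
    print("hosts referenced:", ", ".join(referenced_hosts(SAMPLE_HTACCESS)))
```

Every referer condition and every rewrite outside the WordPress block is reported, including a deliberate referrer-spam blocklist, so the output is a triage list to be explained line by line, not a verdict. On a live site, also compare the file's modification time with the time the plugin was installed, and check the other places a redirect can hide: index.php, wp-config.php, the theme's header.php and the siteurl/home options in the database.
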
  11. thanushka
    Member
    Posted 1 year ago #

    That's true. But every time I installed this plugin and used it at least once, the same thing happened. I used my theme for over a year before I installed this plugin and got hacked instantly, and having it happen twice and having it almost happen for the 3rd time seems to be too much of a coincidence to me. Besides, I'm not the only one (even though I'm one of the very few) who complains about the security of this plugin, especially how it passes user login data.

  12. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    There's nothing in the plugin that touches the .htaccess file. That's simply not how the plugin works. In fact, it doesn't make any changes to any file on the server at all.

  13. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    especially how it passes user login data.

    Can you elaborate?

  14. The plugin is secure. I reviewed every single line. It uses the same methods for logging a user in as WordPress core does.

    The plugin does nothing more (in essence) than output the core WordPress login forms in the sidebar.

  15. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    It uses the same methods for logging a user in as WordPress core does.

    Thank you. That was my conclusion too.

  16. thanushka
    Member
    Posted 1 year ago #

    I still stand by my observation, having had it happen 3 times. Installing this plugin did mess up my login, plus everything else I mentioned. I feel it's somewhat similar to what happened with timthumb, a perfectly good plugin which created a security hole. If anyone wants to try it, it's up to them. I'll update here if I find out how exactly it happens.

  17. That's fine but I assure you, it has nothing to do with the code in this plugin. It's simply not possible, not unless the plugin code was modified after it was installed on your site, which could only happen if your site was already compromised.

    I can pretty much guarantee you that the exact same thing would have happened if you had been using the default wp-login.php login form. Why? Because your site was already infected with malicious code that simply attached to the core WordPress login process.

    It would not have mattered which login plugin you used, it just happened that you used the same one both times, so it made logical sense that it was this plugin.

    I'd recommend you run the Sucuri scanner on your site to look for malware: http://sucuri.net/

  18. thanushka
    Member
    Posted 1 year ago #

    Thank you.. I did scan my site (http://www.blissfulinterfaces.com) with http://sucuri.net/, just a couple of hours earlier (just to make sure) and it came out 100% clean. I understand that there could have been something in my site even Sucuri didn't pick up. If there is, it only gets its way with Sidebar Login, not the WordPress default login.

  19. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    Sucuri is not infallible. You need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Anything less will probably result in the hacker walking straight back into your site again - which may be why you were hacked twice more.

  20. @thanushka Please listen for a moment: there is no way Sidebar Login is responsible for this. It would have happened no matter what plugin you used.

    I'm in no way affiliated with this plugin, I just want to help clarify this issue for you and everyone else.

  21. thanushka
    Member
    Posted 1 year ago #

    @thanushka Please listen for a moment: there is no way Sidebar Login is responsible for this. It would have happened no matter what plugin you used.

    Well it didn't. It only happened with Sidebar Login and it happened 3 times, not just once. Every time it happened, I removed the plugin, completely changed all my passwords, cleaned up the server and wp-config, and freshly installed WordPress, and the problem was solved.

    My review is completely based on my experience.

  22. I understand it is based on your experience, but (as someone who handles dozens of support tickets every day) I can tell you that a large percentage of the time, problems like this only seem to be related to the plugin.

    As a developer, I could very easily write a "hack" that would intercept the login credentials of any WP login plugin. It's really quite easy. The only thing that has to happen is the hack needs to get installed on your site. Simple as that.
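
Posts 6, 17 and 22 make the same technical point: a hook planted in a theme, another plugin or a modified core file sees the credentials from any login form that ends in wp_signon(), so the sidebar form would only appear to be the cause. Below are the two checks a practitioner would actually run, as an added Python example that is not code from WordPress, Sidebar Login or anyone in this thread: a scan of PHP source for hooks on the WordPress login actions and filters combined with the decode, write or send calls a credential harvester needs, and a SHA-256 comparison of installed core files against a pristine copy of the same WordPress version. The hook names wp_authenticate, authenticate and wp_login are real WordPress core hooks; the list of "sink" functions is this example's own heuristic, and every PHP fragment and file used as input is constructed for the example.

```python
"""Triage for a login-intercepting compromise that is independent of the login form.

Added example for this thread, not WordPress, Sidebar Login or any poster's code.
Check 1 scans PHP source for WordPress login hooks combined with the calls a
credential harvester needs. Check 2 compares installed files against SHA-256
hashes of a pristine copy of the same release. All sample inputs are constructed.
"""
import hashlib
import re

# Hooks that see the login. wp_authenticate (action) and authenticate (filter)
# fire from wp_signon() with the submitted username and password, so they run
# for wp-login.php, wp_login_form() output and any widget that calls wp_signon().
LOGIN_HOOKS = {"wp_authenticate", "authenticate", "wp_login",
               "login_init", "login_form", "login_redirect"}
HOOK_RE = re.compile(r"""add_(?:action|filter)\s*\(\s*['"]([A-Za-z_]+)['"]""")
# Heuristic sink list (example's own): decode/obfuscate, persist, or send.
SINK_RE = re.compile(
    r"\b(base64_decode|gzinflate|str_rot13|eval|create_function|"
    r"file_put_contents|fwrite|wp_remote_post|wp_remote_get|curl_exec|mail|wp_mail)\s*\(")


def scan_php(source):
    """Report login hooks and sink calls in one PHP file.
    'suspicious' is set only when both occur together."""
    hooks = [h for h in HOOK_RE.findall(source) if h.lower() in LOGIN_HOOKS]
    sinks = sorted({s.lower() for s in SINK_RE.findall(source)})
    return {"login_hooks": hooks, "sinks": sinks, "suspicious": bool(hooks and sinks)}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def compare_with_pristine(installed, pristine_hashes):
    """installed: {relative path: bytes}. pristine_hashes: {relative path: sha256}
    from a fresh download of the same WordPress version (core only: wp-admin/,
    wp-includes/ and the root files; plugins and themes are compared against
    their own release archives). Returns (modified, extra, missing) paths."""
    modified = sorted(p for p, data in installed.items()
                      if p in pristine_hashes and sha256_hex(data) != pristine_hashes[p])
    extra = sorted(p for p in installed if p not in pristine_hashes)
    missing = sorted(p for p in pristine_hashes if p not in installed)
    return modified, extra, missing


# Constructed: an ordinary theme functions.php.
BENIGN_FUNCTIONS_PHP = r"""<?php
add_action('wp_enqueue_scripts', 'theme_assets');
function theme_assets() { wp_enqueue_style('theme', get_stylesheet_uri()); }
"""

# Constructed: the shape posts 6/17/22 describe. The hook receives the submitted
# username and password on every login attempt, whichever form was used, and
# appends them to a file whose path is hidden behind base64 ("placeholder" here).
HARVESTER_FUNCTIONS_PHP = r"""<?php
add_action('wp_authenticate', 'x_trk', 1, 2);
function x_trk($u, $p) {
    $d = base64_decode('cGxhY2Vob2xkZXI=');
    file_put_contents($d, $u . ':' . $p . "\n", FILE_APPEND);
}
"""

# Constructed stand-ins for a pristine release and the installed tree.
PRISTINE_FILES = {
    "wp-login.php": b"<?php // pristine wp-login.php\n",
    "wp-includes/user.php": b"<?php // pristine user.php\n",
}
PRISTINE_HASHES = {path: sha256_hex(data) for path, data in PRISTINE_FILES.items()}
INSTALLED_FILES = {
    "wp-login.php": PRISTINE_FILES["wp-login.php"],
    "wp-includes/user.php": PRISTINE_FILES["wp-includes/user.php"] + b"include '/tmp/.x';\n",
    "wp-includes/.cache.php": b"<?php // a file no release ships\n",
}

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_FUNCTIONS_PHP), ("harvester", HARVESTER_FUNCTIONS_PHP)):
        print(name, scan_php(src))
    modified, extra, missing = compare_with_pristine(INSTALLED_FILES, PRISTINE_HASHES)
    print("modified:", modified, "extra:", extra, "missing:", missing)
```

A file that only hooks wp_login to record a last-login time, or only calls wp_remote_post for a legitimate API, is not flagged; the scanner deliberately looks for the combination, and anything it does flag still needs reading. Neither check sees code kept outside the web root or in the database (an option holding a redirect, a widget executing PHP through an eval-style plugin), which is why the full clean-up guides linked later in this thread remain the right next step.
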

  23. gokevgo
    Member
    Posted 1 year ago #

    FYI, this might be related to this post, which has apparently been addressed:

    http://wordpress.org/support/topic/security-flaw?replies=18#post-3979284

  24. 2.5.0 has just been uploaded and fixes the issue.

  25. mikejolley
    Member
    Plugin Author

    Posted 1 year ago #

    I don't see how a login plugin would do this. For the most part it simply uses wp_login_form. Has to be a coincidence. If de-activating Sidebar Login is the only action you have taken since your hack, I hope you'll be big enough to come back here and let us all know next time you are hacked without it.

  26. thanushka
    Member
    Posted 1 year ago #

    Look, I didn't come here to argue with you guys but to report a problem I clearly see. I'm NOT saying that the plugin itself hacks. BUT it's clear to me that it has security holes that let hackers get their way in. I don't know how, since I'm not a developer. That's why I came here and posted this. To make something better you need to know both the good AND the bad, and that's what reviews are for.

    I see that there really WAS an issue with the way username and password are handled and the plugin contributor was nice enough to fix it. (http://wordpress.org/support/topic/security-flaw?replies=18#post-3979284).

  27. thanushka
    Member
    Posted 1 year ago #

    By the way I will never use this plugin again. I was just trying to help you guys fix a potential issue.

  28. gokevgo
    Member
    Posted 1 year ago #

    It works great now... May I call you Tha?

    I was frustrated too but that's how free open source software sometimes goes. I'm guessing you and I both stumbled across this plugin because we needed a solution. This is the solution we found. The developer provided this for free. He even rewrote it with little or no notice to fix the problems we encountered.

    I understand where you're coming from but this plugin was great before and the problem has been fixed.

  29. mikejolley
    Member
    Plugin Author

    Posted 1 year ago #

    ^ to add, even with this problem, which could potentially log requests - ask yourself how somebody would access those logs..? My point is, even without Sidebar Login, your server is clearly vulnerable to attack and needs a thorough audit or it's just a matter of time before it happens again :)

  30. thanushka
    Member
    Posted 1 year ago #

    @gokevgo: He he, You can call me Nush. I do understand that contrary to how people think no one owes anyone anything (lol)...

    mikejolley: I'm glad to hear the password issue is fixed (thank you so much for that). This plugin really is the best login plugin I've seen (by both looks and features). That's why I installed it 3 times lol

    I do think there could be something else on my site related to the hacks. I think some script was already running trying to grab the passwords, looking for a way in..? (because my hacking always happened after being asked to log in twice or more, and only if I logged in through the plugin..) I'm cleaning up everything and also having my server checked now. I will update here when I find anything.

This topic has been closed to new replies.