delete-all-comments

Description

This plugin has been closed and is no longer available for download.

Reviews

Was Hacked Twice

I am sorry to the author that I have to give this one star review, but I feel it’s important to warn others about potential dangers of using this plugin.

Truth be told: I used this plugin for a long time and it was perfect. Then something happened after the last update. The plugin stopped working, but I was too busy to figure that out. So I left it without deleting it and forgot about it.

Then after some time Wordfence alerts me about admin login from another country with an administrative username I never created. Hacked!

I was alerted only one hour after they broke into my site, so it wasn’t hard to undo the damage. That’s when I began to suspect that “Delete All Comments” was used as a backdoor to my site. I have a similar setup across several sites, but only the one with “Delete All Comments” was hacked.

I cleaned up their files and deleted “Delete All Comments”. For about 3 weeks I lived peacefully. But today again, Wordfence alerted me about administrator’s login but this time with MY username but from India! (I am not in India and I just woke up when I was alerted).

Thankfully, it happened so that only two minutes passed since their login and till I noticed the problem. Again, I rushed to create a new administrator and deleted the old one. They had not much time to do the damage, but they were fast enough because in my cPanel the latest modified file was in plugins folder and belonged to “Delete All Comments” (which was definitely deleted, so they installed it again!).

I cleaned up everything again but still need to spend some time figuring out how they were able to enter again this time. It must be that simply deleting “Delete All Comments” doesn’t remove everything that needs to be removed and leaves some type of a backdoor.

So no, don’t install it. Thanks to the author for all the time (about two years) that I was able to use it without problems, but now I wouldn’t recommend this plugin.

DO NOT USE

Sadly I can’t endorse this plugin. I work for a UK-based host that actively tracks compromises on customer based sites and the number of compromises that relate to this plugin is steadily growing. It’s entirely exploitable, allowing (people who know what they’re doing) the ability to upload unverified files that could do pretty much anything within reason. I’ve had an instance recently where a file was uploaded via a POST request to the plugin’s main file (delete-all-comments.php), and that’s then injected a user into the DB, allowing someone to log in to the relevant admin area.

Until this has been verified fixed, or at least updated in some manner – do yourself a favour and stay the hell away.
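A check a site owner or host could run over web server access logs for the pattern described in the review above, as an added example (not part of the review or the plugin): it flags POST requests to the plugin's main file and lists the wp-login.php POSTs that follow within a time window. The install path, the Combined Log Format and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed install layout: the standard wp-content/plugins/<slug>/ directory.
PLUGIN_PATH = "/wp-content/plugins/delete-all-comments/delete-all-comments.php"
LOGIN_PATH = "/wp-login.php"

# Combined Log Format: ip - user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec

def find_suspect_posts(lines, window=timedelta(hours=24)):
    """Return (plugin_post, [login POSTs within `window` after it]) pairs."""
    recs = sorted(filter(None, map(parse, lines)), key=lambda r: r["ts"])
    posts = [r for r in recs if r["method"] == "POST" and r["path"].endswith(PLUGIN_PATH)]
    logins = [r for r in recs if r["method"] == "POST" and r["path"].endswith(LOGIN_PATH)]
    return [(p, [l for l in logins if p["ts"] <= l["ts"] <= p["ts"] + window]) for p in posts]

# Constructed sample log lines (documentation IP ranges), not taken from the reviews.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Mar/2020:03:10:01 +0000] "GET /wp-content/plugins/delete-all-comments/delete-all-comments.php HTTP/1.1" 200 0 "-" "curl/7.58.0"
198.51.100.7 - - [02/Mar/2020:03:10:05 +0000] "POST /wp-content/plugins/delete-all-comments/delete-all-comments.php HTTP/1.1" 200 12 "-" "curl/7.58.0"
203.0.113.20 - - [02/Mar/2020:03:12:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.15 - - [05/Mar/2020:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for post, logins in find_suspect_posts(SAMPLE_LOG):
        print(f"{post['ts']} POST to plugin file from {post['ip']} (HTTP {post['status']})")
        for l in logins:
            print(f"    login POST {l['ts']} from {l['ip']} (HTTP {l['status']})")
```

A hit is a lead for review, not proof of compromise: follow it up by checking the WordPress user table for accounts nobody created and the plugins directory for recently modified files, the two signs both reviewers report.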

Read all 51 reviews

Contributors & Developers

“Delete All Comments” is open source software. The following people have contributed to this plugin.
