• Resolved mdidesign

    (@mdidesign)


    Hi,

    what is this “vendor”-folder in the latest WordPress SEO installation? There is a folder called “vendor” with some other folders in it, just like:

    composer
    xrstf
    yoast

    “Composer” for example contains the folder “installers” and this folder contains test-folders just like:

    AsgardInstallerTest.php
    CakePHPInstallerTest.php
    DokuWikiInstallerTest.php
    GravInstallerTest.php
    MediaWikiInstallerTest.php
    OctoberInstallerTest.php
    PimcoreInstallerTest.php
    PiwikInstallerTest.php
    TestCase.php

    What are those files?

    Regards

    https://wordpress.org/plugins/wordpress-seo/

Viewing 15 replies - 1 through 15 (of 26 total)
  • Thread Starter mdidesign

    (@mdidesign)

    In addition to that, there are also several files in wordpress-seo/vendor/composer/installers/src/Composer/Installers/ just like:

    AglInstaller.php
    AimeoInstaller.php
    AnnotateCmsInstaller.php
    AsgardInstaller.php
    (…)
    CakePHPInstaller.php
    CodeIgniterInstaller.php
    DrupalInstaller.php
    JoomlaInstaller.php
    PhpBBInstaller.php
    ShopwareInstaller.php
    (…)
    TYPO3CmsInstaller.php
    TYPO3FlowInstaller.php

    … and many more! What do all these files and “Installers” have to do with WordPress SEO Plugin? Any kind of hack? This does not inspire confidence.

    Waiting for an answer!!!

    thenightrider

    (@thenightrider)

    Holy bloatware, Batman! @mdidesign is right. Lots of non-WordPress code in there. Blown away until we get an explanation.

    Thread Starter mdidesign

    (@mdidesign)

    My webhoster wrote me a message, that my website got hacked. They have sent me a logfile with all these folders and files and more. So I was just asking here. At the moment my website is blocked until this malware-code (or however you want to call this) is removed.

    Ted Slater

    (@tedslater)

    Yoast probably outsources to sketchy 3rd party developers in “developing” nations. I wouldn’t be surprised if they added this code, and Yoast’s team never did any testing/review of the code, and let it slip through.

    They have no quality control at Yoast. None. Every release is a beta, and we are all beta testers.

    Thread Starter mdidesign

    (@mdidesign)

    That is very, very bad. Because my webhoster told me my FTP-account was hacked. And it was exactly the FTP account my WordPress installation uses for Plugin updates etc. (it is not the account that I am using by myself for uploading stuff).

    I’m curious to see if and how “Big” Yoast reacts to this big issue.

    WPyogi

    (@wpyogi)

    Thread Starter mdidesign

    (@mdidesign)

    Thanks for the links, but this is a case for Yoast. As you can see there are very, very, very many unneeded files in WordPress SEO. Yoast has to justify that.

    WPyogi

    (@wpyogi)

    If this plugin is related to the hack, that’s unfortunate, but it’s very unlikely that anyone else will fix it for you.

    Thread Starter mdidesign

    (@mdidesign)

    Yoast has to. He developed this plugin, he is responsible for all these “installers”.

    thenightrider

    (@thenightrider)

    WPyogi, download the latest zip file for this plugin, unzip it, and you’ll see the bloatware is in there. It has nothing to do with anyone’s site being hacked, except maybe for Yoast’s.

    Bad plugins and themes have been the source of many hacked WordPress sites over time. It’s all part of WordPress’ currently flawed security model, which is pretty much no security out of the box.
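
The check suggested in the post above (download the release zip, unzip it, and look at what is in there) can be done file by file. The following is an added example, not part of any post in this thread and not Yoast's code: it compares an installed plugin directory with an unpacked reference copy by SHA-256. The function names, directory layout and sample file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def compare_trees(installed, reference):
    """Report files that differ between an install and a clean reference copy."""
    inst, ref = hash_tree(installed), hash_tree(reference)
    return {
        "added": sorted(inst.keys() - ref.keys()),      # on the server, not in the release
        "missing": sorted(ref.keys() - inst.keys()),    # in the release, not on the server
        "modified": sorted(p for p in inst.keys() & ref.keys() if inst[p] != ref[p]),
    }

def demo():
    """Constructed sample: a reference copy and an install with two planted differences."""
    files = {  # constructed stand-ins, not the plugin's real contents
        "plugin-main.php": b"<?php // bootstrap (constructed)\n",
        "vendor/autoload.php": b"<?php // autoloader (constructed)\n",
        "vendor/composer/installers/src/Composer/Installers/CakePHPInstaller.php":
            b"<?php // installer class (constructed)\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        ref, inst = Path(tmp, "reference"), Path(tmp, "installed")
        for root in (ref, inst):
            for rel, data in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # Planted differences: one changed file and one file the release never shipped.
        (inst / "vendor/autoload.php").write_bytes(b"<?php // altered (constructed)\n")
        (inst / "vendor/cache.php").write_bytes(b"<?php // extra (constructed)\n")
        return compare_trees(inst, ref)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files that appear in none of the three lists are byte-identical to the reference copy, so they shipped with the release; only the "added" and "modified" entries need a closer look.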

    WPyogi

    (@wpyogi)

    My response was in reply to:

    My webhoster wrote me a message, that my website got hacked.

    The owner of the site is the one who has to clean that up (or hire someone)…

    Thread Starter mdidesign

    (@mdidesign)

    Yoast has to clean up his plugin and delete this unwanted code and release an update for it. Agree?

    Plugin Contributor Joost de Valk

    (@joostdevalk)

    Hi

    I’m sorry, but you’re all dead wrong. These are auto loaders needed to load WordPress SEO. No malware, no weird code. Just the results of modern web development.

    thenightrider

    (@thenightrider)

    Well, we’re off topic I suppose in talking about hacked sites, but security issues on such an important and widely-used plugin should be taken seriously.

    florid78

    (@florid78)

    best security is to stay htaccess deny all in admin folder…


The topic ‘Security issue with latest WordPress SEO?’ is closed to new replies.