Adds 'hookd' backdoor to your WP

  • At first glance and use, this plugin offers a neat interface in which you can change the theme for the counter. There are lots of templates to choose from which makes this plugin very attractive, along with the basic settings it provides.

    However, this plugin also was the culprit that created three particular unwanted ‘extras’:

    1) It inserted JavaScript into the header.php file of your theme which was used to help analyze your site’s traffic, then sent off-site. This JavaScript is located right before the closing </head> tag.

    2) It created a string of child directories inside the WP-CONTENT folder like this: wp-content/cache/hookd/DOMAINNAME.com, then, inside that folder, it contains two files: 8b8203326e2a9c70947a and index.html

    3) Eventually if your header.php file is writable, it would add Viagra/Cialis or Loan or some other sort of unwanted advertisement into your web site upon first site-wide load. Those who have their browsers secured with anti-virus/anti-malware mods will most likely not see the ad, but those who aren’t protected will see it.


    Summary: This plugin needs to be blacklisted and its author needs to be charged for fraud and privacy issues.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Yes, you are right, I did see the ad line under the counter, not yet on the header. I deactivated. Do I need to do anything else to make sure it is gone from my site?

    In all fairness guys,
    the license says this plugin collects data about your site and that it places adverts.

    Read the license before you start whining about fraud and suing people, it’s only one little paragraph of text.

    Moderator Jan Dembowski


    Read the license before you start whining about fraud and suing people, it’s only one little paragraph of text.

    Where’s the license text?

    Moderator Jan Dembowski


    *Installs plugin, looks at said plugin, sees Bad Thing™*

    This is a problem.


    That link gets inserted without the user agreeing to it. The option “Author credit (link will be displayed under the hit counter)” defaults to off but all that does is hide the link via CSS.

    <style type="text/css">.credits_off {display:none;}</style><div class="wp-hit-counter" align="center"><img src='http://my-test-url-here/wp-content/plugins/wp-hit-counter/designs/Basic/2/0.gif'><img src='http://my-test-url-here/wp-content/plugins/wp-hit-counter/designs/Basic/2/0.gif'><img src='http://my-test-url-here/wp-content/plugins/wp-hit-counter/designs/Basic/2/0.gif'><img src='http://my-test-url-here/wp-content/plugins/wp-hit-counter/designs/Basic/2/3.gif'><br /><small class="credits_off">by <a href="https://sites.google.com/site/seolosangelesblissdrive/">Bliss Drive Review</a></small></div>

    Per the plugin guidelines:

    10. The plugin must not embed external links on the public site (like a “powered by” link) without explicitly asking the user’s permission. Any such options in the plugin must default to NOT show the link.

    While it’s a little clever to do the display: none part, the plugin should not be inserting that hidden link like that.

    Where’s the license text?

    license.txt is in the plugin zip file. (or in the plugin folder if you install it directly via WordPress)

    It says:

    This program is supported by ad space sharing. The software will save data of your page (url, version etc.) for statistical reasons. None of this data will be published or given to a third party without your prior permission. By using the program, you are agreeing to this condition, and confirming that your sites abide by Google’s policies and terms of service.

    I’m not denying it’s kind of a dick move to collect data or add ads and not warning for it on the plugin download page, but people should pay attention to what they download.

    Moderator Jan Dembowski


    I totally missed that.


    I’m not part of the plugin team (good thing too, that team works hard) but I think that license text is just another problem with that plugin…
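
A read-only check for the artifacts described in this thread, as an added example (not code from the plugin or from any poster). It assumes a standard WordPress layout with themes under wp-content/themes; the function name `scan_hit_counter` is made up for illustration.

```shell
# Added example: look for the artifacts this thread attributes to the plugin.
# Usage: scan_hit_counter /path/to/wordpress
# Prints what it finds; returns 0 if no indicator is present, 1 otherwise.
scan_hit_counter() (
    cd "$1" || exit 2
    hits=0

    # Review item 2: files dropped under wp-content/cache/hookd/<domain>/
    if [ -d wp-content/cache/hookd ]; then
        echo "FOUND wp-content/cache/hookd"
        find wp-content/cache/hookd -type f | sed 's/^/  file: /'
        hits=$((hits + 1))
    fi

    # Plugin folder name, taken from the image URLs quoted in the thread
    plugin=wp-content/plugins/wp-hit-counter
    if [ -d "$plugin" ]; then
        echo "FOUND $plugin"
        hits=$((hits + 1))
        # Files that emit the credit link hidden with the credits_off class
        grep -rl 'credits_off' "$plugin" | sed 's/^/  credits_off in: /'
    fi

    # Review items 1 and 3: injected code lands in the theme's header.php,
    # before </head>. Themes ship their own scripts too, so every script tag
    # in that region is listed for manual comparison with a clean theme copy.
    for hdr in wp-content/themes/*/header.php; do
        [ -f "$hdr" ] || continue
        [ -w "$hdr" ] && echo "NOTE $hdr is writable by the current user"
        awk -v f="$hdr" '/<script/ { print "REVIEW " f ":" NR ": " $0 }
                         /<\/head>/ { exit }' "$hdr"
    done

    [ "$hits" -eq 0 ]
)
```

The writability note reflects the account running the scan, which may differ from the account the web server runs as.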
