Support » Plugin: Theme My Login » allowed site to be hacked

  • This was a good plug in then everything switched to be paid without notice. This allowed access to members only content without notice to site owner.
    Shortly after the themed login page quit working and site was hacked.
    This developer should be banned for bait and switch, and allowing potential sensitive info to be opened up and indexed by search engines

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Jeff Farthing

    (@jfarthing84)

    Could you please present evidence that shows that TML allowed your site to be “hacked”?

    my site was hacked several time over several days. Each time it was hacked I could not login through Theme My Login plugin.
    It would say, incorrect password.
    When I clicked the reset password link or log in with wordpress, the page would redirect back to the Theme My Login Page. It would not allow me to send a link to my email to reset my password or login via wordpress credentials.

    I had to use an FTP client to disable your plugin so I could use the default wordpress page to reset my password.

    So even if they did not get in through your plugin, they used it against me to prevent me from re-gaining access to the admin area of wordpress.
    Since completely deleting your plugin my site has not been compromised since.

    After being hacked I did the standard things, of resetting all my passwords, virus scan, reload from backup etc, and yet they got in again.

    Since deleting your plugin which is the only thing I did different from all the other times I was hacked, I have not had any issues since.

    You may be wondering if my site was actually hacked or if this was just a login issue. Each time, non english verbiage was injected into the descriptions of my site which showed up in search results. Which in turn triggered google to send me a message through “Google search console/webmaster tools” saying they have delisted mysite because it had been hacked, along with other issues related to the hack.

    So whether or not you think my experience is the smoking gun proof that your plugin was responsible for allowing my site to be hacked is totally up to you.

    In my mind it seems pretty definitive that there is something wrong with your plugin since they were able to use it to prevent me from resetting my password or logging in with my wordpress credentials, in turn having to disable your plugin to regain access.

    Plugin Author Jeff Farthing

    (@jfarthing84)

    Most likely, caching was preventing the plugin from working, or conflict with another plugin. Follow up in a few days or more without the plugin and let us know if you are “hacked” anymore.

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this review.