Ultimate TinyMCE
[resolved] Hacked? (22 posts)

  1. mikeotgaar
    Posted 3 years ago #

    Josh - Your plugin may have been hacked - Version 4.3 to (maybe others)

    When active, a link is being placed in the footer area <p style="position: absolute; top: -987px (and other similar values)">By Castglosvb (and other names) <a href="(to casino and options trading sites" title="casino online (and other)">online casino (and other)</a></p> Link removed

    The name, title and link changes with each page refresh

    The link is placed in the same footer region as the "Powered by WordPress" etc

    I've checked this on 2 live sites as well as a fresh install WP3.6 Beta test site and confirm all have this action. Disabling the plugin stops the link embed. I downloaded fresh copies from the repository and confirm both 4.3 to have these bad links

    I've posted a list of discovered links and names etc, and a copy of the html page so you can see the original source code from my dev site page (line 143) at http://www.graphicline.co.za/zimage/utmce-bad-links.zip

    I'm going back to ver 3.0 (This version is clean) in the meantime for my live sites.


  2. Josh
    Moderator and Editor Customizer
    Plugin Author

    Posted 3 years ago #

    Hi Mike,

    Long time... no talk :) I hope all is well with you! You have been a big support to me along the past sixteen months.. and I won't let so much time lapse before we talk again next time!!

    I am working on a renovation of the plugin. It's time to give it a "makeover".

    I am working on implementing three various projects into Ultimate Tinymce. Of course, each one of these will be completely up to the user if they choose to use them or not.

    One of these will be a "link sharing" project. This will take the link of your website.. put it into a "cache".. and add it to the rotation.

    This is going to be one of the simplest ways of getting your sites ranked higher in the search engines.

    Again, this option will be completely up to the user of whether or not they wish to participate... and we will also be giving a monthly "giveaway" for users who choose to participate. I'm thinking something like $200 a month prize. PLUS your site is getting ranked better.

    It is an experiment.. and I'm not sure what to expect... or even if it will work. But, in order to get some "tangible results"... I had to setup the code so I can monitor it on the other end.

    I hope this helps clarify. You should know, more than anyone, that I'm completely transparent ;)

    Lastly... I want you to stay current with the LATEST version. So, you can always remove the code that performs that function. Open up the "main.php" file, and comment out line #54. This will remove the check.. and not generate anything from that piece of code.

    Please let me know when you have done this, and verified it is not affecting your sites.

    Thank you, Mike!

  3. mikeotgaar
    Posted 3 years ago #

    Hi Josh, nice to here from you, and thanks for the very fast response

    I was concerned the plugin had been hacked without your knowledge...

    The fix above worked on my 3.6 dev site - I've already backdated my customers (before they started panicking and telling me I'd let their sites get hacked :) ) and my own WP sites this afternoon - will go back to latest version tomorrow on my own sites (Getting late here and still have work to get through)

    PLEASE - next time give a heads up about this sort of thing - I spent a lot of time today checking a site as I thought it had been hacked, only found the thing with the plugin after scanning the files and database, then disabling themes and plugins. Sort of fun
    I can foresee other users getting cheesed off though...

    I'd be happier to keep the function on one of my own sites if I could make the links visible, and put them in a block somewhere with some comment about a test function... Pity there's no class attached or it would be simple with CSS overrides.

    Nice to see UTMCE working OK - so far - on a vanilla WP3.6 install

  4. tripflex
    Posted 3 years ago #

    This is complete BS and a total abuse of people trusting you as a developer.

    You are injecting links to other websites without permission from the unsuspecting user who installed your plugin. There is absolutely no mention on this anywhere but when people ask questions, and I had to track it down myself.


    No type of cache, same exact links, and the code in that PHP file does nothing to even "submit" the website for this so called "cache"


    This also contradicts everything you said on the forum which makes me believe this is just a stunt to sell backlinks on people's websites who trusted your plugin.


    You should NEVER attempt to inject or load offsite files and i'm very disappointed with you as a developer.

    I consider this MALICIOUS software.

  5. Josh
    Moderator and Editor Customizer
    Plugin Author

    Posted 3 years ago #


    You are correct. I am already building a post on my site explaining all the details and usage. It will outline the project... and provide very detailed examples of how everything will work.


    As I mentioned in my comment above, I am testing this. There was simply no way for me to see how this would work until I got some feedback on the amazon site.

    I will remove this feature from the plugin. Obviously, it is not going to be well accepted... and will probably be a complete waste of my time... even though I have the best intentions.

    Once I have coded it as an option.. and allow users the choice of entering into the feature... I will bring it back.

    Thank you both very much for your invaluable feedback!

    NOTE: I have had this plugin up for a year and a half. I am a very skilled developer. If I wanted to use my programming knowledge for the "dark side"... I would have done it LONG ago. That is not my intentions, whatsoever.

    Please allow me a day or two for an update.

  6. As I mentioned to Josh in email, not only is it not well accepted, it's not permitted if your plugin is hosted here. But it's being taken care of, so no need to pile on Josh :)

  7. dcell59
    Posted 3 years ago #

    Well, I guess I'm glad to hear that it's being taken care of, but it sure scared the heck out of me. I ran across this yesterday and after a sleepless night I was able to figure out what was causing it. Sadly, I just don't think I can trust this plugin again, and now I'm going to be checking my pages sources every time I add a plugin.

  8. Josh
    Moderator and Editor Customizer
    Plugin Author

    Posted 3 years ago #


    It does amaze me how many people "come out of the woodwork" when there is an issue with this plugin. It is really forcing me to consider leaving WP and moving on to something a little more "supported" by end users.

    I have spent a year and a half on the development of this plugin... I have received about a total of $170 in donations during that time. It is simply not worth it to me to continue development of this project.

    So, I'm not sure what the future of Ultimate Tinymce will be... but, I would always strongly suggest reading plugin changelogs, and even running plugins through a "test site", to ensure they work properly after updates.

    I run many sites.. and always update plugins in my testing environment first.

  9. mikeotgaar
    Posted 3 years ago #

    Still the best WYSIWYG plugin for WordPress... We all make mistakes at times

  10. Josh
    Moderator and Editor Customizer
    Plugin Author

    Posted 3 years ago #

    Thanks Mike!!

    Hey Mike, check out this editor:

    What do you think about this "Word" lookalike??

  11. mikeotgaar
    Posted 3 years ago #

    Very interesting - better than Word 2011 LOL

    I like the remarks below RE Drupal and Joomla... I would love a version of UT with all the options for Drupal especially - the tinymce editor for Drup 7 is a bit scrappy in my opinion - also lacks some of the more useful features from your plugin e.g. the CSS button. I find I'm switching between tiny and CKE when setting content with Drup.

  12. dcell59
    Posted 3 years ago #

    Sorry if you took offense. I'm fairly new to WordPress (but not software development). I do test on a test site, and I do look at changelogs (I didn't see a mention of this in the log), and everything was working fine. I just happened to be reading the rendered page source and saw this thing I didn't understand. I've heard lots of stories about WordPress sites getting hacked when not kept up to date, so I was worried that this was such a case. Maybe if there had been a comment in the generated code saying where it came from, along with a URL directing me to a post about it, I would have been able to find out what was going on right away and it wouldn't have bugged me.

    I'm sorry that you feel like this has been more trouble than it's worth.

  13. Josh
    Moderator and Editor Customizer
    Plugin Author

    Posted 3 years ago #


    Thanks. Well... I guess I'll have to start learning the Drupal CMS next ;) I've never worked with it before... but I have had a ton of people contact me asking if Ultimate Tinymce was available for Drupal.

    I think this would be a great time to start ;)


    No, not at all. Please, don't apologize! I am very sensitive of the long hours I have put into the development of Ultimate Tinymce. The feature I was going to add was still in testing.. and was not intended to be "live" on the site. This was my fault.

    I just think it's extremely "one-sided" that I pour my life (seriously, about ten hours a day) into development of these plugins.. and hoping to bring a feature that might make everyone involved some extra money... only to be ridiculed for it.

    Definitely not worth it, in my humble opinion.

    I do hope people continue to use my plugin.. and I must thank WP and everyone involved for the journey... but I honestly think it's time to begin focusing my development skills elsewhere.

    Thank you everyone for your responses here!! It's what keeps the community moving forward!

  14. mikeotgaar
    Posted 3 years ago #

    UTMCE for Drupal - Challenging. Make it a premium plugin!!!! And Joom as well - nearly all the good extensions are commercial
    I agree with you Josh, sometimes the lack of support and criticism is very dispiriting. I think we've got so used to WordPress things being free, working, and well supported, we overlook the time and effort that devs put in.
    Then a core change comes along as with 3.5, we update and things no longer work as expected - and we blame the contributors for not being on top of the changes. We overlook all the additional work involved in making the plugin compliant with the new core system, let alone the work and time involved in developing new features! But I guess this is getting off the subject, and before a moderator complains.... (apologies WordPress moderators)

  15. esmi
    Forum Moderator
    Posted 3 years ago #

    @mikeotgaar: FWIW, I couldn't agree more with your comments. :-)

  16. Josh
    Moderator and Editor Customizer
    Plugin Author

    Posted 3 years ago #

    @mikeotgarr: Thank you. That is refreshing, seriously! I hope you have kids... you are the "fatherly" type!

    @esmi: Thank you for your thoughts as well :)

    This is the reason why damn near every plugin in the repo has a PRO version. I often hear WP users complaining about how the need PRO this.. and PRO that.

    I wonder if we are moving forward... or hindering open-source development?

  17. ronbme
    Posted 3 years ago #

    I doubt that anyone has put in more time and effort on their plugin than Josh. Most people don't even know the half of it. Josh has sacrificed a lot more than most people know to develop this plugin.

    I wonder about open-source development myself. That would be a shame to see that end. We need young budding programmers to get their feet wet with open-source development and we need some of us old-timers to help them along.

    A lot of these "free" WordPress plugins are better than the paid software people throw their money away on. Trust me on that one. I've wasted more money on bad software than I care to think about.

    Josh has thrown just about everything into this plugin except the kitchen sink. Yeah, he tried something new. Instead of jumping on him with both feet and crying that the world is coming to an end, you could have posted to his private forum, as some did, and he would have explained.

    I would rather encourage good programmers to continue creating good software than trashing them for no benefit.

    Anyway, this is a great plugin and will continue to be.

    Keep up the good work, Josh!


  18. dcell59
    Posted 3 years ago #

    So you're trashing me over this? Let's have some perspective. I got this plugin from this site, which has a forum for this, and this was the topic discussing the issue.

    I expected it to improve the editor I use to edit my pages and posts, and then this "experiment" sticks hidden links to an options trading site in the UK and an online gambling site on my pages where the editor doesn't even reside. I think I had a right to be upset over this. I thought I handled it pretty calmly in the end.

  19. ronbme
    Posted 3 years ago #

    Well, if I didn't mention you by name then maybe I wasn't addressing this to you, right?

    I think you made some valid points. And I think you did handle it pretty calmly in the end.

    I just can't see some people trashing a very good plugin that is being used by over one million people. That's like throwing the baby out with the bath water, don't you think?

    There are too many plugins out there that people just aren't updating anymore for whatever reason. I think we should be encouraging, rather than discouraging, plugin authors to keep improving their plugins.

    Mike saw a problem with the plugin and asked Josh about it. Josh gave him an answer and also how to disable the feature.

    Giving a plugin author feedback is the way to do it. Bashing them about how one got "ripped off" by "free" software is not. (I'm not saying you did that.)

    It could be worse. You could have paid for the software, had it almost destroy one of your websites and then have the author not respond for over a month (and counting).


  20. mikeotgaar
    Posted 3 years ago #

    Very valid point about paid for plugins, themes and stuff - Some (a lot) are really poorly supported.
    I've recently had a commercial theme dev and a commercial plugin dev both say "it's a plugin/theme conflict" (WP3.5) - strange when the conflict was with a theme specially designed to use the plugin!
    It was simply an issue with the new java handling method in 3.5.

    On the other side - Josh's FREE plugin gave very few issues when 3.5 came out (well, none that I found anyway), and looks like it's already OK for 3.6

    I don't think the remarks were meant for you - your reports and replies were polite!

    I'm certainly not going to scrap a darn excellent and useful plugin because of a small undersight.

  21. ronbme
    Posted 3 years ago #

    Thanks Mike!

    Normally I try to stay ahead of Josh and set up the next version of WP for testing with Ultimate TinyMCE. I've been pretty busy lately and haven't even set up WP 3.6. Glad to hear that UT isn't having any conflicts. I do want to get WP 3.6 set up and check out some of the new features.

    It gets more complicated these days because you have to set up a WP MultiSite and single install of WP for testing. That's 2 for the current version of WP and 2 for the upcoming version.

    The reason you didn't see very many issues with Josh's plugin and WP 3.5 is because he had already tested it on that platform before it came out.

    I'm amazed that some software companies are still in business with the junk they put out. And they even put up forums but never respond to questions. Makes me wonder what they do all day.

    I never worry about that with Josh. He's so busy that he needs people telling him to slow down. I've had some ideas about new features in UT, but I don't tell Josh because I'm afraid he might put those on his todo list too. LOL!


  22. Josh
    Moderator and Editor Customizer
    Plugin Author

    Posted 3 years ago #

    @ronbme, @mikeotgaar : Thank you both! Very, very valid points.

    @dcell59 : No, I don't believe that remark was aimed toward you either :) You do raise some very valid issues.

    Bottom line : I forgot to make it an option. Simple as that. I wrote the code, tested it, got excited.. and forgot to make it an option.

    I have already cleared it with the mods... and we can re-enable this via am opt-in feature.. which was the original intent.

    This feature is going to allow everyone who uses ultimate tinymce to share their website links between each other. The link, which will only be seen by SEO bots, will be hidden off-screen with CSS. It will not be seen by the website owner, or any of the users. It is simply an "insider" (ultimate tinymce) link sharing feature. The casino was something from my testing. No one else will be allowed to use this... unless they are also using Ultimate Tinymce.

    This is proven to be one of the fastest ways to get websites better indexed by search engines.

    But... I don't know. Again... do I want to spend all my time developing another awesome feature.. which might get me ridiculed again?? Not sure... lol.

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • Ultimate TinyMCE
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic