Ultimate TinyMCE plugin support forum: Hacked?

mikeotgaar (topic marked Resolved)


    Josh – Your plugin may have been hacked – Version 4.3 to (maybe others)

    When active, a link is being placed in the footer area <p style="position: absolute; top: -987px (and other similar values)">By Castglosvb (and other names) <a href="(to casino and options trading sites" title="casino online (and other)">online casino (and other)</a></p> Link removed

    The name, title and link changes with each page refresh

    The link is placed in the same footer region as the “Powered by WordPress” etc

    I’ve checked this on 2 live sites as well as a fresh install WP3.6 Beta test site and confirm all have this action. Disabling the plugin stops the link embed. I downloaded fresh copies from the repository and confirm both 4.3 to have these bad links

    I’ve posted a list of discovered links and names etc, and a copy of the html page so you can see the original source code from my dev site page (line 143) at

    I’m going back to ver 3.0 (This version is clean) in the meantime for my live sites.
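A defender-side check for the symptom described above, as an added example that is not part of the original thread or the plugin's own code: it parses saved page source and reports links to foreign hosts that sit inside an element pushed far off-screen by inline CSS. The hostnames in the sample and the 500px threshold are assumptions.

```python
# Added example (not code from the thread or the plugin): find links hidden off-screen
# with inline CSS, the symptom described in the first post.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ABSOLUTE_RE = re.compile(r"position\s*:\s*(?:absolute|fixed)", re.I)
OFFSET_RE = re.compile(r"(?:top|left)\s*:\s*-(\d+)px", re.I)
MIN_OFFSET_PX = 500  # assumed threshold: pushed this far off-screen, an element is not meant to be seen
VOID = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col", "embed", "source", "wbr"}

class HiddenLinkScanner(HTMLParser):
    """Collects hrefs to foreign hosts that sit inside an element pushed far off-screen."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []        # one flag per open element: True if it is an off-screen container
        self.hidden_depth = 0  # number of off-screen containers currently open
        self.findings = []     # hrefs of suspicious links, in document order

    def handle_starttag(self, tag, attrs):
        if tag in VOID:        # void elements never get an end tag, so keep them off the stack
            return
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        m = OFFSET_RE.search(style)
        hidden = bool(ABSOLUTE_RE.search(style)) and m is not None and int(m.group(1)) >= MIN_OFFSET_PX
        self.stack.append(hidden)
        self.hidden_depth += hidden
        if tag == "a" and self.hidden_depth:
            host = (urlparse(attrs.get("href") or "").hostname or "").lower()
            if host and host != self.site_host:   # relative and same-site links are left alone
                self.findings.append(attrs["href"])

    def handle_endtag(self, tag):  # assumes explicitly closed tags, as in a saved page source
        if tag not in VOID and self.stack:
            self.hidden_depth -= self.stack.pop()

def find_hidden_links(html, site_host):
    """Return hidden foreign-host hrefs found in `html`; `site_host` is the site's own hostname."""
    scanner = HiddenLinkScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample modelled on the thread's description; hostnames are placeholders.
SAMPLE = """<footer>
<p style="position: absolute; top: -987px">By Castglosvb <a href="http://spam.invalid/" title="casino online">online casino</a></p>
<p>Powered by <a href="https://wordpress.org/">WordPress</a> | <a href="/privacy">Privacy</a></p>
</footer>"""
```

Run `find_hidden_links(SAMPLE, "example-site.test")` against a site's saved source; a non-empty result is worth a look before assuming the site itself was compromised.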

  • Plugin Author Josh


    Moderator and Editor Customizer

    Hi Mike,

    Long time… no talk 🙂 I hope all is well with you! You have been a big support to me along the past sixteen months.. and I won’t let so much time lapse before we talk again next time!!

    I am working on a renovation of the plugin. It’s time to give it a “makeover”.

    I am working on implementing three various projects into Ultimate Tinymce. Of course, each one of these will be completely up to the user if they choose to use them or not.

    One of these will be a “link sharing” project. This will take the link of your website.. put it into a “cache”.. and add it to the rotation.

    This is going to be one of the simplest ways of getting your sites ranked higher in the search engines.

    Again, this option will be completely up to the user of whether or not they wish to participate… and we will also be giving a monthly “giveaway” for users who choose to participate. I’m thinking something like $200 a month prize. PLUS your site is getting ranked better.

    It is an experiment.. and I’m not sure what to expect… or even if it will work. But, in order to get some “tangible results”… I had to setup the code so I can monitor it on the other end.

    I hope this helps clarify. You should know, more than anyone, that I’m completely transparent 😉

    Lastly… I want you to stay current with the LATEST version. So, you can always remove the code that performs that function. Open up the “main.php” file, and comment out line #54. This will remove the check.. and not generate anything from that piece of code.

    Please let me know when you have done this, and verified it is not affecting your sites.

    Thank you, Mike!

    Hi Josh, nice to hear from you, and thanks for the very fast response

    I was concerned the plugin had been hacked without your knowledge…

    The fix above worked on my 3.6 dev site – I’ve already backdated my customers (before they started panicking and telling me I’d let their sites get hacked 🙂 ) and my own WP sites this afternoon – will go back to latest version tomorrow on my own sites (Getting late here and still have work to get through)

    PLEASE – next time give a heads up about this sort of thing – I spent a lot of time today checking a site as I thought it had been hacked, only found the thing with the plugin after scanning the files and database, then disabling themes and plugins. Sort of fun
    I can foresee other users getting cheesed off though…

    I’d be happier to keep the function on one of my own sites if I could make the links visible, and put them in a block somewhere with some comment about a test function… Pity there’s no class attached or it would be simple with CSS overrides.

    Nice to see UTMCE working OK – so far – on a vanilla WP3.6 install

    This is complete BS and a total abuse of people trusting you as a developer.

    You are injecting links to other websites without permission from the unsuspecting user who installed your plugin. There is absolutely no mention on this anywhere but when people ask questions, and I had to track it down myself.

    No type of cache, same exact links, and the code in that PHP file does nothing to even “submit” the website for this so called “cache”

    This also contradicts everything you said on the forum which makes me believe this is just a stunt to sell backlinks on people’s websites who trusted your plugin.


    You should NEVER attempt to inject or load offsite files and I’m very disappointed with you as a developer.

    I consider this MALICIOUS software.

    Plugin Author Josh


    Moderator and Editor Customizer


    You are correct. I am already building a post on my site explaining all the details and usage. It will outline the project… and provide very detailed examples of how everything will work.


    As I mentioned in my comment above, I am testing this. There was simply no way for me to see how this would work until I got some feedback on the amazon site.

    I will remove this feature from the plugin. Obviously, it is not going to be well accepted… and will probably be a complete waste of my time… even though I have the best intentions.

    Once I have coded it as an option.. and allow users the choice of entering into the feature… I will bring it back.

    Thank you both very much for your invaluable feedback!

    NOTE: I have had this plugin up for a year and a half. I am a very skilled developer. If I wanted to use my programming knowledge for the “dark side”… I would have done it LONG ago. That is not my intention, whatsoever.

    Please allow me a day or two for an update.

    Moderator Ipstenu (Mika Epstein)


    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    As I mentioned to Josh in email, not only is it not well accepted, it’s not permitted if your plugin is hosted here. But it’s being taken care of, so no need to pile on Josh 🙂

    Well, I guess I’m glad to hear that it’s being taken care of, but it sure scared the heck out of me. I ran across this yesterday and after a sleepless night I was able to figure out what was causing it. Sadly, I just don’t think I can trust this plugin again, and now I’m going to be checking my pages sources every time I add a plugin.

    Plugin Author Josh


    Moderator and Editor Customizer


    It does amaze me how many people “come out of the woodwork” when there is an issue with this plugin. It is really forcing me to consider leaving WP and moving on to something a little more “supported” by end users.

    I have spent a year and a half on the development of this plugin… I have received about a total of $170 in donations during that time. It is simply not worth it to me to continue development of this project.

    So, I’m not sure what the future of Ultimate Tinymce will be… but, I would always strongly suggest reading plugin changelogs, and even running plugins through a “test site”, to ensure they work properly after updates.

    I run many sites.. and always update plugins in my testing environment first.

    Still the best WYSIWYG plugin for WordPress… We all make mistakes at times

    Plugin Author Josh


    Moderator and Editor Customizer

    Thanks Mike!!

    Hey Mike, check out this editor:

    What do you think about this “Word” lookalike??

    Very interesting – better than Word 2011 LOL

    I like the remarks below RE Drupal and Joomla… I would love a version of UT with all the options for Drupal especially – the tinymce editor for Drup 7 is a bit scrappy in my opinion – also lacks some of the more useful features from your plugin e.g. the CSS button. I find I’m switching between tiny and CKE when setting content with Drup.

    Sorry if you took offense. I’m fairly new to WordPress (but not software development). I do test on a test site, and I do look at changelogs (I didn’t see a mention of this in the log), and everything was working fine. I just happened to be reading the rendered page source and saw this thing I didn’t understand. I’ve heard lots of stories about WordPress sites getting hacked when not kept up to date, so I was worried that this was such a case. Maybe if there had been a comment in the generated code saying where it came from, along with a URL directing me to a post about it, I would have been able to find out what was going on right away and it wouldn’t have bugged me.

    I’m sorry that you feel like this has been more trouble than it’s worth.

    Plugin Author Josh


    Moderator and Editor Customizer


    Thanks. Well… I guess I’ll have to start learning the Drupal CMS next 😉 I’ve never worked with it before… but I have had a ton of people contact me asking if Ultimate Tinymce was available for Drupal.

    I think this would be a great time to start 😉


    No, not at all. Please, don’t apologize! I am very sensitive of the long hours I have put into the development of Ultimate Tinymce. The feature I was going to add was still in testing.. and was not intended to be “live” on the site. This was my fault.

    I just think it’s extremely “one-sided” that I pour my life (seriously, about ten hours a day) into development of these plugins.. and hoping to bring a feature that might make everyone involved some extra money… only to be ridiculed for it.

    Definitely not worth it, in my humble opinion.

    I do hope people continue to use my plugin.. and I must thank WP and everyone involved for the journey… but I honestly think it’s time to begin focusing my development skills elsewhere.

    Thank you everyone for your responses here!! It’s what keeps the community moving forward!

    UTMCE for Drupal – Challenging. Make it a premium plugin!!!! And Joom as well – nearly all the good extensions are commercial
    I agree with you Josh, sometimes the lack of support and criticism is very dispiriting. I think we’ve got so used to WordPress things being free, working, and well supported, we overlook the time and effort that devs put in.
    Then a core change comes along as with 3.5, we update and things no longer work as expected – and we blame the contributors for not being on top of the changes. We overlook all the additional work involved in making the plugin compliant with the new core system, let alone the work and time involved in developing new features! But I guess this is getting off the subject, and before a moderator complains…. (apologies WordPress moderators)



    Forum Moderator

    @mikeotgaar: FWIW, I couldn’t agree more with your comments. 🙂

    Plugin Author Josh


    Moderator and Editor Customizer

    @mikeotgaar: Thank you. That is refreshing, seriously! I hope you have kids… you are the “fatherly” type!

    @esmi: Thank you for your thoughts as well 🙂

    This is the reason why damn near every plugin in the repo has a PRO version. I often hear WP users complaining about how they need PRO this.. and PRO that.

    I wonder if we are moving forward… or hindering open-source development?
