IT GETS YOUR SITE HACKED!!!!!!!! DON’T INSTALL

As a User Role Editor (URE) plugin developer I confirm, that the evidence should be shown, that URE is involved into the issue before send such awful title.

I tried to put for @afrooz the information that site may be hacked earlier, before he installed URE, and there are a plenty ways, how site may be hacked, but without luck.

To @afrooz: You may hate the plugin and send zero review, it’s your right. But any blame should have evidence, that attack via plugin is possible on the clean (not hacked) WordPress installation, not just a capital letters in the title.

@afrooz,

That’s my mistake, that I mixed up the authors of this review and post to the URE support forum. I apologize for that.

Yes, I am not your enemy too, nothing personal, just a business.

I just tried to tell you that, you wrote here about the result only – your site was hacked and SPAM was sent. But you wrote nothing about a reason of this bad and sad event, except that you think that it may be linked to the fact that you installed User Role Editor recently.

Is it the only plugin installed at your site?

Do you know that there are a lot of other ways to place to the site a .php file with malicious code and not always this is made via installed plugins? It’s possible via holes in a operating systems, vulnerabilities inside HTTP or database servers. If site is installed at the shared hosting, intruder can get access to yours and other sites after he hacked the weakest site (not updated for the years) placed at the same host. There are users with administrative privileges, access to hosting control panels, FTP access, but very weak passwords. Etc., etc., …

Do you know when your site was hacked really? Thousands of hacked sites do nothing suspicious for decades. Potential SPAM senders just sleep until their owner (hacker) will have a new SPAM sending deal paid and send a command for the bots net to start a new campaign.

This is a reason, why I asked about the evidence that User Role Editor is really involved to the described issue. Without that “awful plugin” capitals at your review note is just aggressive emotions. Similar as a call do not use (for example) Windows or Linux, be cause of vulnerabilities are discovered and fixed at this software from time to time.

I look at the security of the code very seriously and react on any related issues with the highest priority. You should know that wordpress.org plugins review team removes any vulnerable plugin from the repository immediately after they receive a description of vulnerability. Plugin may be returned to repository just after all discovered vulnerabilities were fixed. So serious developer can not ignore this.

User Role Editor code went through external security audit recently. I follow all security recommendations during development. I understand that as any other software my plugin may have vulnerabilities. I review a code and try enhance it almost permanently. But I can not search a black cat inside a dark room.

As a developer you understand that thousands of emails are not sent manually. That was made by code. You should understand that, if someone placed a code to your site, it’s easy to add any user with any authority without any plugin.

Do you have a backup copy of your site in a hacked state? Did you try to check it for the external files which do not belong to WordPress, themes and plugins installed? Did you try to understand how and when they appear at your site file system? May be you have a list of archived backup copies for a month or two and can compare them for the malicious file(s) presence to make conclusion about the approximate date, when site was hacked and how it’s related with URE plugin installation?

@alexholsgrove – Thank you.