WordPress.org

Support

Support » Reviews » My site got hacked after installing this. TWICE

My site got hacked after installing this. TWICE

  • thanushka
    Member

    @thanushka

    This plugin compromise the security of the login and create double logins. Do not use this and stay away. My site got hacked after installing this plugin.

    – The plugin did not have anything to do with the hacks directly. But I learned that (addressed on a different post) it did have a problem with how the password was printed which could well be the reason. The plugin developer promptly (and kindly) fixed the password issue. I will update my review once I test it again.

    I downloaded the new sidebar login (2.5) and has been using it since yesterday. No problems so far. No double logins, no sudden log-offs etc. But I did not log in to the site admin through that. I think it’s an excellent plugin and will update my review in couple of weeks.

Viewing 15 replies - 1 through 15 (of 31 total)
  • esmi
    Forum Moderator

    @esmi

    Your site being hacked is not an indication of a security issue in a any plugin unless you have concrete evidence – in which case you should be contacting plugins [at] wordpress [dot] com with all relevant details.

    thanushka
    Member

    @thanushka

    My website is http://www.blissfulinterfaces.com/. I installed this plugin early last year. I logged in through the sidebar plugin’s login, and everything seemed fine. A while later I was asked to re-login. I thought it was fishy but I did it anyway. It was too late when I realized the plugin had redirected me to a site called http://fivemonkeyquilts.com/
    from that moment my domain was redirecting to http://fivemonkeyquilts.com/!!! (You will see that that domain redirects to my site now, what’s the point of that anyway?? lol)

    Then I had to do everything in the world to get that fixed. I did think it must be this plugins so I uninstalled it. Today I was looking for a quick login widget and installed this again. ( I did feel the name sounded familiar but I didn’t really think my assumption was right that with so many positive feedback). So long story I almost got hacked again. The login in this plugin log you in and then redirect to a fake login to steal the password.

    I’m not 100% sure that this plugin is associated with login stealing. But I know for sure that this plugin at least creates some security hole in wordpress. So users beware.

    I don’t see anything, but I’ve posted this for the plugin review team to look at just in case.

    ETA: If you have not YET, change ALL your passwords.

    thanushka
    Member

    @thanushka

    I appreciate that… I’m certain about the relationship between installing this plugin and getting redirected to fivemonkeyquilts. Plus I saw some more people complained about security holes in this plugin (It was too late when i saw those)

    It seriously messed up my wp-login. (keep making me log in several times) Now I’m trying to figure out how to fix it…

    @thanushka I’m a plugin reviewer for WordPress.org and I’ve just reviewed every line of code in this plugin. It’s not possible that this plugin was responsible for the hack.

    I suspect what happened is that you had a second plugin, or a piece of malicious code inside of your theme (or WordPress core files) that was designed to intercept the login process (quite easy for someone to do if they know how and have gained access to your site). This would have made it appear to be this plugin, but in reality, the same thing would have happened regardless of how you logged into your site.

    thanushka
    Member

    @thanushka

    We too checked the code and could not find anything directly related to the security breach, which is why I did not report. In fact, that is why I reinstalled this plugin few weeks after the first time the site got hacked and fixed. But after installing and using the side bar login once, it happened again.

    I do not think the plugin itself does the hacking, but I’m certain it make wordpress login vulnerable. Did you check how does the plugin pass the passwords etc? Is that secure? I noticed several people complained about it.. (My blog isn’t even a popular blog and it only has a few responsive design related articles that comes #1 in google). So I really don’t think anyone’s purposely trying to hack it.. What’s the point? lol

    I didn’t have any issues since I removed this plugin (twice last year) and got the login / redirect problem fixed UNTIL yesterday I accidentally installed the same plugin again for the 3rd time and almost got hacked.. It’s like installing this plugin activates some security vulnerability… I’m on Mac OS X, so perhaps it’s vulnerability is related with that.. (The first time I got hacked was after logging to the admin from iPad)

    thanushka
    Member

    @thanushka

    The first and secound time my site got hacked (last year) I was using a theme I wrote from scratch. So it cannot be my theme. My current theme does have some code written by others but everything was fine until yesterday…

    esmi
    Forum Moderator

    @esmi

    So it cannot be my theme.

    Why? No one is perfect and it’s entirely possible that your theme did contain a security hole of one type or another.

    thanushka
    Member

    @thanushka

    I just found out that after installing the plugin this redirect was written on my .htaccess file, which use to be fine just a few days ago..

    <IfModule mod_rewrite.c>
    
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{HTTP_REFERER} ^http://www.fivemonkeyquilts.com/more-about-joomla/30-the-community/46-angela-lamoree [NC]
    RewriteCond %{HTTP_REFERER} ^http://www.fivemonkeyquilts.com/ [NC]
    RewriteRule . /index.php [L]
    </IfModule>
    
    RewriteEngine on
    # Options +FollowSymlinks
    RewriteCond %{HTTP_REFERER} fivemonkeyquilts\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} LoisVowelstopsoilhockessin5.posterous\.com[NC,OR]
    RewriteCond %{HTTP_REFERER} s.nsdsvc\.com
    RewriteRule .* - [F]
    thanushka
    Member

    @thanushka

    That’s true. But every time I installed this plugin and used it at least once, same thing happens. I used my theme for over a year before I installed this plugin and got hacked instantly. and having it happend twice and having it almost happened for the 3rd time seem to be too much of a co-incident to me. Besides I’m not the only one (even though I’m one of the very few) who complain about the security of this plugin, specially how it pass user login data.

    esmi
    Forum Moderator

    @esmi

    There’s nothing in the plugin that touches the .htaccess file. That’s simply not how the plugin works. In fact, it doesn’t make any changes to any file on the server at all.

    esmi
    Forum Moderator

    @esmi

    specially how it pass user login data.

    Can you elaborate?

    The plugin is secure. I reviewed every single line. It uses the same methods for for logging a user in as WordPress core does.

    The plugin does nothing more (in essence) than output the core WordPress login forms in the sidebar.

    esmi
    Forum Moderator

    @esmi

    It uses the same methods for for logging a user in as WordPress core does.

    Thank you. That was my conclusion too.

    thanushka
    Member

    @thanushka

    I still stand by my observation, having had it happened 3 times. Installing this plugin did messed up my login, plus everything else I mentioned. I feel it’s somewhat similar to what happened with timthumb, a perfectly good plugin which created a security hole. If anyone wants to try it it’s up to them. I’ll update here if I found out how exactly it happens.

Viewing 15 replies - 1 through 15 (of 31 total)
  • The topic ‘My site got hacked after installing this. TWICE’ is closed to new replies.