Support » Plugin: iThemes Security (formerly Better WP Security) » [Plugin: Better WP Security] Site hacked despite plugin

  • Resolved halasy


    My site just got hacked despite this plugin.

    I got viagra links placed into a text widget. The text widget was already on my site with normal links, so I’m not sure whether they were changed by hand, or robot.

    Don’t know the details yet, I have not the slightest idea how they got it, since I have everything enabled that I could in the plugin. Some thinks I could not enable, since they caused a conflict with other functions.


Viewing 6 replies - 1 through 6 (of 6 total)
  • I just found the hack,, wp-includes/pluggable.php was hacked.

    An encoded line was inserted onto line 2, the bad part is I don’t really know how it got there:

    [ Thanks, but do not post malware code here at these forums. ]

    All hackers’ hands should be cut off!

    Anyone have any idea how it got there?

    It’s possible you misunderstand how these securtiy plugins work. Plugins like Better WP Security, Bulletproof Security (which I’m a bigger fan of) are helper plugins at best. If your FTP password is stolen somehow no plugin can prevent hacker from simply uploading their hacks. So putting all your trust into plugins being a firewall against hackers is like buying a steel front door for your home then believing that will stop a burglar even though you often leave your windows unlocked at night.

    That said, it’s morel likely hacker hacked your website through some other means, like a stolen admin user/pass or FTP user/pass, or even another plugin.

    As far as I’m aware, and I live in the WP hack repair business 24/7, this plugin is just fine and while I don’t generally promote it I’m not aware of any other person stating this plugin was used to hack their site. IMHO that’s very unlikely.

    Links in a text widget though tend to indicate your dashboard admin user/pass was compromised. Recommend checking your account and verifying have just the one admin level account set up, and update your passwords respectively.

    Of course, once hacker has your dashboard login, they can edit or delete any file on your website. Editing a security plugin file would be something I would do if I was a hacker (to poke fun at so called security plugins)…

    Thanks for your reply, the reason I don’t think it was a leak of my FTP credentials is because I have several sites under that user account, and none of them were affected. Or at least as far as I can tell for now.

    I did have an outdated timthumb script up on the site in question though, it was a version which had the big security issue, they may have gotten in through there?

    I’ll probably never know…

    Oh, and you may have misunderstood: “…I’m not aware of any other person stating this plugin was used to hack their site…”
    I didn’t imply that Better WP Security was used to hack my site, I said that the plugin didn’t provide enough security patches to prevent someone from hacking in through other means.

    I’m sorry to har about this. The nature of the security is that this plugin, and in fact no plugin or other solution, can protect against every attack. If you do in fact determine how they got in please let me know so that I may in fact include a countermeasure in future versions so that others might not have the same issue.

    Hi Jim,

    Plugins like Better WP Security, Bulletproof Security (which I’m a bigger fan of)

    This isn’t really related to this thread (sorry all), but couldn’t see an email/ contact form your your website (and I’m not in the US, otherwise I’d call) so here goes…

    I’d be fascinated to here why you’re a bigger fan of Bulletproof Security. Be great if you could write a blog post comparing and contrasting them both!





    Something I want to add, perhaps not much help.

    When I started to learn web design, I was using free webhosting. It’s free and provides lots of great feature. But now I won’t try not event think about to use free webhosting.

    Without asking my permission, they (I mean the webhosts) did inject some ads into my database.

    Here I want to say, this plugins also some other security plugins, they do improve your security. But none can guarantee 100%.

    Are you (halasy) using free webhost?

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘[Plugin: Better WP Security] Site hacked despite plugin’ is closed to new replies.