Title: Plugin hacked
Last modified: August 21, 2016

---

# Plugin hacked

 *  [igloobob](https://wordpress.org/support/users/igloobob/)
 * (@igloobob)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/plugin-hacked-1/)
 * Hello,
 * I just got a message from my client. They were contacted by another company
   who had their site hacked. They had used Sucuri to identify that loads of HTML
   files had been loaded into a scripts folder within the limit-login-attempts plugin
   folder. The infection got in through an inserted line in limit-login-attempts.php.
 * The html files in the new scripts folder were all retail things for Christian
   Louboutin shoes and similar things. There were about 50 files.
 * I went to check the site and the login page had been blocked due to too many attempts;
   I hadn’t attempted any login on that site for a few weeks.
 * Is there a security flaw on this plugin now? I have deleted it and all the files
   in the meantime.
 * Has anyone else come across this?
 * [https://wordpress.org/plugins/limit-login-attempts/](https://wordpress.org/plugins/limit-login-attempts/)

Viewing 15 replies - 1 through 15 (of 38 total)

 *  [ikeif](https://wordpress.org/support/users/ikeif/)
 * (@ikeif)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/plugin-hacked-1/#post-4581718)
 * Yup – I had to delete it as well, I had a bunch of html files (including those
   you mentioned) added, and a third party contacted me tracing the link jumps.
 * I don’t know if this will get straightened out, but I’m looking at alternatives
   now.
 * I was sent this:
 * Infection got through:
   ./blog/wp-content/plugins/limit-login-attempts-S/limit-login-attempts.php
 * The .php file contained the following malicious code loading lots of .html files
   (~184 files) within the directory ‘./blog/wp-content/plugins/limit-login-attempts-S/scripts/’:
 *     ```php
       $rand_dir = array_rand($dir, 3);
       foreach ($rand_dir as $t_num) {
           echo '<a href="' . home_url() . '/?pid=' . $dir[$t_num] . '" target="_blank">'
               . str_replace('.html', '', str_replace('-', ' ', $dir[$t_num])) . '</a>';
       }
       ```
   
 *  [DDDDD](https://wordpress.org/support/users/bestfrenchmortgage/)
 * (@bestfrenchmortgage)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/plugin-hacked-1/#post-4581719)
 * Hi guys, were you using LLA ver 1.7.1 or an earlier release?
 *  [ikeif](https://wordpress.org/support/users/ikeif/)
 * (@ikeif)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/plugin-hacked-1/#post-4581721)
 * I was using 1.7.1
 *  [bpmildh](https://wordpress.org/support/users/bpmildh/)
 * (@bpmildh)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/plugin-hacked-1/#post-4581722)
 * There is something funny about the path in ikeif’s post (limit-login-attempts-S).
   Where did the trailing -S come from?
 *  Thread Starter [igloobob](https://wordpress.org/support/users/igloobob/)
 * (@igloobob)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/plugin-hacked-1/#post-4581723)
 * I’m away at the moment so can’t check but I’m pretty sure it was the latest version
   as I had all plugins updated.
 * That trailing -S I also had on mine; it must be connected to the hack?
 *  [bpmildh](https://wordpress.org/support/users/bpmildh/)
 * (@bpmildh)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/plugin-hacked-1/#post-4581725)
 * You should ask yourself some more questions igloobob:
   Were both folders in the plugin directory (with and without -S)? What other
   files/folders had been added or changed during the unattended period? What
   permissions do you have on files/folders? Did you check the company behind the
   complaints? What protection do you use instead of LLA?
 * The plugin file does not contain the code in ikeif’s post.
 * I’m no expert but I rely on this plugin and did check my installs and the files
   on wordpress.org. This could be in the interest of those trying to hack our sites,
   compromising one of the methods we have to stop them.
 * One could only ask for the developer to update the plugin (description?) to clarify
   that it’s not outdated.
 *  Thread Starter [igloobob](https://wordpress.org/support/users/igloobob/)
 * (@igloobob)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/plugin-hacked-1/#post-4581735)
 * Both folders were not in the directory; the folder had been renamed, adding that
   -S on.
 * The only files as far as I could tell that were changed were:
 * 1. limit-login-attempts.php (a few lines of code were inserted here that apparently
   were the cause of the new scripts folder and html files within that folder).
 * 2. a scripts folder was created containing these html files that were generated
   by the inserted line of code mentioned in point 1 above.
 * Permissions I would have to check as the client’s host controls that and has 
   it set up where I haven’t been able to change them myself. They have it tied 
   up pretty tight as far as I can tell as I’ve had to get them to do all sorts 
   for me that I would usually be able to do myself.
 * I haven’t checked the company myself actually but everything they said to us 
   seemed correct.
 * Currently, we’ve changed all the logins including FTP and are using proper secure
   passwords (we were anyway actually).
 * We’ve added password protection onto the log in area with .htaccess.
 * I’ve deleted the plugin and all files now.
 * Correct, the plugin file does not contain that code. That code has been inserted
   via a hack we assume?
 * I’m away this week so can’t check all details but the above is correct as far
   as I can remember.
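An added triage check for the three indicators the posts above describe (a plugin folder renamed with a suffix, a new scripts/ folder of unexpected .html files, and a plugin PHP file whose hash no longer matches the release). This is my own example, not code from the plugin, from wordpress.org or from anyone in this thread; the known-good file contents and the sample directory tree are constructed stand-ins, and in practice the manifest would be hashed from the official plugin zip.

```python
import hashlib
import tempfile
from pathlib import Path

PLUGIN = "limit-login-attempts"
# Constructed stand-ins for the known-good release files (not the real plugin source);
# a real manifest would be hashed from the zip downloaded from wordpress.org.
CLEAN_FILES = {
    "limit-login-attempts.php": "<?php\n/* Plugin Name: Limit Login Attempts (stand-in) */\n",
    "readme.txt": "=== Limit Login Attempts (stand-in) ===\n",
}

def manifest_from(files: dict) -> dict:
    """Map relative path -> sha256 of the known-good file."""
    return {rel: hashlib.sha256(body.encode()).hexdigest() for rel, body in files.items()}

def scan_plugins(plugins_root: Path, manifest: dict) -> dict:
    """Check every folder named like the plugin (this also catches the '-S' rename)."""
    findings = {"renamed_dirs": [], "modified": [], "unexpected": []}
    dirs = [p for p in plugins_root.iterdir() if p.is_dir() and p.name.startswith(PLUGIN)]
    for d in sorted(dirs):
        if d.name != PLUGIN:
            findings["renamed_dirs"].append(d.name)
        for f in sorted(p for p in d.rglob("*") if p.is_file()):
            rel = f.relative_to(d).as_posix()
            if rel not in manifest:  # e.g. scripts/*.html dropped by the injected code
                findings["unexpected"].append(f"{d.name}/{rel}")
            elif hashlib.sha256(f.read_bytes()).hexdigest() != manifest[rel]:
                findings["modified"].append(f"{d.name}/{rel}")  # an inserted line changes the hash
    return findings

def build_sample_tree(root: Path) -> None:
    """Constructed sample: one clean copy plus one renamed, tampered copy as the thread describes."""
    for name in (PLUGIN, PLUGIN + "-S"):
        (root / name).mkdir()
        for rel, body in CLEAN_FILES.items():
            (root / name / rel).write_text(body)
    bad = root / (PLUGIN + "-S")
    with (bad / "limit-login-attempts.php").open("a") as fh:
        fh.write("// placeholder standing in for the injected line\n")
    (bad / "scripts").mkdir()
    for i in range(3):
        (bad / "scripts" / f"spam-page-{i}.html").write_text("<html></html>\n")

def run_demo() -> dict:
    """Build the sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return scan_plugins(Path(tmp), manifest_from(CLEAN_FILES))
```

The clean copy produces no findings, while the renamed copy is reported three times: once for the name, once for the changed PHP file and once per extra HTML file.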
 *  [richsadams](https://wordpress.org/support/users/richsadams/)
 * (@richsadams)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/plugin-hacked-1/#post-4581749)
 * I’m using LLA on two sites and haven’t had any issues, but based on your posts
   I’m going to delete the plugin on both sites as well.
 * I’ve had sites hacked before and I do NOT want to deal with it again.
 * I want to hear from the LLA developer that this has been resolved before I use
   it again.
 *  [Julian Fox (greataussiepie)](https://wordpress.org/support/users/greataussiepie/)
 * (@greataussiepie)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/plugin-hacked-1/#post-4581756)
 * I’ve noticed this plugin doing some funny things too, like users being able to
   get around the lockout after login attempts is reached. I’m gonna uninstall this
   just to be safe.
 *  Thread Starter [igloobob](https://wordpress.org/support/users/igloobob/)
 * (@igloobob)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/plugin-hacked-1/#post-4581757)
 * Still no word from the plugin author on this…
 *  [rick111](https://wordpress.org/support/users/rick111/)
 * (@rick111)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/plugin-hacked-1/#post-4581763)
 * Any response from the plugin developer? Should we scrap this plugin?
 *  Thread Starter [igloobob](https://wordpress.org/support/users/igloobob/)
 * (@igloobob)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/plugin-hacked-1/#post-4581764)
 * I’ve sacked it off, can’t be messing about waiting for a response on security
   issues
 *  [rick111](https://wordpress.org/support/users/rick111/)
 * (@rick111)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/plugin-hacked-1/#post-4581765)
 * Any alternatives? You said that “We’ve added password protection onto the
   log in area with .htaccess.” But what about if you have blog users that need
   access?
 *  Thread Starter [igloobob](https://wordpress.org/support/users/igloobob/)
 * (@igloobob)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/plugin-hacked-1/#post-4581766)
 * not sure to be honest sorry, my client’s site in question doesn’t have any blog
   users, it’s only got a few admins within the company that need access to the 
   backend.
 *  [rick111](https://wordpress.org/support/users/rick111/)
 * (@rick111)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/plugin-hacked-1/#post-4581774)
 * Does anyone have the email of the developer?


The topic ‘Plugin hacked’ is closed to new replies.


## Tags

 * [brute force](https://wordpress.org/support/topic-tag/brute-force/)

 * 38 replies
 * 18 participants
 * Last reply from: [WPDogger](https://wordpress.org/support/users/wpdogger/)
 * Last activity: [11 years, 6 months ago](https://wordpress.org/support/topic/plugin-hacked-1/page/3/#post-4581818)
 * Status: not resolved