Title: Plugin hacked
Last modified: August 21, 2016

---

# Plugin hacked

 *  [igloobob](https://wordpress.org/support/users/igloobob/)
 * (@igloobob)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/plugin-hacked-1/)
 * Hello,
 * I just got a message from my client. They were contacted by another company 
   who had their site hacked. They had used sucuri to identify that loads of html
   files had been loaded into a scripts folder within the limit-login-attempts plugin
   folder. The infection got in through an inserted line in limit-login-attempts.php.
 * The html files in the new scripts folder were all retail things for Christian
   Louboutin shoes and similar things. There were about 50 files.
 * I went to check the site and the login page had been blocked due to too many attempts –
   I hadn’t attempted any log in on that site for a few weeks.
 * Is there a security flaw on this plugin now? I have deleted it and all the files
   in the meantime.
 * Has anyone else come across this?
 * [https://wordpress.org/plugins/limit-login-attempts/](https://wordpress.org/plugins/limit-login-attempts/)

Viewing 15 replies - 16 through 30 (of 38 total)

[←](https://wordpress.org/support/topic/plugin-hacked-1/?output_format=md) [1](https://wordpress.org/support/topic/plugin-hacked-1/?output_format=md)
2 [3](https://wordpress.org/support/topic/plugin-hacked-1/page/3/?output_format=md)
[→](https://wordpress.org/support/topic/plugin-hacked-1/page/3/?output_format=md)

 *  [MaFt](https://wordpress.org/support/users/maft/)
 * (@maft)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/plugin-hacked-1/page/2/#post-4581780)
 * Client’s site had this too. I’ve now deleted the plugin.
 *  Thread Starter [igloobob](https://wordpress.org/support/users/igloobob/)
 * (@igloobob)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/plugin-hacked-1/page/2/#post-4581781)
 * I’ve emailed Johan to see if he is aware of this issue.
 *  Plugin Contributor [johanee](https://wordpress.org/support/users/johanee/)
 * (@johanee)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/plugin-hacked-1/page/2/#post-4581782)
 * Hi,
 * Thanks for sending me a notice.
 * I’ve not seen reports like this before, and will investigate. If you have any
   additional information please send it my way.
 * Thanks,
    Johan Eenfeldt
 *  [WordDug](https://wordpress.org/support/users/worddug/)
 * (@worddug)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/plugin-hacked-1/page/2/#post-4581783)
 * Hi,
 * Is there any news on this? I have disabled the plugin until I see confirmation
   that this security issue is resolved.
 * thanks
 *  [rick111](https://wordpress.org/support/users/rick111/)
 * (@rick111)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/plugin-hacked-1/page/2/#post-4581787)
 * Johan,
 * Is it safe to use your plugin, or are the rumors being spread purposely?
 * Thanks
 *  [Iamhere](https://wordpress.org/support/users/iamhere/)
 * (@iamhere)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-1/page/2/#post-4581797)
 * This plugin is over two years old and does not appear to have been updated, therefore
   it has been abandoned. The author may well have moved on (no offense meant johanee)
 * PHP code has changed a lot over the last two years, and any plugin that hasn’t
   been updated in that time should be considered unsafe.
 * I have been recommended this plugin – though I have nothing to do with it, and
   have not tried it, so I cannot vouch for it, but it certainly seems comprehensive
   (though perhaps a bit more complex than the limit logins plugin!)
 * [http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/](http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/)
 * The other obvious alternative is [http://wordpress.org/plugins/wordfence/](http://wordpress.org/plugins/wordfence/)
 * Not used either, so can’t comment – yet!
 *  [Rolf Allard van Hagen](https://wordpress.org/support/users/ravanh/)
 * (@ravanh)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-1/page/2/#post-4581798)
 * [@all](https://wordpress.org/support/users/all/) – please be aware that:
    1. The malicious code is not in the original plugin file. It has been put there
       through a hack.
    2. The fact that it is inside a security plugin file is ironical (to say the
       least) but does NOT necessarily mean that the plugin is insecure. The leak
       might just as well be in any other file…
    3. A chain is as strong as its weakest link. Removing one link, without being
       sure it is the weakest, will not make the chain stronger.
 * That said, I’d really like to hear back from Johan Eenfeldt about his findings.
   And if development of this plugin continues because it remains an increasingly
   useful one.
 *  [Julian Fox (greataussiepie)](https://wordpress.org/support/users/greataussiepie/)
 * (@greataussiepie)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-1/page/2/#post-4581799)
 * `wpengine.com` use this on all their WordPress installations by default, I haven’t
   had any problems with them, and heard mostly good things.
 * They also like to be a bit picky about what you can and can’t do with your WordPress
   so I’m confident they know what they are doing with limit login attempts. However
   they may modify it, I don’t know.
 * Haven’t seen any issues with this plugin on any of my sites since I reported 
   this so I dunno, maybe it was a plugin conflict that went away with an update
   of another plugin.
 *  [Benny](https://wordpress.org/support/users/bvl/)
 * (@bvl)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-1/page/2/#post-4581800)
 * IMHO, this all comes down to:
    1. the plugin itself does **not** suffer from a security breach and is safe to 
       use
    2. some hackers seem to target this popular plugin to _hide_ some malicious code
       in. They probably target another plugin on your system if you remove it.
 * So, if you have been hacked this way, be aware that your site does suffer from
   a security breach, but it is unlikely that that is a leak inside the original
   plugin code.
 *  [ikeif](https://wordpress.org/support/users/ikeif/)
 * (@ikeif)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-1/page/2/#post-4581801)
 * As one of the original people reporting this from the plugin “being hacked” –
   this isn’t “malicious rumors” but “cause for concern.” As the WordPress API has
   been updated repeatedly, and the plug-in has not in two years, it creates the
   cause for concern that it may be using insecure or deprecated methods that can
   create the potential for it to be targeted and hacked.
 * Two independent users (myself and igloobob) encountered this issue. I have emails
   from a third party notifying me of the breach:
 * > You may view the external back link by looking at the source of the page.
   >
   > Please know that we rectified the infection by having http://www.sucuri.net/
   > disinfect our blog and the infected pages. In order to assist you, we have
   > provided you with information and coding below if your blog or site has been
   > impacted by the infection spread by these hackers:
   >
   > ======================================================
   >
   > Infection got through:
   >
   > ./blog/wp-content/plugins/limit-login-attempts-S/limit-login-attempts.php
   >
   > The .php file contained the following malicious code loading lots of .html
   > files (~ 184 files) within the directory
   > ‘./blog/wp-content/plugins/limit-login-attempts-S/scripts/’:
   >
   > ======================================================
   >
   > ```php
   > // $dir is set earlier in the injected code (not shown in the email): the list of
   > // spam .html file names from the scripts/ directory. Three are picked at random
   > // and rendered as links to cloaked ?pid= pages on the victim site.
   > $rand_dir=array_rand($dir,3);
   > foreach($rand_dir as $t_num) {
   >     echo '<a href="'.home_url().'/?pid='.$dir[$t_num].'" target="_blank">'.str_replace('.html','',str_replace('-',' ',$dir[$t_num])).'</a>';
   > }
   > ```
   >
   > ======================================================
   >
   > We have taken this attack on our website blog from these hackers very seriously.
   > We suggest that you forward this letter to the appropriate individual who handles
   > the technical and security issues with regard to your website.
   >
   > It is our understanding in addressing this issue with our webmaster and security
   > team is that by removing the above coding as well as the html files within the
   > script directories, any potential risk or exposure to your site from these hackers
   > should be alleviated.
 * So I think it’s a bit presumptuous to say “the plugin doesn’t suffer from a security
   breach and is safe to use” if you are not performing a full code and security
   audit on it, and then pushing blame on other plugins.
 * You *could* be correct. Or you could be very incorrect, asserting a false assumption,
   and the plugin needs updating.
 * Personally, I’m reviewing the code to see if I can update it myself, as time 
   permits, but as I’m not the author, it is not a priority of mine (and as it is
   a free plugin, I don’t expect johanee to make it a priority, either).
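Rolf and Benny argue above that the injected snippet is a payload dropped into a convenient plugin folder, not a flaw in the shipped plugin code, and ikeif’s email gives the shape of the tampering: an appended line in the plugin’s main .php file plus a pile of .html landing pages in a new `scripts/` directory. The practical check that settles that question is to diff the live plugin directory against an untouched copy (for example the zip from wordpress.org, unpacked). The following is an added example written for this page, not code from the thread, from the plugin or from Sucuri; it assumes you have such a known-good copy on disk. The reference and live directories, the stub plugin file and the injected line are all constructed inside the script so it runs offline.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Idioms from the injected snippet quoted in the thread (array_rand over the
# spam pages, cloaked home_url()/?pid= links) plus two generic injector idioms.
SUSPICIOUS = [
    re.compile(r"array_rand\s*\("),
    re.compile(r"home_url\(\)\s*\.\s*'/\?pid="),
    re.compile(r"base64_decode\s*\("),
    re.compile(r"\beval\s*\("),
]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Relative POSIX path -> sha256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def audit(reference_dir, live_dir):
    """Compare a live plugin directory against a known-good copy of the same version."""
    ref, live = manifest(reference_dir), manifest(live_dir)
    report = {
        "added": sorted(set(live) - set(ref)),
        "missing": sorted(set(ref) - set(live)),
        "modified": sorted(p for p in ref if p in live and ref[p] != live[p]),
        # A login-limiting plugin has no business shipping loose .html landing pages.
        "stray_html": sorted(p for p in live if p.endswith(".html")),
        "suspicious_lines": [],
    }
    # Only changed or new PHP needs a content scan; unchanged files hash-match the reference.
    for rel in report["modified"] + [p for p in report["added"] if p.endswith(".php")]:
        text = Path(live_dir, rel).read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if any(rx.search(line) for rx in SUSPICIOUS):
                report["suspicious_lines"].append((rel, lineno, line.strip()[:80]))
    return report


# Hypothetical stand-in for the real plugin file; the real one is much longer.
CLEAN_PLUGIN = """<?php
/*
Plugin Name: Limit Login Attempts
*/
function limit_login_check() { return true; }
"""

# One-line version of the snippet quoted in the thread, appended to the live copy.
INJECTED = ("$rand_dir=array_rand($dir,3); foreach($rand_dir as $t_num) { "
            "echo '<a href=\"'.home_url().'/?pid='.$dir[$t_num].'\">x</a>'; }\n")


def build_fixtures():
    """Constructed reference and live copies of the plugin, tampered the way the thread describes."""
    base = Path(tempfile.mkdtemp())
    ref = base / "reference" / "limit-login-attempts"
    live = base / "live" / "limit-login-attempts"
    for d in (ref, live):
        d.mkdir(parents=True)
        (d / "limit-login-attempts.php").write_text(CLEAN_PLUGIN)
        (d / "readme.txt").write_text("=== Limit Login Attempts ===\n")
    with open(live / "limit-login-attempts.php", "a") as f:
        f.write(INJECTED)
    (live / "scripts").mkdir()
    for name in ("christian-louboutin-pumps.html", "cheap-shoes-sale.html"):
        (live / "scripts" / name).write_text("<html>spam landing page</html>\n")
    return str(ref), str(live)


if __name__ == "__main__":
    reference, live = build_fixtures()
    for key, value in audit(reference, live).items():
        print(f"{key}: {value}")
```

Run it against every plugin directory, not just this one: if the reference copy hashes clean and the only differences are an appended line and new .html files, that is consistent with Benny’s reading (the plugin was the hiding place), and the next question is how the attacker obtained write access to wp-content, which this check does not answer.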
 *  [Benny](https://wordpress.org/support/users/bvl/)
 * (@bvl)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-1/page/2/#post-4581802)
 * It is my concern that with this kind of hack people are blaming this plugin and
   think removing it is all they need to do to be safe again, while the real security
   problem *may* (in my _opinion_ even more likely) be with another part of their
   system.
 * Maybe we can agree that it would be best if both the plugin would get a thorough
   code and security audit AND people who ended up with a hacked ‘Limit Login Attempts’
   plugin also seriously look at other possible _origins_ for the hack, okay?
 * 😉
 *  [Iamhere](https://wordpress.org/support/users/iamhere/)
 * (@iamhere)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-1/page/2/#post-4581803)
 * Thanks to the moderators, my previous post was removed. So much for free speech–
   Dear moderators – do you enjoy censorship – perhaps you should move to Beijing?
   And not even any notification that my post was not allowed (presumably because
   I mentioned a couple of alternative plugins?)
 * The point I was making is that this plugin has been very useful, but it is out
   of date – over 2 years old. There are other alternatives out there, such as Wordfence
   and All in one security plugin, however, what I loved about this plugin is that
   it’s so simple.
 * Here’s hoping the author of this plugin can get to update it.
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-1/page/2/#post-4581804)
 * > Thanks to the moderators, my previous post was removed. So much for free speech–
   > Dear moderators – do you enjoy censorship – perhaps you should move to Beijing?
 * It appears to have been caught as spam. I recovered it above and don’t plan to
   move to Beijing.
 * > And not even any notification that my post was not allowed
 * Generally, no. It was caught as spam and we don’t want spammers to know they 
   were caught as spam (obviously, you weren’t spamming).
 * > Here’s hoping the author of this plugin can get to update it.
 * There is no need to update it, it works just fine and has no security vulnerabilities
   itself, but I’ll respond to some of your specific points from your earlier reply
   below.
 * > This plugin is over two years old and does not appear to have been updated,
   > therefore it has been abandoned.
 * That is true in a technical sense, though it has no bearing on the quality and
   use of a plugin.
 * > PHP code has changed a lot over the last two years, and any plugin that hasn’t
   > been updated in that time should be considered unsafe.
 * Not true. Yes, PHP has changed a lot, but that doesn’t mean the plugin is now
   automatically unsafe, that’s not how PHP (or any coding language for that matter)
   works.
 * Code is unsafe if it’s unsafe, nothing more, age plays no factor. If a security
   vulnerability is discovered in the plugin over time, then it was there to begin
   with, and either wouldn’t have been allowed by the WordPress.org Plugins Review
   team or it would have been removed immediately after the report.
 * This plugin still works, there are no security vulnerabilities in the plugin 
   itself, it is still recommended by countless WordPress security experts and installed
   by default at many hosting providers, there is no reason for it to be updated.
 *  [Iamhere](https://wordpress.org/support/users/iamhere/)
 * (@iamhere)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-1/page/2/#post-4581805)
 * [@macmanx](https://wordpress.org/support/users/macmanx/) – thank you for your
   sincerity! Forgive my gripe – I was feeling rather persecuted!
 * Why do my posts keep getting marked as spam? I am not doing any spamming!! 
   I hate spam!!!!
 * Thank you for your fair comments and response.
 * As I have said, I am not attacking this plugin, or the author – I appreciate 
   the time and effort they have put into this plugin – however, the fact remains
   that when a plugin (even one as good as this) is left to age, it may not do so
   gracefully. Often, the only defense a humble plugin user has is to look at how
   often the plugin is updated.
 * That being said, I am not an expert and do not claim to be – so I defer to your
   greater knowledge of the code veracity within this plugin.
 * Notwithstanding, this issue brings up the wider debate around WordPress plugins
   and a repository of code, some of which is outdated and of poor quality. I realise
   this debate probably could be moved to a different topic, and is certainly bigger
   than just this plugin, but it’s an issue that affects every user.
 * I guess it’s an open source issue – the same problems exists within Google’s 
   Play store.
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/plugin-hacked-1/page/2/#post-4581806)
 * > Why do my posts keep getting marked as spam? I am not doing any spamming!!
   > I hate spam!!!!
 * The mysteries of spam. Sadly, as spam gets more human-like, more non-spam posts
   are caught in the cross-fire.
 * > Often, the only defense a humble plugin user has is to look at how often the
   > plugin is updated.
 * At the plugin listing, check out the bottom of the sidebar, the “Compatibility”
   poll. This is one of the many reasons for why such a poll was created.
 * [http://wordpress.org/plugins/limit-login-attempts/](http://wordpress.org/plugins/limit-login-attempts/)
 * Now, the results aren’t all that helpful at the moment as WordPress 3.9.2 is 
   only a few hours old, but select WordPress 3.9.1 from the drop-down menu and 
   you’ll see that 23 people say that Limit Login Attempts 1.7.1 works with WordPress
   3.9.1 vs. 1 person who says it’s broken, and judging by such a high margin
   that 1 person probably just doesn’t know how to use it or ran into a conflict
   with some other plugin. 🙂
 * > Notwithstanding, this issue brings up the wider debate around WordPress plugins
   > and a repository of code, some of which is outdated and of poor quality.
 * Hence the compatibility poll and ratings system. 🙂
 * > I realise this debate probably could be moved to a different topic, and is 
   > certainly bigger than just this plugin, but it’s an issue that affects every
   > user.
 * Yes, definitely, if you’d like to discuss this in broader sense, please do start
   a new topic.


The topic ‘Plugin hacked’ is closed to new replies.


## Tags

 * [brute force](https://wordpress.org/support/topic-tag/brute-force/)

 * 38 replies
 * 18 participants
 * Last reply from: [WPDogger](https://wordpress.org/support/users/wpdogger/)
 * Last activity: [11 years, 6 months ago](https://wordpress.org/support/topic/plugin-hacked-1/page/3/#post-4581818)
 * Status: not resolved