WP-FacebookConnect plugin opens a backdoor for an exploit

Facebook Connect worked for me where other plugins failed, however it opened a back door for a hacker to manipulate my database.

Just after installing and configuring the plugin, I logged into my dashboard to find no access to my posts, pages or any other administrator functionality. After much hunting, I discovered that, somehow, my administration user’s privileges had been stripped. i solved it by doing the following:

1) Log into phpMyAdmin from your cPanel or use the phpMyadmin plugin.
2) Select the database for your WordPress site.
3) From the list to the right, scroll down and click on wp_usermeta
4) Find your admin user. It should be the very first one listed (meta value “your name”)
5) Click the edit icon (the pencil) next to the table labeled “wp_capabilities” under the meta_key column.
6) In the “meta_value” text field, delete what is there and paste in teh following:

a:1:{s:13:”administrator”;b:1;}

Click “go” and you will now have your administrator powers back.

IMMEDIATELY disable the Facebook Connect plugin. The robot that hacks your site will send its signal randomly, sometimes right after you grant yourself your powers back.

The last thing I expected was for this plugin to be causing the problem, and so naturally I went through EVERY other option possible to try and fix it, including resetting passwords, usernames, table prefixes, adding .htaccess files to wp_admin and wp_config, scanning all my files (every page, image, .css, .php and .js) for malicious code, installing dozens of security plugins and so on. Every security blog that youc an name, I read it, and I did what it said, to no avail. I then started disabling my plugins one by one. Disabling one, waiting a day to see if i got hacked again, and if I did, re-enabling it and disabling a new one.

I finally was rid of my hacker issue only after I disabled this plugin. it has been 5 days since my wordpress site has been hacked, and I can only conclude that this plugin alone opened a backdoor to my databases.

I am very sad to have to disable this plugin, for it was the only Facebook connect plugin I tried (and I tried them all) that actually allowed Facebook users to register a new account on my site. I really hope the issue is solved, but I am now too afraid to use this plugin again.

I now use Simple Facebook Connect for the “like” feature and the widgets, but it will not work as well as thsi one did.

http://wordpress.org/extend/plugins/wp-facebookconnect/