Title: crose13's Replies | WordPress.org

---

# crose13

  [  ](https://wordpress.org/support/users/crose13/)

 *   [Profile](https://wordpress.org/support/users/crose13/)
 *   [Topics Started](https://wordpress.org/support/users/crose13/topics/)
 *   [Replies Created](https://wordpress.org/support/users/crose13/replies/)
 *   [Reviews Written](https://wordpress.org/support/users/crose13/reviews/)
 *   [Topics Replied To](https://wordpress.org/support/users/crose13/replied-to/)
 *   [Engagements](https://wordpress.org/support/users/crose13/engagements/)
 *   [Favorites](https://wordpress.org/support/users/crose13/favorites/)

 Search replies:

## Forum Replies Created

Viewing 7 replies - 1 through 7 (of 7 total)

 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [brend-store.ru hijacked my site via a plugin](https://wordpress.org/support/topic/brend-storeru-hijacked-my-site-via-a-plugin/)
 *  Thread Starter [crose13](https://wordpress.org/support/users/crose13/)
 * (@crose13)
 * [14 years, 11 months ago](https://wordpress.org/support/topic/brend-storeru-hijacked-my-site-via-a-plugin/page/2/#post-2124676)
 * Thank you so much for the help. It just seems so weird that I opened the plugin
   and when I clicked to download, it opened the scareware site in the same window…
   and it was only the ONE site, not any of its subdomains or my other domains. 
   I had not installed any other new plugins whatsoever in the past few months or
   so and the theme I installed I built myself. That would leave either a hole in
   my server security, which seems unlike since only one site was affected. There
   is just a lot of big doubts about EVERY possibility, including my own thought.
   What can I do to figure out what happened and ensure it doesn’t happen again.
   Changing my login, etc. helps if that was the issue, but if it was compromised
   once it can be again. I’d like to know for sure what happened so I can be better
   educated if it happens again.
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [brend-store.ru hijacked my site via a plugin](https://wordpress.org/support/topic/brend-storeru-hijacked-my-site-via-a-plugin/)
 *  Thread Starter [crose13](https://wordpress.org/support/users/crose13/)
 * (@crose13)
 * [14 years, 11 months ago](https://wordpress.org/support/topic/brend-storeru-hijacked-my-site-via-a-plugin/page/2/#post-2124673)
 * I run security and before kmessinger said anything, I’d already read all of those
   articles. I’d just done a redesign and always clean out my whole server between
   redesigner. I am familiar with Sucuri Site Check and run it as often as I run
   Malwarebytes on my physical machine. It was checked and fine BEFORE the plugin
   install, but not after. If my server was compromised, wouldn’t it affect ALL 
   of my domains and subdomains because it only effected the one I’d just installed
   the plugin on?
 * I do understand Esmi’s position, I just didn’t appreciate being treated like 
   I’m intentionally badmouthing a plugin I’ve used before and appreciated. I also
   did not retract my statement and don’t appreciate words being put in my mouth.
   I would have loved to have had an opportunity to say how much I do love the plugin
   but the WordPress plugin page DID redirect me to a scareware site. My OWN site
   did not send me to scareware or spam. THAT plugin page did. I did my best to 
   alert the proper authorities to fix it. I know that the plugin would never intentionally
   hijack my site, but I do feel it or its source was compromised.
 * My site was perfectly fine before the plugin, and only the one part was compromised
   after. The files I found that restored my site long enough to get my hosting 
   provider to fix the rest were new files created that day and that time in my 
   WordPress plugin files in a folder for the Maintenance Mode plugin in a folder
   that had not finished downloading and my WordPress said there was an error with
   the plugin. Something doesn’t add up. Within the past month more than just me
   have reported the plugin messing up their sites and blogs. More than just me 
   have reported the plugin and even Esmi said it was “unlikely” not impossible.
   In the past month a fantastic plugin has been likely responsible for messing 
   up several sites…it may be worth paying some attention to instead of arguing 
   with already upset users.
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [brend-store.ru hijacked my site via a plugin](https://wordpress.org/support/topic/brend-storeru-hijacked-my-site-via-a-plugin/)
 *  Thread Starter [crose13](https://wordpress.org/support/users/crose13/)
 * (@crose13)
 * [14 years, 11 months ago](https://wordpress.org/support/topic/brend-storeru-hijacked-my-site-via-a-plugin/#post-2124671)
 * I went into my backend. I went to plugins. I did a search for it as I’ve used
   it several times before. I downloaded it from the official location, and it redirected
   me to a scareware site…the same one my site started redirecting to. I ran Malwarebytes
   on my computer. Nothing.
 * I checked my backend, most of the fake inserted .htaccess files giving me trouble
   were in my plugins folder in the Maintenance Mode plugin files. This all also
   ONLY affected my site I installed Maintenance Mode to and it happened the second
   I tried. All subdomains and other domains on the same sever were unaffected. 
   It was NOT my hosting provider. It was this plugin.
 * I love Maintenance Mode. I’ve used it many times. However, it was the ONLY thing
   I was trying to change and there seems to have been some other complains around
   the day I had my trouble, but the forum admins are closing all topics on the 
   matter. I just checked it again on a superfluous domain. It seems to be working
   fine now. I don’t think it was Maintenance Mode’s fault, but I do think it was
   temporarily hijacked or something of that nature.
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [brend-store.ru hijacked my site via a plugin](https://wordpress.org/support/topic/brend-storeru-hijacked-my-site-via-a-plugin/)
 *  Thread Starter [crose13](https://wordpress.org/support/users/crose13/)
 * (@crose13)
 * [14 years, 11 months ago](https://wordpress.org/support/topic/brend-storeru-hijacked-my-site-via-a-plugin/#post-2124669)
 * I posted on the forum of the plugin that was ALSO hijacked and gave the problem
   to me…
 * I was rudely told not to make such accusations and they linked to THIS support
   thread to say I have taken back my accusation and it was my server’s fault. Then
   they closed my post. Um…my server FIXED it. It was still the Maintenance Mode
   plugin that gave it to me. Not intentionally, but I believe it is infected too.
   You’d think you could find better help online eh dontbegauche?
 * I’d look into changing hosting. There are times when my hosting provider is the
   only one who can save me.
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [brend-store.ru hijacked my site via a plugin](https://wordpress.org/support/topic/brend-storeru-hijacked-my-site-via-a-plugin/)
 *  Thread Starter [crose13](https://wordpress.org/support/users/crose13/)
 * (@crose13)
 * [14 years, 11 months ago](https://wordpress.org/support/topic/brend-storeru-hijacked-my-site-via-a-plugin/#post-2124518)
 * My host thankfully removed EVERY little trace for me. I know there are WordPress
   security plugins, but I don’t know how effective they are against hijacking and
   injected files. I’m really hesitant about downloading any updates or plugins 
   with this thing infecting WordPress…
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [brend-store.ru hijacked my site via a plugin](https://wordpress.org/support/topic/brend-storeru-hijacked-my-site-via-a-plugin/)
 *  Thread Starter [crose13](https://wordpress.org/support/users/crose13/)
 * (@crose13)
 * [14 years, 11 months ago](https://wordpress.org/support/topic/brend-storeru-hijacked-my-site-via-a-plugin/#post-2124515)
 * I contacted my host, who removed the rest I didn’t find. You’re right. All the
   articles say check .htaccess, but they inject a fake one in EVERY folder. This
   hack seems to be common but not often talked about, probably because many people
   wouldn’t notice and would assume their site is just messed up.
 * I hope plugin owners start checking their own stuff more often because others
   not noticing is how it’s spreading. Let me know if your hosting provider gives
   you any helpful hints 🙂
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [brend-store.ru hijacked my site via a plugin](https://wordpress.org/support/topic/brend-storeru-hijacked-my-site-via-a-plugin/)
 *  Thread Starter [crose13](https://wordpress.org/support/users/crose13/)
 * (@crose13)
 * [14 years, 11 months ago](https://wordpress.org/support/topic/brend-storeru-hijacked-my-site-via-a-plugin/#post-2124456)
 * Did you TRY to download a plugin that did it? I read all of the articles from
   WordPress already and nothing helped. I didn’t want to have to restart everything,
   so I logged into my server and deleted anything that didn’t look necessary. Somewhere
   along the way, I deleted the right thing. I think it was in the Downloads folder.

Viewing 7 replies - 1 through 7 (of 7 total)