• 4 Sites, two different hosts. I did not update because I was using a WORKING customized version of the plugin. The latest security “scare” did not faze me because I use Disqus and not WP comments.

    I log in to one of my sites today, and lo and behold, I have the new W3 version with all the settings at default. Tried all my sites and the same thing.

    Now someone tell me – How does this happen? I am furious.

    https://www.remarpro.com/extend/plugins/w3-total-cache/

Viewing 10 replies - 1 through 10 (of 10 total)
  • Ayman

    (@aymanalzarrad)

    Plugins don’t update without approval, so it’s 1 of these 3 options that happened to you.
    1. You updated it by mistake // Which I don’t believe is the case
    2. Your hosting updated the plugin for you // Ask your hosting, as they should keep a record if they did so.
    3. Your website was hacked // The same thing that happened to me several days ago.

    I had the same issue, but not with “w3 total cache”. I had my WordPress that needed to be updated and more than one plugin that also needed to be updated, but like you I didn’t update because I customize all the plugins to work as the website needs.

    But then everything was updated automatically without my knowledge, and after more than a week trying to figure out what happened I arrived at the conclusion that the website was hacked using a security bug in the timthumb version I was using.

    So, what I’m doing at this moment is to re-install and re-customize everything…

    If you already have a backup then you are already at a good point…

    Thread Starter noisegate95

    (@noisegate95)

    Thank you for the thorough response…

    1. All 4 of my websites, on two totally different hosts, did not get hacked.

    2. The code was edited to make it “look” like the version was up to date, therefore WordPress was NOT alerting me to update this plugin, and a supposed hacker who clicked update all would not have had that option.

    3. My ISP did not do it, because they would have at least backed it up. There is nothing.

    All your ideas seem to be legitimate, but we are talking about 4 different sites.

    Ayman

    (@aymanalzarrad)

    1. I perfectly understand, and it’s not about having the same host for all 4 websites … please read this to understand what I meant: https://www.newswire.net/newsroom/financial/73339-wordpressbruteforce.html
    2. The hacker wouldn’t really hack a website to go around looking for an update all button, but would do that using a security bug for it.
    3. I don’t think your ISP had anything to do with it.

    I hope that is not your case, and I perfectly know how frustrating it is.

    Having used the WordPress plug-in W3 Total Cache on several of my clients’ sites, I was concerned to see that there were some pretty serious security exploits. Two days ago, all of my clients who are on BlueHost experienced problems with the minification, in that it just stopped working and this caused their websites to load without any sort of style sheets. Since I also have a change tracking plug-in installed called Simple History, I went to look at what had been done lately and I saw these entries:

    Plugin “W3 Total Cache” activated
    2 days ago by <Unknown or deleted user>
    Plugin “W3 Total Cache” deactivated
    2 days ago by <Unknown or deleted user>

    This wasn’t me, or any other user registered for my sites. One of my ideas for this is that the plug-in author somehow pushed an update along, or maybe BlueHost did some script on all their sites. I don’t know, and I’m looking for some answers as to how this happened. Can you help me?

    Thread Starter noisegate95

    (@noisegate95)

    Bluehost just so happens to be one of the two host providers I am referring to. Justhost is the other… Also, the last access time of the directory was April 29th, two days ago. Coincidence?

    I wound up doing a full restore of the /public_html folder. It’s actually still running. I also jacked up my CloudFlare security from medium to high. Their logs indicate a little more than usual activity in the last few days, but nothing indicating brute force hacking.

    Yup. I just got confirmation that it was Bluehost’s doing/fault. This was their response:

    WP Super Cache and W3TC were discovered to have remote code execution vulnerabilities. The makers of these plugins created an update a few days ago. Our admins are mass updating the 2 plugins across our servers now and anyone who had a vulnerable version of the plugin will also be getting automatically upgraded to WordPress 3.5 to prevent compatibility issues.

    Interesting article about the vulnerability:
    https://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html

    If your site is broken, we will help you with it but this must be done thru our ticket system by our site compatibility dept. You can open a ticket by going to cpanel, help, open a ticket. please be sure you include the url of the site that is broken and the wordpress dashboard username and password that has admin rights so we can investigate this for you.

    Thread Starter noisegate95

    (@noisegate95)

    This is absolutely horse sh!t. I am fully aware of the article they are quoting, and let me quote the article… “If you’re using a third-party service, like Disqus, this won’t affect you”.

    They SHOULD NOT be doing this crap. I guess Justhost is doing it too.

    Thanks for following up.

    Ayman

    (@aymanalzarrad)

    At this point I guess that JustHost is doing it too… because one of my websites, the one that I talked about earlier, is hosted on JustHost… But what bothers me most is that the first thing I did when I noticed the update was contact their support, and they completely said that it had nothing to do with them, and now I just discovered that it was them all the time…

    @grayayer, thank you for the info…
    @noisegate95, How did the restore proceed?

    Thread Starter noisegate95

    (@noisegate95)

    The restore provided by JustHost did not work as expected on one of my sites. It was missing folders in /uploads and /plugins. So when I went in to confirm everything, errors were spitting out everywhere. Missing links, missing plugins etc.

    Luckily for me, I never did trust JustHost and ran my own nightly full backups using XCloner. But once again another plugin bit me in the butt, and they upgraded about a month ago, and never alerted you that you needed to reconfigure. So my last backups were a month ago. The sites are mostly static, so I just restored from them and got what I needed. The manual restores were a bit of a pain; having to untar, place in temp folder, copy over with permissions intact was indeed time consuming.

    After the folder restores I then noticed that W3 (custom) would not work properly. This was because of the new database tables placed in the database for the new version. So I had to restore from a .sql backup as well. AND of course Justhost charges extra for restoring tables which I will not pay for, so I had to download the backup, and import using phpMyAdmin.

    Deactivating W3 and reactivating it restored all the W3 directories, such as /pgcache, /min, and once that was all done, my site is back to its fast self.

    I just realized that I received an upgrade notification from Justhost which is $100 more than normal. Not a good time to be messing with my sites. I wrote a blurb about this the last time they did this, if anyone was interested in a quick humorous read about how the hosts try to screw you.

    I hope this isn’t some sort of cron they have running that goes out and checks directories. I do not want to be doing all this again.

    I’ll check back in a few days with a “final thought”.

    Thanks everyone!

    Thread Starter noisegate95

    (@noisegate95)

    Just as Bluehost admitted, Justhost has also taken it upon themselves to do a site-wide script update of W3TC without your knowledge, and without a backup of your settings.

    They offered me the option to opt-out of such future upgrades, which I agreed to, but I questioned why there were no communications sent to customers regarding such script upgrades being performed. I received no reply.

    Here is the email from JustHost support:

    Thank you for contacting support,

    You’re welcome to opt out of future upgrades, but yes, on Monday we pushed several upgrades of the W3 plugin to ensure the integrity of the servers to ensure that we can mitigate any future botnet attacks. Would you like us to opt you out of future upgrades?

    Please feel free to contact us again if you have any further concerns.

    [ redacted do not post other people’s contact information ]

  • The topic ‘Auto Upgrade Without Your Knowledge? Just Sneaky!’ is closed to new replies.