Compromised? Anyone elses plugin bricked with adware after the last update?

  • I’ve used this plugin for years and it’s worked beautifully. I just updated it after a while and I’m so frustrated – the ‘settings’ and ‘view details’ links in the plugins page are hijacked by a parked advertising page posing as my website (the page title is my domain name), and I can no longer manage the plugin. It’s very strange, and it’s not any other plugin doing this because it’s ONLY this plugin that is affected and disabling all other plugins doesn’t change the behavior. I seem to remember this being developed by an individual before and now the “Visit Us” link on the plugin page redirects from Ironikus.com to a corporate WP Service website that has nothing to do with this plugin, and does not even list it anywhere.

    I think that the plugin got sold and they’ve binned it. I’m deactivating it because I think it’s compromised.
    EDIT: I can’t even deactivate it using the ‘Deactivate’ link – it just goes to a white page. I think this is suspicious. I was only able to deactivate it using the bulk actions menu.

    • This topic was modified 1 year, 6 months ago by KingDingbat. Reason: Updated
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Ironikus

    (@ironikus)

    Hey @kingdingbat – Thanks for the additional input.

    I’ve answered within your review, but I’d be happy if you could share some more details on what plugins you’ve currently active.

    A white screen usually indicates a fatal error within PHP, so debugging it might be necessary.

    I’m just about to release a new version, and I’ll certainly adjust the outdated links. We have a website available for our plugin, which most of our links are already using: https://wpemailencoder.com/

    And lastly: It’s not sold. ??

    Plugin Author Ironikus

    (@ironikus)

    Hey @kingdingbat – I’ve just released our new version, which also includes some adjustments regarding the protection setup we are using (especially in regards to the backend).

    This might solve the problem you’ve been experiencing during the deactivation. Feel free to let me know if that helps and otherwise just ping me.

    Thread Starter KingDingbat

    (@kingdingbat)

    Hi Ironikus,
    Thank you for your kind reply and update. I recognize now I should have posted here before I reviewed negatively, and I will give it another chance and I have changed my review. I also appreciate your willingness to help when I clearly screwed up. Your plugin is really important and was previously well made. I think the alternatives are sub-par compared to yours.

    First, I reinstalled your plugin and I see that the “visit us” link and your name now appears as the developer. It was different before and lead to “Ironikus.com” which redirects to WP-Webhooks.com which didn’t seem to have anything to do with the plugin. So it was suspicious to me. (Now I know your name, I see you’re the founder ??)

    I’m not sure how, but when I did the troubleshooting of deactivating plugins and testing, I missed the very one that was causing this problem. I can’t explain why it is doing this, but it’s very concerning.

    The plugin conflict is All In One WP Security, which seems like a very legitimate and important plugin… I don’t know why it would cause this behavior – but it’s definitely this. I’ve disabled all of my plugins, except Email Encoder and All In One WP Security and the problem disappears when I deactivate AIOS… and reappears when I reactivate it.

    Here’s what happens when it is active:

    When clicking on the plugin “Settings” link my website is used to display a “parked” page with advertising. The URL is the proper settings page URL, but it displays a parked domain page using my domain: Screenshot

    This same page appears in an iframe of the pop-up window that appears when you click the plugins “View details” link that normally loads the plugin’s wordpress.com/plugins listing.

    When viewing the source code of the parked page, I see that my hosting company IONOS is involved… the parked page comes from them, but I don’t know why it appears
    1. Only on your plugin and
    2. Only when AIOS is enabled.

    I did some further testing and it seems AIOS security settings is also causing the white screen when using the “activate” or “deactivate” links on plugins.

    I’m hoping you have some clues to what’s happening behind the scenes? If nothing else, at least I have a work around (disable AIOS) when I need to manage Email Encoder’s settings)
    I have restored the AIOS settings to default and enable them 1 by 1 until I figure out which setting is interfering and let you know which one it is.

    Thanks for your patience and tolerance of my foolishness.

    • This reply was modified 1 year, 6 months ago by KingDingbat.
    • This reply was modified 1 year, 6 months ago by KingDingbat.
    Thread Starter KingDingbat

    (@kingdingbat)

    FOUND IT.
    THis is the setting in AIOS that causes the issue:
    Under Firewall>Additional Firewall Rules:
    https://i.imgur.com/2NpWgbX.png
    Since this warns that some plugins may break with this setting, it may not be a bug or anything but maybe it will help you.

    Plugin Author Ironikus

    (@ironikus)

    Hey @kingdingbat – Thanks for the additional input.

    I’ve tried to recreate the issue by installing AIOS with the Deny bad Query strings setting activated, but the plugin page of our plugin is still visible without any issue.

    Do you see a difference when you open the settings page of our plugin from wihtin the “Settings” link inside of the plugins overview page compared to the one in the admin sidebar (Within the settings item)?

    If you have any additional details on whether you see some errors within your debug.log file, that’d be superb as well.

    Thank you.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Compromised? Anyone elses plugin bricked with adware after the last update?’ is closed to new replies.