• Resolved maitreyauk

    (@maitreyauk)


    Hi there! I installed your plugin into my WordPress and in the following month I was hacked! My website has been damaged and I’ve been forced to clean up everything and install my WordPress and databases again…

    well..

    I installed WordPress on my spare (local) Linux computer at home just to find out and check what’s going on.. you know, like a test website..
    I installed everything back (plugins etc.) into that (local computer) WordPress..
    Then I ran a scanner for exploits and I found out that your plugin has malicious code, so I checked my website’s backup, which was about 1 week old, and I found out that the malicious code had been used for hacking my website!.. Everyone can see the screenshot I made HERE! I hope no one else gets into trouble with this ”wordpress-secure” plugin.. don’t use it, people!
    kip

Viewing 7 replies - 1 through 7 (of 7 total)
  • The base64 and eval codes *can* be used to bring in malicious code, but they are *also* used in honest useful code. For example, I bought Wishlist last year. It has the same warning, that those two codes I mention above are in the script.

    Why?

    Because those codes are used to compact and squeeze as much good code as possible into a script/plugin/etc.

    Got worries? Get Malzilla. This great tool can help you track down malicious intent in eval’ed code among many other things.

    https://malzilla.sourceforge.net/

    My site (converted to WP last year) was getting hit from a variety of places. I found packed code that pointed back to many non-US sources, that I hadn’t put in my site. Malzilla helped me dig into files that I would’ve had to spend a lot more time researching. It won’t fix your problems, but it will tell you, when used correctly, whether code you suspect is bad, actually is.

    Rich

    This function is only for including the images on this site in a performant way, that’s all, and it is a great resource for including images via code. It is not a security hole!

    Well the plugin is not claiming to completely protect your website. As the plugin Author is stating Secure WordPress is “little help” meaning that it is additional help not a complete website security solution. And the base64 code is just encoded images and nothing more. For a complete website security solution you should look into htaccess website protection.
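
An added example, not part of the thread and not code from the plugin or from any scanner mentioned here: a Python triage sketch for the question the posts above argue about, namely whether a base64 literal flagged in plugin source is an embedded image or text that gets passed to `eval()`. The names `triage`, `classify` and `SAMPLE_PHP` are hypothetical and the PHP sample is constructed.

```python
import base64
import binascii
import re

# Magic bytes of image formats a plugin might embed as base64.
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif",
               b"GIF89a": "gif", b"\xff\xd8\xff": "jpeg"}
# Quoted run of base64 characters, optionally behind a data: URI header.
LITERAL = re.compile(
    r"""(['"])(?:data:[\w/+.-]+;base64,)?([A-Za-z0-9+/]{16,}={0,2})\1""")
# The literal is an argument of base64_decode() whose result goes to eval().
EVAL_SINK = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*$")

# Constructed sample input: a GIF header plus padding, and a harmless echo.
GIF_B64 = base64.b64encode(b"GIF89a" + bytes(12)).decode()
CODE_B64 = base64.b64encode(b'echo "hello";').decode()
SAMPLE_PHP = (
    "<?php\n"
    f"$icon = 'data:image/gif;base64,{GIF_B64}';\n"
    "echo '<img src=\"' . $icon . '\" />';\n"
    f"eval(base64_decode('{CODE_B64}'));\n"
)


def classify(decoded: bytes) -> str:
    """Name what the decoded bytes look like: an image, text, or other binary."""
    for magic, name in IMAGE_MAGIC.items():
        if decoded.startswith(magic):
            return "image/" + name
    if all(32 <= b < 127 or b in (9, 10, 13) for b in decoded):
        return "text"  # printable ASCII, possibly source code
    return "binary"


def triage(php_source: str) -> list:
    """Decode every base64 literal and report its type and whether it is eval'ed."""
    findings = []
    for match in LITERAL.finditer(php_source):
        try:
            decoded = base64.b64decode(match.group(2), validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but does not decode
        before = php_source[:match.start()]
        findings.append({
            "line": before.count("\n") + 1,
            "kind": classify(decoded),
            "evaluated": bool(EVAL_SINK.search(before[-80:])),
        })
    return findings
```

A literal reported with `evaluated: True` needs its decoded text read by hand whatever its kind; an `image/*` literal that is never evaluated is consistent with the "encoded images" explanation given in the thread.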

    Hi,

    We just integrated the plugin with our WebsiteDefender “online service”, so from the plugin settings page, you can register to this service which enhances wordpress security, basically it is able to do what plugins are not able to do.

    This is a very well crafted sales pitch, nice job! – “basically it is able to do what plugins are not able to do”. Yep I see some things that WebsiteDefender does that some plugins do not do. Very nice sales wording. Vague and can (and probably will) be interpreted as WebsiteDefender provides website security where plugins do not. Excellent sales work!

    PS I stay away from negative or misleading sales campaigning because it usually ends up biting you in the rear. LOL Thanks.
    Ed

    Directed @ AITpro…

    Nothing is “crafty” about the sales pitch. I have installed the Secure WordPress plugin and it is working well for me.

    I personally think that just because your plugin (released a few days ago) hasn’t had the success the WebsiteDefender one has, you’re jealous. As I’m in the WordPress plugin business, I think I should let you know that you’re going about harming your competition in the worst possible way mate. If you want to harm your competition – the answer is simple – make something better!

    I will continue using the Secure WordPress plugin and will report if there are any issues with it.

    Thanks,
    Tony

    @ TonyMoore – The point I was trying to make was that WebsiteDefender would make a nice addition to my website security plugin and also this one. It is a supplemental addition not a complete website security solution so there is no competition. The way the “pitch” was phrased was vague and misleading. A clearer statement instead of the way it was phrased would have been “…basically it is able to do additional things that other plugins are not able to do.” The way it is phrased is that it is a replacement, which obviously it is not, it is a supplemental additional website security measure. Jealousy does not compute for me? I only concentrate on truth and fact and leave personal emotions or feelings out of logical, factual and truthful statements. What is the most important thing is not to mislead innocent WordPress users. The goal should be to help people and provide a service, not sell a product any way you can. And I am not saying that is what is going on here. I am just stating what I feel should be the primary and most important goal in general.

    And finally the only reason I am posting in another security plugin comments area is because I was asked directly to look at the base64 code in this plugin and then directed to this thread otherwise I would have no reason to be posting here.

    Thanks
    Ed

  • The topic ‘secure-wordpress – contains malicious scripts !’ is closed to new replies.