At ShoutMeLoud, I keep writing about various WordPress plugins, and in some of those posts I mentioned the phpMyAdmin plugin, which used to be a useful plugin for opening phpMyAdmin from the WordPress dashboard. Personally, I had this plugin on a couple of my blogs until today.
Update: Now you can use the Adminer plugin to access phpMyAdmin from the WordPress dashboard.
Today a couple of my blogs were giving some weird errors, and even my antivirus, NOD32, showed an HTML/iframe trojan alert whenever I opened these two sites. When I checked the source code of the sites, I could see a spam site link embedded in an iframe. It was quite clear that the sites were compromised and that some malicious script had been added by a hacker.
I installed a couple of security plugins and also checked my server over FTP using FileZilla to see which files had been modified recently, but it seems I was out of luck today and I couldn't find anything. All the sites were hosted at Hostgator, and I created a support ticket to fix this issue.
Thanks to their security team, after one hour I got a reply from Hostgator confirming that my site was compromised and that the errors were the result of malware injected into the index.php files. This was done through an exploit in the WordPress phpMyAdmin plugin. I also checked the WordPress plugin repo and realized that the plugin had been removed from the official WordPress plugin repo, and I found this article, which clearly stated how bad this plugin is for any WordPress blog.
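The two manual checks described above (looking for recently modified files, then looking inside index.php files for the injected iframe) can be scripted so they cover a whole document root at once. The POSIX shell script below is an added example, not code from the original post or from Hostgator; the document root path, the two-day window, and the small sample site it builds (with a constructed spam URL) are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Finds PHP files changed recently
# under a WordPress document root and index.php files that carry an <iframe>.
# The document root, the day window and the sample site are constructed.

# Print PHP files under $1 modified within the last $2 days (default 2).
recent_php_files() {
    root="$1"
    days="${2:-2}"
    find "$root" -type f -name '*.php' -mtime "-$days" | sort
}

# Print every index.php under $1 that contains an <iframe> tag (any case).
iframe_in_index() {
    root="$1"
    find "$root" -type f -name 'index.php' -exec grep -il '<iframe' {} + | sort
}

# Build a small constructed WordPress tree so the checks run offline:
# a clean root index.php, an injected plugin index.php and an old helper file.
make_sample_site() {
    site="$(mktemp -d)"
    mkdir -p "$site/wp-content/plugins/example"
    printf '<?php\n// clean loader\nrequire __DIR__ . "/wp-blog-header.php";\n' \
        > "$site/index.php"
    printf '<?php\n// injected line (constructed sample, not a real URL)\necho "<iframe src=\\"http://spam.example/\\" width=\\"0\\" height=\\"0\\"></iframe>";\nrequire __DIR__ . "/../../../wp-load.php";\n' \
        > "$site/wp-content/plugins/example/index.php"
    printf '<?php\n// untouched helper\n' > "$site/wp-content/plugins/example/helper.php"
    # Backdate the helper so it falls outside the recent-changes window.
    touch -t 202001010000 "$site/wp-content/plugins/example/helper.php"
    echo "$site"
}

# Against a real install the calls would look like (path is an assumption):
#   recent_php_files /home/user/public_html 2
#   iframe_in_index  /home/user/public_html
if [ "${1:-}" = "--demo" ]; then
    demo="$(make_sample_site)"
    echo "Recently modified PHP files:"; recent_php_files "$demo" 2
    echo "index.php files containing an iframe:"; iframe_in_index "$demo"
    rm -rf "$demo"
fi
```

Run it with `--demo` to see both checks against the constructed tree. The modification-time check on its own is only a hint, because file timestamps can be set to any value, so the content check on index.php is the more dependable of the two; run both, and compare any flagged index.php against a fresh copy of the same WordPress or plugin version before deciding it is clean.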
I'm sure those who have been blogging on the WordPress platform for years may have installed this plugin at some point, and if you are one of them, kindly delete this plugin.
I would also suggest checking all the plugins installed on your blog: for any plugin that has been removed from the WordPress plugin repo or has never been updated, it's better to remove it and find an alternative. Every plugin should be compatible with the latest WordPress version to ensure the security and safety of your WordPress blog.
- Keep your plugins updated
- Keep a complete backup of your WordPress blog
- Keep your theme and WordPress version updated
- Use hosting with excellent support. In my case it's Hostgator
Also, if you are someone who offers WordPress services and have used this plugin on any client site, you had better contact them and ask them to delete this rogue plugin. Also read the following posts to ensure the security of your blog:
- 7 essential security tips
- Change the WordPress default username to ensure better security
- 5 security-related WordPress plugins
Do let us know if you have recently spotted any hacked WordPress blog that was compromised due to the WpPhpmyadmin WordPress plugin.