ShoutMeLoud – Shouters Who Inspire


Security Alert: WpPhpMyAdmin WordPress Plugin Can Expose Your Site to Hackers


At ShoutMeLoud, I keep writing about various WordPress plugins, and in some of the posts I mentioned the phpMyAdmin plugin, which used to be a useful plugin for opening phpMyAdmin from the WordPress dashboard. Personally, I used to have this plugin on a couple of my blogs until today.

Update: Now you can use the Adminer plugin to access PHPMyAdmin from the WordPress dashboard.

Today a couple of my blogs were giving some weird errors, and even my antivirus, NOD32, was showing an HTML/iframe Trojan alert whenever I opened these two sites. When I checked the source code of the site, I could see a spam site link embedded in an iframe. It was quite clear that the site was compromised and that a malicious script had been added by a hacker.

I installed a couple of security plugins and also checked my server over FTP using FileZilla to see which files had been modified recently, but it seems I was out of luck today and I couldn’t find anything. All the sites were hosted at Hostgator, and I created a support ticket to fix this issue.

Thanks to their security team, after 1 hour I got a reply from Hostgator confirming that my site was compromised and that the errors were a result of malware injected into the index.php files. This was done through an exploit in the WordPress phpMyAdmin plugin. I also checked the WordPress plugin repo and realized that the plugin had been removed from the official WordPress plugin repo, and I found this article, which clearly stated how this plugin is bad for any WordPress blog.
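A defender's check for the kind of injection Hostgator described, as an added example that is not part of the original post: it walks a WordPress directory, reports every iframe tag found in a .php file, and marks the ones hidden from visitors or pointing at a host outside a trusted list. The function names, the trusted-host list and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(rb"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Markup that keeps a frame invisible: 0/1 pixel size, or hidden through CSS.
HIDDEN_RE = re.compile(rb"""(?:width|height)\s*[=:]\s*["']?[01](?:px)?\b"""
                       rb"""|display\s*:\s*none|visibility\s*:\s*hidden""", re.IGNORECASE)

def _host(src):
    try:
        return urlparse(src).hostname or ""
    except ValueError:  # malformed URL inside the tag
        return ""

def scan_php_for_iframes(root, trusted_hosts=()):
    """Return one finding per <iframe> tag in any .php file under root, newest file first."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() != ".php" or not path.is_file():
            continue
        try:
            data, mtime = path.read_bytes(), path.stat().st_mtime
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        for tag in IFRAME_RE.finditer(data):
            m = SRC_RE.search(tag.group(0))
            src = m.group(1).decode("latin-1") if m else ""
            findings.append({
                "file": path.relative_to(root).as_posix(), "src": src,
                "hidden": bool(HIDDEN_RE.search(tag.group(0))),
                "trusted": _host(src) in trusted_hosts, "mtime": mtime})
    return sorted(findings, key=lambda f: f["mtime"], reverse=True)

def demo():
    """Build a constructed sample tree (harmless placeholder content) and scan it."""
    samples = {
        "index.php": b'<?php require "wp-blog-header.php"; ?>\n<iframe '
                     b'src="http://spam.example/in.php" width="1" style="visibility:hidden"></iframe>',
        "wp-content/index.php": b"<?php // Silence is golden.",
        "wp-content/themes/demo/video.php":
            b'<iframe width="560" height="315" src="https://www.youtube.com/embed/abc"></iframe>',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body)
        return scan_php_for_iframes(root, trusted_hosts=("www.youtube.com",))
```

A finding with hidden set and trusted unset is the one to review first; a legitimate video embed in a theme file is reported too, but with trusted set.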

I’m sure those who have been blogging on the WordPress platform for years might have installed this plugin at some point, and if you are one of them, kindly delete this plugin.

I would also suggest checking all installed plugins on your blog. For plugins that have been removed from the WordPress plugin repo or have never been updated, it’s better to remove them and find an alternative, since it’s important that every plugin is compatible with the latest WordPress version to ensure the security and safety of your WordPress blog.

Lessons learned:

  • Keep your plugins updated
  • Keep a complete backup of your WordPress blog
  • Keep your theme and WordPress version updated
  • Use hosting with excellent support. In my case it’s Hostgator

Also, if you are someone who offers WordPress services and have used this plugin on any client site, better contact them and ask them to delete this rogue plugin. Also read the following posts to ensure the security of your blog:

Do let us know if you have recently spotted any hacked WordPress blog that was compromised due to the WpPhpMyAdmin WordPress plugin.

Article by Harsh Agrawal

Harsh has written 1072 articles.


  • Roy C.Chukwu

    Thank you for sharing this with us.

    I will also recommend updating to the latest version of WP, as this will also help.

    Thank you!
  • Manendra

    Can you suggest one best WP plugin which helps keep my database secure from hackers? I have gone through the security plugins which you suggested in your posts and I feel all are important, but I think installing all of those will slow down my site loading time. So can you suggest one perfect plugin?
  • Mani

    Thanks for this info, Harsh. Till now I used that plugin. Now I have removed it from my two blogs…
  • John

    That’s really great info. It will help lots of people who have this similar issue with the plugin. I will check with my developer too.
  • Amit

    Great tips, let me delete it from my blogs. Thanks for pointing out this security issue.
  • Anand Kumar

    Thanks for sharing this alert. I don’t know why you have installed such a plugin. It may harm your Google ranking too.

    Stay safe, and God bless you and your blog too. :)

    For all alerts regarding WordPress, I rely on ShoutMeLoud!!
  • rakesh

    Thanks, Harsh, for your timely alert on this plugin. I always prefer phpMyAdmin instead of any plugin for taking backups of my site/blog.