Security Alert: The WpPhpMyAdmin WordPress Plugin Can Expose Your Site to Hackers

At ShoutMeLoud I keep writing about various WordPress plugins, and in some of those posts I mentioned the phpMyAdmin plugin, which used to be a handy way to open phpMyAdmin from the WordPress dashboard. Personally, I had this plugin on a couple of my blogs until today.

Update: The Adminer plugin now offers a phpMyAdmin-style database manager inside the WordPress dashboard. The same caution applies to it: a database manager reachable through wp-admin is only as safe as the plugin that exposes it, so keep it updated and remove it when you are not using it.

Today a couple of my blogs were giving weird errors, and even my antivirus (NOD32) raised an HTML/Iframe trojan alert whenever I opened the two sites. When I checked the page source, I could see a spam site link embedded in an iframe. It was clear that the sites were compromised and that a malicious script had been added by the hacker.

I installed a couple of security plugins and also went through the server over FTP with FileZilla to see which files had been modified recently, but I was out of luck and couldn't find anything. All the sites were hosted at Hostgator, so I opened a support ticket to get the issue fixed.

Thanks to their security team, I got a reply from Hostgator after about an hour confirming that my site was compromised and that the errors were the result of malware injected into the index.php files. This was done through an exploit in the WordPress phpMyAdmin plugin. I also checked the WordPress plugin repository and realized the plugin had been removed from the official repo, and I found this article, which clearly stated how bad this plugin is for any WordPress blog.
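As an added example (my own triage script, not anything from the post, from Hostgator or from the plugin), here is a POSIX shell script that does the check the post attempted by hand over FTP: it finds PHP files modified within the last N days and flags lines that carry an iframe or the obfuscation calls that injected PHP usually relies on. The directory layout, file contents, spam hostname and base64 blob (which decodes to a harmless `phpinfo();`) are all constructed for the demo.

```shell
#!/bin/sh
# Added example for this post, not Hostgator's or the plugin's code: triage a
# WordPress tree for recently modified PHP files carrying an injected iframe or
# an obfuscated payload. Every path and file below is constructed for the demo.

# scan_wp_tree DIR DAYS
# Print "path:line:text" for each suspicious line in a *.php file under DIR
# whose mtime is within the last DAYS days. -H forces the filename prefix even
# when find hands grep a single file.
scan_wp_tree() {
    find "$1" -type f -name '*.php' -mtime "-$2" -exec grep -H -n -i -E \
        '<iframe|base64_decode\(|eval\(|gzinflate\(|str_rot13\(' {} + 2>/dev/null
    return 0   # grep exits 1 when nothing matches; that is not an error here
}

# count_hits DIR DAYS -> number of suspicious lines found by scan_wp_tree
count_hits() {
    scan_wp_tree "$1" "$2" | wc -l | tr -d ' '
}

# make_fixture -> path of a temporary tree imitating two sites in one account:
#   site1/index.php                              clean core loader
#   site1/old.php                                legitimate embed, backdated to 2000
#   site2/index.php                              hidden iframe appended, as in the post
#   site2/wp-content/plugins/WpPhpMyAdmin/x.php  obfuscated eval/base64 dropper
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/site1" "$root/site2/wp-content/plugins/WpPhpMyAdmin"
    cat > "$root/site1/index.php" <<'EOF'
<?php
/** Loads the WordPress environment and template. */
define('WP_USE_THEMES', true);
require __DIR__ . '/wp-blog-header.php';
EOF
    cat > "$root/site1/old.php" <<'EOF'
<?php echo '<iframe src="https://www.youtube.com/embed/example"></iframe>';
EOF
    cat > "$root/site2/index.php" <<'EOF'
<?php
define('WP_USE_THEMES', true);
require __DIR__ . '/wp-blog-header.php';
echo '<iframe src="http://spam.example/" width="0" height="0"></iframe>';
EOF
    cat > "$root/site2/wp-content/plugins/WpPhpMyAdmin/x.php" <<'EOF'
<?php eval(base64_decode("cGhwaW5mbygpOw=="));
EOF
    # Backdate the legitimate embed so the mtime filter leaves it out.
    touch -t 200001010000 "$root/site1/old.php"
    echo "$root"
}

# Usage: sh scan.sh --demo   (builds the fixture, scans the last 7 days, cleans up)
# Against a live site: scan_wp_tree /home/user/public_html 7
if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    echo "suspicious lines in PHP files modified within 7 days:"
    scan_wp_tree "$root" 7
    echo "hits: $(count_hits "$root" 7) (widen DAYS to 20000 and the old embed shows up too)"
    rm -rf "$root"
fi
```

Two caveats when using this on a real site. The mtime window is only a first filter: an attacker can reset timestamps with `touch`, and a `<iframe` hit may be a legitimate video embed, so confirm each hit by comparing the file against a pristine copy of WordPress core or of the plugin downloaded from wordpress.org. And an injected index.php is the result, not the entry point: cleaning it without deleting the vulnerable plugin just invites the next injection.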

If you have been blogging on WordPress for years, you may well have installed this plugin at some point; if so, delete it now. Deactivating is not enough, because a deactivated plugin's PHP files stay on disk and can still be requested directly; remove the files. And if a site that ran it has shown symptoms like mine, cleaning index.php alone is not enough either: a database manager exposed to an attacker means your users table and credentials may have been read, so reset the WordPress admin and database passwords as well.

I would also suggest checking every plugin installed on your blog. Plugins that have been removed from the WordPress plugin repo, or that have never been updated, are better removed and replaced with an alternative: a plugin closed in the repo no longer receives updates there, and closures are often the result of a reported security problem. Every plugin should be compatible with the latest WordPress version to keep your blog secure.

Lesson learned:

  • Keep your plugins updated
  • Keep a complete backup of your WordPress blog, stored somewhere other than the server itself, so a compromise does not take the backup with it
  • Keep your theme and WordPress version updated
  • Use hosting with excellent support. In my case it’s Hostgator

Also, if you offer WordPress services and have used this plugin on any client site, contact them and ask them to delete this rogue plugin. Also read the following posts to ensure the security of your blog:

Do let us know if you have recently spotted any hacked WordPress blog that was compromised through the WpPhpMyAdmin plugin.


Article By
Harsh Agrawal is a blog scientist and a passionate blogger. He has been blogging since 2008 and writes about blogging, SEO, making money online and tech. His blog, ShoutMeLoud, receives 1 million pageviews/month and has over 700K subscribers.


Comments (7)

  1. Roy C.Chukwu says

    Thank you for sharing this with us.

    I will also recommend updating to the latest version of WP, as this will also help.

    Thank you.!

  2. Manendra says

    Can you suggest me one best WP plugin which helps keep my database secure from hackers? I have gone through the security plugins which you suggested in your posts and I feel all are important, but I think installing all of those will slow down my site loading time. So can you suggest one perfect plugin?

  3. John says

    That's really great info. It will help lots of people who have this similar issue with the plugin. I will have a check with my developer too.

  4. Anand Kumar says

    Thanks for sharing this alert. I don't know why you installed such a plugin. It may harm your Google ranking too.

    Stay safe, and God bless you and your blog too. :)

    For All alerts regarding WordPress, I rely on ShoutMeLoud!!

  5. rakesh says

    Thanks Harsh for your timely alert on this plugin. I always prefer phpMyAdmin instead of any plugin for taking backups of my site/blog.