Title: Does Duplicator plugin grab Admin data for hacking??
Last modified: August 21, 2016

---

# Does Duplicator plugin grab Admin data for hacking??

 *  Resolved [JW555](https://wordpress.org/support/users/jw555/)
 * (@jw555)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/does-duplicator-plugin-grab-admin-data-for-hacking/)
 * So I was recommended to use this Duplicator Plugin to migrate a site from one
   domain to another.
 * As a precaution I deactivated all plugins except Duplicator prior to making the
   backup
 * I am VERY security conscious, so I restored the site, changed the Admin login
   to something like
 * AKHJKH3 with an email of rthgt4@mydomain.com (admin1)
 * Then once the site was migrated and working I removed the duplicator plugin, 
   changed the DB username and password, changed the admin name twice (admin2 & 
   admin3), each time logging out and deleting the previous admin account. I also
   made sure all the posts were attributed to an editor login and that a nickname
   was used that was not the same as any login, only then did I reactivate the plugins.
 * So admin1 was ONLY used for one purpose, the migration, it was active for less
   than 20 minutes, yet recently 2 things have started to happen,
 * 1. I am getting spam sent to rthgt4@mydomain.com
   which is not a problem as I have disabled with a bounce.
 * 2. Wordfence has reported an attempt to login to the site using the AKHJKH3 login.
   It did not succeed because the account was deleted within minutes of the migration
   and Wordfence automatically blocked the IP for accounts that do not exist.
 * There have been no attempts on Admin2 or Admin3 or the editor login
 * The site has been scanned for malware and none was found, so the only conclusion
   I can come to is that the Duplicator plugin sent the AKHJKH3 login to some remote
   site or stored them in a file on the site somewhere to be collected later.
 * None of the plugins were active during the migration and there is no malware 
   on the site, I think it is highly unlikely that some remote code was activated
   in the 20 minute window the admin1 account was active.
 * I have seen a few suggestions online when I search for duplicator plugin hack,
   nothing definitive.
 * So has anyone else had their site hacked after using the Duplicator plugin?
 * [https://wordpress.org/plugins/duplicator/](https://wordpress.org/plugins/duplicator/)

Viewing 7 replies - 1 through 7 (of 7 total)

 *  [Cory Lamle](https://wordpress.org/support/users/corylamleorg/)
 * (@corylamleorg)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/does-duplicator-plugin-grab-admin-data-for-hacking/#post-5154019)
 * Hey JW555,
 * You can rest assured that there is no secret code that is sending credentials
   to a remote location. The [entire code base](http://plugins.svn.wordpress.org/duplicator/tags/0.5.6/)
   is completely GPL. Meaning the entire world can look at it and evaluate
   it from end to end. If an author tried to sneak in some type of remote code then
   the plugin would have been removed years ago especially in a public repository
   as large as WordPress.
 * As plugin authors we actually get [3rd party audits](https://www.htbridge.com/advisory/HTB23162)
   from other companies that help to alert us to any vulnerabilities in the code.
   If the code is found to have issues then it will be removed from the plugin repository
   until the issue is resolved. There have been security patches submitted to the
   plugin by 3rd party auditors in the past and they have been addressed and fixed
   shortly after I received them. As it is with any software the plugin will probably
   receive notices in the future as well.
 * While 20 minutes is a short amount of time it is a window any hacker could snoop
   out your data. I assume that your entire process was done over SSL since you're
   very security conscious. Even that being the case if you're on a shared host or
   even VPN a hacker has many paths into your system if they really want, especially
   on shared hosts. I understand there happens to be coincidence that you just used
   the plugin, but any type of behavior you're mentioning would never come from the
   original code base.
 * I would recommend that you work with the server administrator to see what systems
   they have in-place to monitor http eavesdropping scenarios such as man-in-the-middle
   attacks and to make sure they have all the necessary updates to some of
   the latest attacks like [heartbleed](http://en.wikipedia.org/wiki/Heartbleed).
 * I personally have had similar situations with [Better WordPress security](https://wordpress.org/plugins/better-wp-security/).
   Basically less than one day after deploying a new site for a client and setting
   up a new admin account I was also getting brute force login attacks to the account.
   Actually it was within about 3 hours…
 * Hope that helps to alleviate any fear at least from the source code side of things…
 *  Thread Starter [JW555](https://wordpress.org/support/users/jw555/)
 * (@jw555)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/does-duplicator-plugin-grab-admin-data-for-hacking/#post-5154090)
 * I am glad to hear that your code is GPL, that link is to a bunch of folders so
   far all I can find is empty ones. Do you have a link for the source code as a
   whole? Do you use Github or Sourceforge?
 * It was not used on a shared account and the user account was unique for this 
   installation. I always isolate users and sites in this way.
 * It is extremely unlikely as I had the site hidden from Google until it was ready
   to go live with the 3rd Admin.
 * I have been using this ISP for 8 years, they have very high security, never had
   any security issues.
 * A bit lame to blame heartbleed or Better WordPress Security, hackers target people
   who can get them a payback, not some pathetic dev site.
 * “many paths into your system” Many attempted paths but none that will work, as
   I said, there was a 20 minute window and yours was the only plugin active.
 * Looking elsewhere I have seen some saying
 *     ```
       More malware alerts on Duplicator from Wordfence!
   
           This file may contain malicious executable code
           Filename: wp-content/plugins/duplicator/files/installer.rescue.php
           File type: Not a core, theme or plugin file.
           This file is a PHP executable file and contains a line 1074 characters long without spaces that may be encoded data along with functions that may be used to execute that code. If you know about this file you can choose to ignore it to exclude it from future scans.
   
       and a similar one re: length of a line of code!"
       ```
   
 * wordpress.org/support/topic/duplicator-plugin-contains-malware?replies=3
 * This is another one
 *     ```
       On 6-30-11
   
       I used a plugin called Duplicator to move the website http://www.itmentor.net to http://www.ruddytrade.com
   
       As a result, I had to create a new database with password
       My concern is that when the site was duplicated, security may have been comprised.
   
       Itmentor.net has a folder on the server called wp-snapshots
       This contains a zip file of the entire site
   
       on ruddytrade.com I removed the wp-snapshots folder as their were two files inside
   
       network folder
       and a zip file titled 20110630_ruddytrade.zip
   
       The index.php inside the network folder has script from http://www.dynamicdrive.com that appears to send login information to two email addresses.
       ```
   
 * [http://wordpress.org/support/topic/file-permissions-ftp-user-issues?replies=7](http://wordpress.org/support/topic/file-permissions-ftp-user-issues?replies=7)
 * I have now read the post below that says that Duplicator does not restore folder
   permissions, that seems pretty serious as it leaves the site vulnerable. To expect
   users to go through the hundreds of folders and change the permissions is nonsense.
   First they would not know what they should be so they could either prevent things
   from working or leave the site exposed.
 * Is this failure to replicate permission still the case with Duplicator?
 * [http://wordpress.org/support/topic/plugin-duplicator-permission-rights-not-the-same?replies=8](http://wordpress.org/support/topic/plugin-duplicator-permission-rights-not-the-same?replies=8)
 * Glad to see that you at least fixed the error below, but rather than pointing
   the finger at others might you not have first asked whether I might have used
   this vulnerable version of the plugin?
 * [https://www.htbridge.com/advisory/HTB23162](https://www.htbridge.com/advisory/HTB23162)
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [11 years, 10 months ago](https://wordpress.org/support/topic/does-duplicator-plugin-grab-admin-data-for-hacking/#post-5154091)
 * That’s a lot to absorb but this part leaped out at me.
 * > Glad to see that you at least fixed the error below, but rather than pointing
   > the finger at others might you not have first asked whether I might have used
   > this vulnerable version of the plugin?
 * You should always be running the latest version of code for WordPress and plugins.
   If you’re not then you’ll need to take responsibility for that and upgrade right
   now.
 * Regarding the rest: this is a free plugin being supported (also for free) by 
   the author on his own time. If you review your post above, would you be inclined
   to provide support for this topic?
 * Cory’s reply was well written and sometimes security plugins do cause problems
   too. That’s not blaming the security plugins but you need to evaluate the code
   that the security plugin is complaining about.
 * > Do you have a link for the source code as a whole?
 * You can do that via this link.
 * [https://plugins.trac.wordpress.org/browser/duplicator/](https://plugins.trac.wordpress.org/browser/duplicator/)
 * All code hosted in the WordPress repository is available and you can always download
   the plugin and examine the code more directly.
 * [http://downloads.wordpress.org/plugin/duplicator.0.5.6.zip](http://downloads.wordpress.org/plugin/duplicator.0.5.6.zip)
 * >  I have now read the post below that says that Duplicator does not restore 
   > folder permissions, that seems pretty serious as it leaves the site vulnerable.
 * Have you been able to confirm or deny this experience yourself with the current
   version of the plugin? These support topics are meant to be focused on your problem
   and not collect topics from others.
 * The reason I say that is it’s not fair to ask authors to support your problem
   as well as expect them to reply here for all of those other topics.
 *  [Cory Lamle](https://wordpress.org/support/users/corylamleorg/)
 * (@corylamleorg)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/does-duplicator-plugin-grab-admin-data-for-hacking/#post-5154107)
 * Hi [@jw555](https://wordpress.org/support/users/jw555/)
 * I apologize if you got the impression that I’m “trying to point fingers”. The
   point I’m trying to make is that with security there can be many things at play,
   even when you used SSL to perform this migration, hence the reference to heartbleed.
 * I’m not saying that heartbleed “was” the problem but major issues like that left
   unattended can be. I have no idea about your host, I was simply trying to provide
   open ideas. Also your quote:
 * >  hackers target people who can get them a payback, not some pathetic dev site.
 * That is simply not true. I have worked in this industry for over 20 years and
   seen all kinds of “dev sites” hacked including my own, even on what I thought
   was a secure environment. Some of the automated scripts that hackers have today
   are quite lethal and to think that they only target certain systems is exactly
   what they want you to think. Certainly they know that credentials on a dev site
   can be used to gain access to other systems as many users just reuse them…
 * In reference to the Better Security Plugin, I was not placing any blame on that
   plugin, I use the plugin regularly and highly recommend it. I was simply saying
   that its notification system was sending me brute force login attempts very shortly
   after I had performed the exact scenario you had performed. Simply put, what 
   you saw is not always uncommon…
 * > I am glad to hear that your code is GPL, that link is to a bunch of folders
   > so far all I can find is empty ones.
 * All plugins in the WordPress repository are required to be GPL. Jan sent you 
   another link if you can’t see the ones I sent (thanks Jan). The code is also 
   on [GitHub repository](https://github.com/lifeinthegrid/duplicator) as well.
 * In reference to the Malware see the [FAQ](http://lifeinthegrid.com/duplicator-faq)
   for this question “A scanner says that a security issue/malware/threat was detected
   is this valid?” it should address that issue…
 * As far as the issue with the database script being accessed. That is a possibility
   and is why users should follow all the steps at the end of the installer to make
   sure all installer files are removed.
 * Your comment on permissions. The plugin does attempt to set permissions based
   on [WordPress recommendations](http://codex.wordpress.org/Changing_File_Permissions)
   however this is not always possible because the process that PHP runs under may
   not have access to certain [PHP file functions](http://php.net/manual/en/ref.filesystem.php)
   based on the server's configuration. Therefore the attempt to set those permissions
   may not get made if the system doesn’t allow it.
 * The plugin does attempt to secure many aspects of the site that we currently are
   aware of. However users who are using a tool such as this should be aware that
   they may need to double check their setups as they should with any fresh WordPress
   install. This has been stated on the plugin description page and throughout the
   plugin with various notices and warnings. This is an admin tool and requires 
   users to have basic knowledge on how to update files recursively if they have
   to do it manually.
 * As Jan points out we are developers providing a lot of free time and hard work
   to provide the community with free tools. These plugins are not perfect and will
   have issues. This plugin still even has a beta label to show end users that there
   are many items we are trying to get right…
 * While we do our best to improve these plugins and patch issues we can’t make 
   any guarantees that they will work without issues in your environment. I would
   suggest if you're looking for a complete solution that has corporate backing, larger
   budgets and teams to work on the software around the clock then visit [Backup Buddy](http://ithemes.com/purchase/backupbuddy/)
   or a similar commercial product, this way you don’t have to waste your time trying
   to find all the issues wrong with this one. I understand that you feel the plugin
   has somehow compromised your system, however just be open to the fact that many
   WordPress plugins are continually being attacked for exploits on a daily basis
   and there are many possibilities when it comes to a system getting compromised.
 * Thanks…
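
The post-migration checks discussed in the reply above (removing installer files, verifying permissions against the WordPress recommendations), sketched as a shell audit. This is an added example, not part of the thread and not Duplicator's own code; `wp-snapshots` and `installer.rescue.php` are names quoted in this thread, while the `installer*` glob and the function names are assumptions.

```shell
#!/bin/sh
# Post-migration audit: added example, not Duplicator code.
# Names taken from this thread: wp-snapshots, installer.rescue.php.
# ASSUMPTION: other installer leftovers match the glob 'installer*'.
# 755/644 are the WordPress Codex defaults for directories/files.

# Print leftover migration artifacts under a WordPress root.
find_leftovers() {
    find "$1" \( -type d -name 'wp-snapshots' \
        -o -type f -path '*/wp-snapshots/*' \
        -o -type f -name 'installer*' \) -print | sort
}

# Print directories that are not 755 and files that are not 644.
# Stricter modes are listed too, so treat the output as a review list.
find_bad_perms() {
    {
        find "$1" -type d ! -perm 755 -print
        find "$1" -type f ! -perm 644 -print
    } | sort
}

# Print a short report; exit status 1 if anything needs attention.
audit_site() {
    leftovers=$(find_leftovers "$1")
    bad_perms=$(find_bad_perms "$1")
    [ -n "$leftovers" ] && printf 'Leftover migration files:\n%s\n' "$leftovers"
    [ -n "$bad_perms" ] && printf 'Unexpected permissions:\n%s\n' "$bad_perms"
    [ -z "$leftovers" ] && [ -z "$bad_perms" ]
}

# Run only when a WordPress root is given: sh audit.sh /path/to/site
if [ -n "${1:-}" ]; then
    audit_site "$1"
fi
```
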
 *  Thread Starter [JW555](https://wordpress.org/support/users/jw555/)
 * (@jw555)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/does-duplicator-plugin-grab-admin-data-for-hacking/#post-5154115)
 * Well thanks for the comprehensive reply, the site was duplicated at the time when
   your plugin was vulnerable, it only recently started spamming and hacking, hence
   my ticket.
 * The one thing that you failed to mention in your original reply was that there
   was a time last year when you had a vulnerable version.
 * If you had just said “when was this because we had a security issue with the 
   plugin last year that we promptly fixed” I might have just said “Right, good 
   to know”.
 * Trying to blame just about everyone else just confuses the matter.
 *  Thread Starter [JW555](https://wordpress.org/support/users/jw555/)
 * (@jw555)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/does-duplicator-plugin-grab-admin-data-for-hacking/#post-5154116)
 * Thanks
 *  [Cory Lamle](https://wordpress.org/support/users/corylamleorg/)
 * (@corylamleorg)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/does-duplicator-plugin-grab-admin-data-for-hacking/#post-5154119)
 * Fair enough… I apologize for not asking! Will make better note to do that in 
   the future.
 * Cheers~


The topic ‘Does Duplicator plugin grab Admin data for hacking??’ is closed to new
replies.


 * 7 replies
 * 3 participants
 * Last reply from: [Cory Lamle](https://wordpress.org/support/users/corylamleorg/)
 * Last activity: [11 years, 10 months ago](https://wordpress.org/support/topic/does-duplicator-plugin-grab-admin-data-for-hacking/#post-5154119)
 * Status: resolved