This sounds like a problem with your host/server. To the best of my knowledge there are no security holes in the current versions of this plugin and I run it without any issues on quite a few sites.
A site that i’m running, has been hacked twice while using this plugin.
If you have evidence that this plugin was the cause, please E-Mail me directly and I’ll get it fixed. As I said in the last post, there are no known security holes in the plugin.
I’m not going to rifle through your plugin to find a security flaw.
The website that is running this plugin, and a few others was hack to the point that files were uploaded to the site. wp-loader was injected with encrypted php coding, as well as other files.
The second time this happened, i noticed that only one plugin needed updating and that was this one. When i attempted to run an update a notice came back saying that it could not remove the old plugin. I tried to remove the plugin via ftp and SSH access and i still cannot remove the plugin. I kept getting errors saying that i do not have the correct permissions to remove the files.
I am concerned when a plugin demands only root level permission to modify it after an install has been made.
This plugin does not require root level access to modify after it’s installed. If you uploaded the plugin via FTP, then that same FTP user should be able to remove it. If you uploaded it through WordPress, then whatever user that instance of the web server (usually Apache) was running under should be able to remove it.
It’s also running on thousands and thousands of sites, and this is the only instance I’ve ever heard of this happening. It’s much more likely that there is a problem on the server itself. Where are the sites hosted? Can you link to them?
The site is on a shared host located at dreamhost.com
Can you give me the URLs? I have some contacts that DreamHost that may be able to help us look into it, but we need to know what sites to check.
Hi, grickaby,
I took a fast look and you shouldn’t have an permissions issues deleting the files (they’re all owned by you). One thing that jumped out at me was the only folder left is ‘languages’ and it’s got permissions 777 (which is not DreamHost default, nor something I would ever advocate).
The server itself looks clean (status checked out) and I don’t see any tickets opened for that account regarding any hacks, so I can’t tell 100% if it was cleaned up.
Are you getting an error when you try to delete the files by FTP?
I’m getting via FTP and SSH that I do not have the correct permissions to delete the directory.
Here is the ftp log when trying to delete the files:
Command: DELE twitter-widget-pro-it_IT.mo
Response: 250 DELE command successful
Command: DELE twitter-widget-pro-sv_SE.mo
Response: 250 DELE command successful
Command: DELE twitter-widget-pro-it_IT.po
Response: 250 DELE command successful
Command: DELE twitter-widget-pro-ar.mo
Response: 250 DELE command successful
Command: DELE twitter-widget-pro-ar.po
Response: 250 DELE command successful
Command: DELE twitter-widget-pro-es_ES.po
Response: 250 DELE command successful
Command: DELE twitter-widget-pro-da_DK.mo
Response: 250 DELE command successful
Command: DELE twitter-widget-pro.pot
Response: 250 DELE command successful
Command: DELE twitter-widget-pro-es_ES.mo
Response: 250 DELE command successful
Command: DELE twitter-widget-pro-da_DK.po
Response: 250 DELE command successful
Command: DELE twitter-widget-pro-sv_SE.po
Response: 250 DELE command successful
Command: CWD /eighthinch.com/wp-content/plugins/twitter-widget-pro
Response: 250 CWD command successful
Command: PWD
Response: 257 “/eighthinch.com/wp-content/plugins/twitter-widget-pro” is the current directory
Command: RMD languages
Response: 250 RMD command successful
Command: CWD /eighthinch.com/wp-content/plugins
Response: 250 CWD command successful
Command: RMD twitter-widget-pro
Response: 550 twitter-widget-pro: Permission denied
Sorry for the switching of accounts here… I have a brain somewhere.
The permissions on your folders under wp-content are a little messed up and are missing the WRITE permission. They should all be 755
From your wp-content folder you can do this:
chmod 755 themes plugins
That’ll hit the top level folders, and should let WP install plugins and themes. You may also want to go into themes and plugins and reset those folders (I wouldn’t run the command recursively unless you do something like this to make sure you only change directories – http://www.accessdataservices.com/blog/recursively-chmod-directories-only/ )
If that still doesn’t work, do open a ticket.
Also! If you think you’re still having issues with being hacked, please open up a ticket and mention the history, so one of our hack experts can peel back your onion and check.
Thanks for stepping in for the assist Ipstenu. Dreamhost is really lucky to have you (and some of us plugin devs are happy about it too).
