Title: Plugin was compromised
Last modified: September 13, 2016

---

# Plugin was compromised

 *  Resolved [bcmedia](https://wordpress.org/support/users/bcmedia/)
 * (@bcmedia)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/plugin-was-compromised/)
 * Hi
 * My website was recently hacked and a load of spam pages appeared on my website.
   When we investigated the root cause, it appears the stop spammer plugin had been
   the cause.
 * The following files were compromised:
    * ./wp-content/plugins/stop-spammer-registrations-plugin/includes/stop-spam-utils.php
    * ./wp-content/plugins/stop-spammer-registrations-plugin/settings/kpg_ss_allowlist_settings.php
    * ./wp-content/plugins/stop-spammer-registrations-plugin/settings/kpg_ss_challenge.php
    * ./wp-content/plugins/stop-spammer-registrations-plugin/settings/kpg_ss_denylist_settings.php
    * ./wp-content/plugins/stop-spammer-registrations-plugin/settings/kpg_ss_options.php
    * ./wp-content/plugins/stop-spammer-registrations-plugin/settings/kpg_ss_summary.php
    * ./wp-content/plugins/stop-spammer-registrations-plugin/settings
 * My hosting company now thinks your plugin is malware! Can you advise on how this
   might have happened?
 * Many thanks
    Craig

Viewing 8 replies - 1 through 8 (of 8 total)

 *  Plugin Contributor [Keith P. Graham](https://wordpress.org/support/users/kpgraham/)
 * (@kpgraham)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/plugin-was-compromised/#post-8179868)
 * I wrote the plugin and it is not malware.
 * It has been available on the WordPress repository since 2010, and has many thousands
   of users. The source code is available for all to inspect.
 * Please let me know some more specifics. What kind of malware? What program found
   the malware?
 * Keith P. Graham.
 *  Thread Starter [bcmedia](https://wordpress.org/support/users/bcmedia/)
 * (@bcmedia)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/plugin-was-compromised/#post-8179927)
 * Hi Keith
 * Thank you for the response – apologies I didn’t mean to be so blunt sounding
   (this is maybe the 100th email/message I’ve written today, such is modern life).
 * There was an ajax.php file in the root plus the files mentioned above which were
   compromised. When I looked through Stop Spammer I noted this as well – [https://s10.postimg.org/5do0w94jt/keith_breach.jpg](https://s10.postimg.org/5do0w94jt/keith_breach.jpg)
 * Initially no scans noticed anything. It was when I did a site: index check on
   Google I noticed a lot of spam pages such as [https://s10.postimg.org/5ri6vuyzt/image.png](https://s10.postimg.org/5ri6vuyzt/image.png)
 * I was quite perplexed when the hosting company suggested the plugin was the cause!
   But I felt it was worth highlighting in case it was an issue you may have previously
   encountered.
 * Last thing, I’ve got the compromised files if you would want to review them. 
   I’ve hopefully removed them from the live site but I’ve got archived copies.
 * I suppose the last point worth noting is that the site was updated to 4.6 about
   2 months ago.
 * Kind Regards
    Craig
 *  Plugin Contributor [Keith P. Graham](https://wordpress.org/support/users/kpgraham/)
 * (@kpgraham)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/plugin-was-compromised/#post-8179947)
 * The image is obviously out of place and is not normally a part of the plugin.
 * The problem now becomes how was the plugin compromised. I am concerned that the
   plugin was not chosen at random. Either there is a vulnerability on the plugin
   that I am not aware of, or it was chosen for a reason.
 * All the programs in “settings” are only visible by the sysop. The file in “includes”
   only kicks off if there is a post or login. The plugin must be very altered for
   these files to be used in malware.
 * Please keep me informed, and I will search for exploits involving the plugin.
 * Thanks,
 * Keith
 *  Thread Starter [bcmedia](https://wordpress.org/support/users/bcmedia/)
 * (@bcmedia)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/plugin-was-compromised/#post-8183702)
 * Hi
 * I reinstalled your plugin last night after cleaning the website. Guess what? 
   The hack has come back! I’m wondering if the wordpress plugin page is redirecting
   me to a similar site
 *  Plugin Contributor [Keith P. Graham](https://wordpress.org/support/users/kpgraham/)
 * (@kpgraham)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/plugin-was-compromised/#post-8184095)
 * I checked the version on the wordpress plugin repository and the beta version
   on my website. Neither is infected.
 * Your website must be infected. Something has really gone bad.
 * I am concerned that it is infecting my plugin.
 * What software is reporting the infection?
 * Keith
 *  [Kimbert](https://wordpress.org/support/users/kimbert/)
 * (@kimbert)
 * [9 years, 8 months ago](https://wordpress.org/support/topic/plugin-was-compromised/#post-8190770)
 * my website has been hacked too
 * was thinking of downloading this plugin because I liked it before but now I
   am very leery to do so
 * I keep on cleaning up my server but someone always comes behind me and rechanges
   it.
 * going mad !
 *  Plugin Contributor [Keith P. Graham](https://wordpress.org/support/users/kpgraham/)
 * (@kpgraham)
 * [9 years, 8 months ago](https://wordpress.org/support/topic/plugin-was-compromised/#post-8191157)
 * Please delete the plugin if you are the least worried about it.
 * The version on the wordpress.org website and the version on my website are not
   hacked.
 * There are other solutions to the spam problem and you could try them.
 * Keith
 *  Thread Starter [bcmedia](https://wordpress.org/support/users/bcmedia/)
 * (@bcmedia)
 * [9 years, 8 months ago](https://wordpress.org/support/topic/plugin-was-compromised/#post-8192058)
 * Hi Keith
 * I don’t think your plugin was the source of the hack & after closer inspection
   it transpires the hack had a trigger which injected the DB after I cleaned it.
 * The only fix was to rebuild the website as the back ups were all compromised.
 * Thank you for your patience.
 * Craig
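
The comparison discussed in this thread (installed plugin files versus the clean copy in the repository, plus a file that "is not normally a part of the plugin") can be done mechanically. The following is an added example, not part of the thread or of the plugin's code: it hashes an installed plugin directory against a clean reference copy and lists modified, unexpected and missing files. The directory layout, file contents and `extra.jpg` in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(installed, pristine):
    """Compare an installed plugin directory with a clean reference copy."""
    have, want = tree_hashes(installed), tree_hashes(pristine)
    return {
        "modified": sorted(f for f in have if f in want and have[f] != want[f]),
        "unexpected": sorted(f for f in have if f not in want),
        "missing": sorted(f for f in want if f not in have),
    }


def demo():
    """Constructed sample: a clean tree and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        files = {
            "includes/stop-spam-utils.php": b"<?php // original utils\n",
            "settings/kpg_ss_options.php": b"<?php // original options\n",
            "readme.txt": b"constructed readme\n",
        }
        for base in (clean, live):
            for rel, body in files.items():
                target = base / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(body)
        # Simulate tampering: one file altered, one that does not belong, one removed.
        (live / "settings/kpg_ss_options.php").write_bytes(b"<?php // altered\n")
        (live / "settings/extra.jpg").write_bytes(b"not part of the release")
        (live / "readme.txt").unlink()
        return compare_trees(live, clean)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

A clean result here covers files only; in this thread the reinfection came from the database, which this check does not inspect.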


The topic ‘Plugin was compromised’ is closed to new replies.

 * 9 replies
 * 3 participants
 * Last reply from: [Kimbert](https://wordpress.org/support/users/kimbert/)
 * Last activity: [9 years, 8 months ago](https://wordpress.org/support/topic/plugin-was-compromised/#post-8195652)
 * Status: resolved