Title: Plugin was hacked
Last modified: March 30, 2018

---

# Plugin was hacked

 *  Resolved [twellibaum](https://wordpress.org/support/users/twellibaum/)
 * (@twellibaum)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/plugin-was-hacked-2/)
 * Shortly after installing this plugin, our site was hacked… [Lack of security 
   measures on our part, for sure, but thought I might warn others here that hackers
   might target this plugin]
 * Wordfence:
   Filename: wp-content/plugins/google-analytics-for-wordpress/includes/admin/tracking.php
   File Type: Plugin
   Details: This file appears to be installed or modified by a hacker to perform malicious
   activity. If you know about this file you can choose to ignore it to exclude it from
   future scans. The text we found in this file that matches a known malicious file is:
   ${"\x47\x4c\x4fB\x41\x4c\x53"}. The infection type is: A backdoor known as kidslug.
    -  This topic was modified 8 years, 2 months ago by [twellibaum](https://wordpress.org/support/users/twellibaum/).

Viewing 7 replies - 1 through 7 (of 7 total)

 *  Plugin Author [chriscct7](https://wordpress.org/support/users/chriscct7/)
 * (@chriscct7)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/plugin-was-hacked-2/#post-10130645)
 * Hi there,
   The kidslug backdoor is mostly utilized by a series of automated malware
   attack platforms. What they do is target installs of WordPress with weak passwords
   or with out-of-date copies of specific types of plugins, particularly ones like
   Revslider. After gaining access through an existing security bug, they implant
   the code above to help output the PHP superglobal $globals. For them they'd
   want to put it on a frontend file, and our tracking file would be an easy place
   to do that because it outputs on the frontend.
 * In this case, MonsterInsights itself was never hacked; they just used the plugin
   editor system built into WordPress. On the contrary, due to its popularity and
   use in many high-traffic (Fortune 500) sites, MonsterInsights regularly undergoes
   complete security audits, both internal and external.
 * We recommend websites use a WAF like Sucuri (they can also help clean up and 
   investigate this type of thing) that can block a lot of the automated WordPress
   attacks automatically, and to enforce strong passwords for WordPress accounts.
 * -Chris
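An added detection example, not code from this thread or from MonsterInsights: it finds the obfuscated form Wordfence quoted above by decoding the escapes PHP resolves inside a double-quoted `${"..."}` variable-variable and reporting any that resolve to a superglobal name. The two PHP fragments are constructed samples.

```python
import re

# Constructed sample fragments (not from the thread): one using the escaped
# ${"\x47\x4c\x4fB\x41\x4c\x53"} form quoted by Wordfence, one benign.
SAMPLE_INFECTED = r'''<?php
$g = ${"\x47\x4c\x4fB\x41\x4c\x53"};
echo $g['_POST']['cmd'];
'''
SAMPLE_CLEAN = r'''<?php
echo $GLOBALS['wp_version'];
'''

# PHP "variable variable" syntax with a double-quoted string body: ${"..."}
VARVAR_RE = re.compile(r'\$\{\s*"((?:[^"\\]|\\.)*)"\s*\}')
# Escapes PHP resolves inside double-quoted strings: \xNN, octal \NNN, \n, \t, \\ ...
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\(.)')
SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "f": "\f", "e": "\x1b"}
SUPERGLOBALS = {"GLOBALS", "_GET", "_POST", "_REQUEST", "_COOKIE",
                "_SERVER", "_FILES", "_ENV", "_SESSION"}

def decode_php_string(body: str) -> str:
    """Decode a PHP double-quoted string body the way the PHP parser would."""
    def sub(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))   # \xNN hex escape
        if m.group(2) is not None:
            return chr(int(m.group(2), 8))    # \NNN octal escape
        return SIMPLE_ESCAPES.get(m.group(3), m.group(3))
    return ESCAPE_RE.sub(sub, body)

def find_obfuscated_superglobals(php_source: str) -> list:
    """Return (line_no, raw_match, decoded_name) for every ${"..."} whose
    escaped body decodes to a superglobal name, i.e. a literal written with
    escapes so that a plain-text search for $GLOBALS would not see it."""
    hits = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for m in VARVAR_RE.finditer(line):
            decoded = decode_php_string(m.group(1))
            if decoded in SUPERGLOBALS and decoded != m.group(1):
                hits.append((line_no, m.group(0), decoded))
    return hits

if __name__ == "__main__":
    for name, src in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, find_obfuscated_superglobals(src))
```

Run it over the files a scanner flags to see where the decoded reference sits; an unescaped `${"GLOBALS"}` is deliberately not reported, since only the escaped form is evasive.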
 *  Thread Starter [twellibaum](https://wordpress.org/support/users/twellibaum/)
 * (@twellibaum)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/plugin-was-hacked-2/#post-10130656)
 * Thanks for the quick response. I like your plugin, and will reinstall it once
   our site is cleaned and secured.
 *  Plugin Author [chriscct7](https://wordpress.org/support/users/chriscct7/)
 * (@chriscct7)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/plugin-was-hacked-2/#post-10130664)
 * Not a problem!
 * If you'd like a checklist to help follow, our company also runs WPBeginner and
   we maintain a comprehensive checklist of essential tasks to perform to keep your
   site secure, which we update every few months: [http://www.wpbeginner.com/wordpress-security/](http://www.wpbeginner.com/wordpress-security/)
 * -Chris
    -  This reply was modified 8 years, 2 months ago by [chriscct7](https://wordpress.org/support/users/chriscct7/).
 *  Plugin Author [chriscct7](https://wordpress.org/support/users/chriscct7/)
 * (@chriscct7)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/plugin-was-hacked-2/#post-10130665)
 * – wp.org double posted the above reply –
    -  This reply was modified 8 years, 2 months ago by [chriscct7](https://wordpress.org/support/users/chriscct7/).
 *  [wiredafrican](https://wordpress.org/support/users/wiredafrican/)
 * (@wiredafrican)
 * [8 years ago](https://wordpress.org/support/topic/plugin-was-hacked-2/#post-10352883)
 * Hello Chriscct7 and twellibaum
 * Have you guys found a way to stop them using the plugin editor system built into
   WordPress?
   We are also being plagued by this $globals hack with kidslug and
   another one that Wordfence picks up (can't remember what the other is called).
 * Would luuuuuve to stop these guys!
 * Thanks.
 *  Plugin Author [chriscct7](https://wordpress.org/support/users/chriscct7/)
 * (@chriscct7)
 * [8 years ago](https://wordpress.org/support/topic/plugin-was-hacked-2/#post-10353361)
 * You can disable those editors [http://www.wpbeginner.com/wp-tutorials/how-to-disable-theme-and-plugin-editors-from-wordpress-admin-panel/](http://www.wpbeginner.com/wp-tutorials/how-to-disable-theme-and-plugin-editors-from-wordpress-admin-panel/)
 *  [goatherd999](https://wordpress.org/support/users/goatherd999/)
 * (@goatherd999)
 * [7 years, 12 months ago](https://wordpress.org/support/topic/plugin-was-hacked-2/#post-10394979)
 * I was hacked yesterday and MonsterInsights was installed, and I then got this
   message from WP:
   Warnings:
   * The Plugin "Google Analytics for WordPress by MonsterInsights" needs an upgrade
     (6.2.6 -> 7.0.6).
 * [https://wordpress.org/plugins/google-analytics-for-wordpress/#developers](https://wordpress.org/plugins/google-analytics-for-wordpress/#developers)
 * !!!! Also two other files installed, xxx.php and db.php.
   So be warned…
 * BTW I went to apply your code for wp-config and it was already there… so obviously
   it doesn't work.
    -  This reply was modified 7 years, 12 months ago by [goatherd999](https://wordpress.org/support/users/goatherd999/).

The topic ‘Plugin was hacked’ is closed to new replies.

 * 7 replies
 * 4 participants
 * Last reply from: [goatherd999](https://wordpress.org/support/users/goatherd999/)
 * Last activity: [7 years, 12 months ago](https://wordpress.org/support/topic/plugin-was-hacked-2/#post-10394979)
 * Status: resolved