20 May

How To Respond If Your Web Host Says Your Website Was Hacked Through A WordPress Plugin

One of the things we do to make sure we provide the best data on new vulnerabilities in WordPress plugins is to monitor the wordpress.org support forum for threads discussing them. In doing that, we have been seeing a lot of people reporting that plugins have vulnerabilities based on claims made by web hosts. Most of those threads don’t end up having any impact and some end up being very unproductive.

If your web host is telling you that you were hacked through a WordPress plugin here are things you should know and do:

There Is A Good Chance Your Web Host is Wrong

In dealing with lots of hacked websites over the years, we have found that web hosts are often wrong about the source of the hacking. This seems to be largely due to them making claims as to the source without doing any checking at all. For example, we have seen instances where they claimed the website was hacked due to outdated software, even when the software on the website had been up to date for some time. Another frequent issue we see is that web hosts will claim the hack was caused by whatever software is located in the directory they find a malicious file in, as in this case we saw recently in the support forum:

Anyway… in contacting tech support they provided this information:

“had a file at /public_html/wpnew/wp-content/plugins/word-stats/xml38.php

That seemed to be causing that redirect issue. I’ve removed this file. It was added at 2016-04-18 04:57

Likely, this is a vulnerability in the word-stat plugin.”

The problem with this is that hackers often place their malicious files in random locations, so there isn’t a strong correlation between the location and the source. (In some cases the location is a good indication, for example if the plugin is known to have a file upload vulnerability in the installed version and you find the malicious file in the directory where the plugin places uploaded files.)

Ask For Evidence

If a plugin is actually the source, then your web host should be able to provide evidence of that. Normally that would be log file entries showing the exploitation happening. That information will also be important for the plugin developer to determine what is going wrong and how it can be fixed.
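
A sketch of the kind of log evidence to ask for, added here as an example (not the host's or this post's own tooling): it pulls out requests that could have written the file in the minutes before the timestamp the host gave, and separates those that touched the blamed plugin's directory from those that did not. The log lines are constructed, `example-uploader` is a hypothetical plugin name, and the timestamp is assumed to be UTC with the site served from `/wpnew/`.

```python
import re
from datetime import datetime, timedelta, timezone

# Combined-log-format lines constructed for this example (documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2016:04:12:03 +0000] "GET /wpnew/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Apr/2016:04:56:58 +0000] "POST /wpnew/wp-content/plugins/example-uploader/upload.php HTTP/1.1" 200 41 "-" "curl/7.47"
198.51.100.23 - - [18/Apr/2016:04:57:01 +0000] "GET /wpnew/wp-content/plugins/word-stats/xml38.php HTTP/1.1" 200 12 "-" "curl/7.47"
203.0.113.7 - - [18/Apr/2016:09:30:00 +0000] "POST /wpnew/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# From the host's message: where the file was found and when it was added.
FILE_URL = "/wpnew/wp-content/plugins/word-stats/xml38.php"
FILE_ADDED = datetime(2016, 4, 18, 4, 57, tzinfo=timezone.utc)  # UTC assumed

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(log_text):
    """Yield one dict per line that matches the combined log format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # silently skip lines in any other format
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield {**m.groupdict(), "ts": ts, "status": int(m["status"])}

def evidence(log_text, file_url, file_added, suspected_dir, window_minutes=10):
    """Group requests that could explain how file_url appeared."""
    start = file_added - timedelta(minutes=window_minutes)
    end = file_added + timedelta(minutes=1)  # host gave minute precision only
    report = {"writes_to_suspect": [], "writes_elsewhere": [], "hits_on_file": []}
    for e in parse(log_text):
        if e["path"].split("?")[0] == file_url:
            report["hits_on_file"].append(e)      # someone used the dropped file
        elif (e["method"] in ("POST", "PUT") and e["status"] < 400
              and start <= e["ts"] <= end):
            key = ("writes_to_suspect" if suspected_dir in e["path"]
                   else "writes_elsewhere")
            report[key].append(e)                 # candidate write request
    return report

if __name__ == "__main__":
    result = evidence(SAMPLE_LOG, FILE_URL, FILE_ADDED, "/plugins/word-stats/")
    for group, entries in result.items():
        for e in entries:
            print(group, e["ts"].isoformat(), e["ip"], e["method"], e["path"])
```

An empty `writes_to_suspect` list alongside entries in `writes_elsewhere` is the situation described above: the file sits in one plugin's directory, but nothing in the logs shows that plugin being the way in.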

Report The Vulnerability the Right Way

You should either contact the developer directly if possible (instead of through the forum) or report the issue to the Plugin Directory, and they will get in touch with the developer for you. If you are not sure whether it is a vulnerability, you can always get in touch with us and we will double check it for you.