We feel that a blog post is needed to explain why one of our plugins is on the Wordfence's plugin most hacked list.
An S3Bubble plugin is listed on the most hacked plugin list in 2017. Now as you can imagine this doesn't do us any favors but we would like to set the record straight.
In 2014 we built a plugin and used a video player from code canyon called the Ultimate video player we used the full code and a file was uploaded to the svn that made the hack possible it was a upload.php file this was removed immediately no fault of the dev at Ultimate video player.
The plugin only ever had 10 active installs 2 years ago and was shut down straight away but it seems it has come back to bite us on the arse.
Our users are confusing this old plugin with our main plugin. https://s3bubble.com/forums/topic/are-you-aware-of-this-re-wordfence-plugin-alert/ which is understandable.
Our main plugin is called S3Bubble Amazon Web Services Media Streaming and you can find our full code here.
Here is the plugin link: https://en-gb.wordpress.org/plugins/s3bubble-amazon-web-services-oembed-media-streaming-support/
We contacted Wordfence about the issue and we hoestly dont know where else to go here is the full conversation.
Can you please remove our plugin from this list.
This plugin has been removed for nearly over 2 years now and we just had a user saying it is showing the March most hacked plugins list it only had 10 Active installs & we update 2 years ago.
People are now confusing this with our service. It is affecting our service please I hope you can remove this as soon as possible.
Thanks for reaching out to us. Our monthly attack report is based on real data, so those attacks are happening. It's likely that they are attacking an old version that had a vulnerability, trying to find sites running out of data software. We'll update our post to remind people of that fact.
Thanks for your response that plugin only ever had 10 active installs and hasn't been updated for over 2 years.
When you say they are attacking an old version does this mean one of the 10 people that installed it, just our users are confusing this with our main plugin?
That is odd. I took a closer look at the data and can share a couple of things. The attack requests all look very similar, trying to download the wp-config.php file from the web server. They are originating from a wide variety of IP addresses. I'm only speculating here, but it seems likely that someone added the exploit to a list that is being shared among attackers or something. I hope that helps.
Thanks for taking a look when you state this.
The attack requests all look very similar, trying to download the wp-config.php file from the web server.
Can you suggest ways to resolve this, I had a user today stating that the plugin was one 12th on your March most hacked list for this year, I had completely forgotten about that plugin, to be honest, its so old and we remove all the data only 10 installs and over 2 years old and it number 12 for your most hacked plugins this year I'm just confused.
I have spoken to WordPress and they are going to fully remove it from the repo. It must be working from very old data I would really like to resolve this.
Then radio silence nothing back...
So our hands are tied but we can assure you that our main plugin is completely safe and has no known issue and is updated regularly.