Plugin developer who vents his anger by hacking into WordPress sites

I’m posting this here because I’d like some feedback, and this subject isn’t allowed anywhere on the WP Forum.

After a lot of searching, I finally paid for a plugin that I really needed. I tried all the free versions, without success. The professional version looked well put together. It was expensive – $36 – but it would have solved a lot of issues, so I paid the money. It is a well written plugin, but I did have a suggestion for the developer, so I went to the plugin homepage, and found that there is no way to get in touch with him unless you pay an additional almost $40 for six months of support. Every possible email link just dumps you back to the page where you have to pay for support. So even if you have a very basic question about installation, you’re stuck unless you shell out more money. There is online documentation, but it is less than complete and often unclear. The developer is in Germany, and the site is available both in German and English. I speak German fluently, and read both versions, but there was no additional or clearer help on the German side of things.

This all strikes me as misleading advertising on the part of the developer. It would be better business practice to charge more for the plugin and include some kind of basic service. The way it works now, you pay your money and the door shuts in your face.

So at this point I went onto the WP site to write a review for the plugin. I said there what I’ve said here – well written, works the way it’s supposed to, too little documentation, and a really questionable support policy that verges on the unethical. The developer flagged my review, but the mod left a comment saying that the review was plain spoken, but not abusive.

This is where the fun begins

Within the hour, my WP installation had been hacked. The plugin in question, and all files and the mysql dbs associated with the plugin, disappeared. About three days’ worth of writing, images, etc., just gone. I did have a backup, and I restored. Within five hours the exact same thing happened. I called my hosting service – bluehost.com – and they helped me get things restored. They also strongly suggested SiteLock and other security measures. I reinstalled WP, and was in the process of setting up SiteLock when my whole directory was wiped clean. Everything, not just the WP installation, gone. Before you ask: I’m on a mac, but I scanned for malware and viruses anyway, and came up clean.

The support person at bluehost.com was pretty impressed by this hacker’s determination to teach me a lesson.

All the rest of the directory restored without a problem, but the WP installation is proving more difficult. Trying to start over from scratch and do a clean install, I ran into errors that the bluehost people are looking at now. It may be a long time before I get this all working again, and at this point I think I have lost those three days of work for good.

I went back to my WP Forum review of the plugin and added some information about what had happened. The mod deleted everything. Because it’s a plugin you pay for, you can’t discuss it anywhere on that forum. You can’t warn people about the business practices, you can’t ask if anyone else has had similar experiences. I would have liked to send the mod a private message with information from bluehost which makes it clear that the plugin developer in question is the person who did all this with what the bluehost support person said was almost a hundred percent certainty. But you can’t private message mods, or at least, I can’t see a way to do it.

The internet is still very much the wild west, and I know there’s nothing I can do to the developer. He’s in Germany. There’s no agency that will go after him, so he’s free to hack away at me because I dared to point out a problem with his business practices. This is actually something that impacts on my living, as social marketing is crucial to publishing fiction these days. But it seems there should be some kind of central database where people could leave reviews. Now I’ve written down the whole story. Maybe I’ll be able to get back to work and start reconstructing the mess I paid $36 for. The plugin, because you will be wondering, is Encyclopedia Pro.

Wow! I’d rather spend an hour of my own time writing my own plugin than pay that much for something like that to happen.

So you’re saying that after you restored your site using backups, with that plugin removed, your site was again soon non-functional?

Unfortunately I don’t have the skills to write even a simple plugin on my own, and in fact I don’t mind paying somebody who does good work. But this is clearly someone who is willing to go to great lengths for revenge. And yes, the site is still non-functional. They haven’t figured out why, yet. I find it disturbing that there’s no way to warn people about this kind of behavior.

Change your FTP passwords ASAP just in case the person has knowledge of them. If that plugin was using a separate MySQL user from the main WordPress install, disable or delete that MySQL user that the plugin was using. If you weren’t getting any other traffic from the person’s IP address, maybe ask your host if they could deny access to your site from that person’s IP address.

Thank you, SpacePhoenix, for the good suggestions. All passwords – ftp, mysql, wordpress, cpanel – were changed after the second hacking incident. The mysql databases were deleted entirely.

Maybe I should change the passwords again, just to be sure.

I just don’t understand someone who would go to the time and trouble to do all this.

Have you examined your logs to see how you are being attacked and where the IP address of the attacker is coming from? If you are being hacked by the plugin developer, some sort of back door should be evident in the code, or something clearly obfuscated to make it difficult to determine what is happening. Did you look at the PHP code of the plugin? Did you try reinstalling without the plugin and see if you still get hacked?

You should check if any of the code looks weird in the plugin, like some obscured code or some code which somehow has some link to some IP / developer’s website. If the developer has really done that, all people having paid plugins should be really a worried lot, because paid plugins come directly from the developer rather than via the WordPress repository. What this means is there are no checks of any sort for these plugins. A developer could create a wonderful free plugin and put it on the WordPress repository. Then for some basic required features they could say you need to purchase a plugin. That could even contain malicious code which stays dormant, but in case you face any issue and raise a complaint the developer could remotely modify the site. This also means that it’s a bug / security loophole being made available via WordPress. This means even WordPress developers should take note of this issue, because if a plugin developer is able to wipe out an entire website remotely (not just the plugin folder but other folders of the WordPress installation), this is a huge security loophole left out by WordPress developers. Thank you very much for bringing out this issue and hopefully someone will take note of it.
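The two replies above suggest reading the plugin’s PHP for obfuscated or remote-calling code and checking the access logs for the attacker’s IP. The script below is an added example of how a site owner could do both, offline, before handing anything to the host; it is not code from the thread, from the plugin, or from WordPress. The PHP file, the plugin path (`/blog/wp-content/plugins/example-plugin/`), the file name `api.php` and the log lines are all constructed sample data, and the IP addresses come from the documentation ranges. The pattern matches are prompts for a human to read those lines, not proof of a backdoor.

```python
"""Added example: two defender-side checks after a suspected plugin backdoor.

scan_php_source()  - flag PHP lines that use common obfuscation/remote-control
                     idioms (eval of a decoded blob, hard-coded remote fetch,
                     file deletion) so a reviewer knows where to look first.
requests_by_ip()   - summarise Apache/nginx-style access-log lines by client
                     IP, optionally only for requests touching the plugin path,
                     giving the host a concrete address to consider blocking.

Everything below is constructed sample data for this example.
"""
import re
from collections import Counter

# (label, pattern). Order matters only for the order findings are reported in.
SUSPICIOUS_PATTERNS = [
    ("eval of a decoded/obfuscated string",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("request parameter passed straight to code/shell execution",
     re.compile(r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("hard-coded fetch from a remote host",
     re.compile(r"\b(?:file_get_contents|curl_init|fopen|fsockopen)\s*\(\s*['\"]https?://", re.I)),
    ("very long base64-looking literal",
     re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")),
    ("file deletion call (check what controls the path)",
     re.compile(r"\b(?:unlink|rmdir)\s*\(", re.I)),
]


def scan_php_source(source):
    """Return [(line_no, label, stripped_line)] for every pattern hit.

    Lines that are clearly comments are skipped so that documentation
    mentioning eval() does not produce noise.
    """
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        for label, pat in SUSPICIOUS_PATTERNS:
            if pat.search(line):
                findings.append((no, label, stripped))
    return findings


# Constructed sample plugin file (not the real plugin's code). Line 12 carries a
# 160-character base64 blob that decodes to harmless "ABCABC..." filler.
SAMPLE_PLUGIN_PHP = (
    "<?php\n"
    "/* Constructed sample plugin file for this example; not the real plugin. */\n"
    "add_action('init', 'ep_init');\n"
    "function ep_init() {\n"
    "    $opts = get_option('ep_settings');\n"
    "    $tpl  = file_get_contents(__DIR__ . '/tpl.html');  // local read, not flagged\n"
    "    $chk  = file_get_contents('https://updates.example.invalid/check');\n"
    "}\n"
    "function ep_cleanup($dir) {\n"
    "    foreach (glob($dir . '/*') as $f) { unlink($f); }\n"
    "}\n"
    "eval(base64_decode('" + "QUJD" * 40 + "'));\n"
)

# Apache "combined" log format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def requests_by_ip(log_lines, path_prefix=None):
    """Count requests per client IP; with path_prefix, only requests under that path."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:              # unparseable line: skip rather than crash on a dirty log
            continue
        if path_prefix and not m.group("path").startswith(path_prefix):
            continue
        counts[m.group("ip")] += 1
    return counts


# Constructed log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
PLUGIN_PATH = "/blog/wp-content/plugins/example-plugin/"
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Mar/2015:09:01:12 +0000] "GET /blog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2015:09:01:15 +0000] "GET /blog/wp-content/themes/x/style.css HTTP/1.1" 200 811 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2015:09:40:02 +0000] "GET ' + PLUGIN_PATH + ' HTTP/1.1" 200 0 "-" "curl/7.38"',
    '198.51.100.7 - - [10/Mar/2015:09:40:03 +0000] "POST ' + PLUGIN_PATH + 'api.php HTTP/1.1" 200 14 "-" "curl/7.38"',
    '198.51.100.7 - - [10/Mar/2015:09:40:09 +0000] "POST ' + PLUGIN_PATH + 'api.php HTTP/1.1" 500 0 "-" "curl/7.38"',
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for no, label, text in scan_php_source(SAMPLE_PLUGIN_PHP):
        print(f"line {no}: {label}\n    {text[:70]}")
    print("requests under plugin path:", dict(requests_by_ip(SAMPLE_ACCESS_LOG, PLUGIN_PATH)))
```

On a real install you would feed `scan_php_source()` each `.php` file under `wp-content/plugins/<plugin>/` and `requests_by_ip()` the raw access log your host exports; the point of restricting the count to the plugin path is that an address that only ever talks to that one directory, with a non-browser user agent, is the kind of evidence a host can act on.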

Personally, as soon as I noticed the guy provides no direct method of contact, I would not have purchased the plugin in the first place. Seriously, how do you ask him pre-sales questions, there’s not even a contact form? As for the support issue, TBH that’s very clear on his site - the standard license is just for a year of updates, no support. Yes that’s a rubbish policy but it’s not hidden so I wouldn’t agree with your claim that it’s ‘unethical’; if he chooses to provide no free support that’s his decision (as long as he states this before purchasing, which he does).

FYI, if you do need to contact him, he does have a contact email in his whois records plus a mailing address on his site. Regarding the hacking, I would be very careful about accusing the developer of any involvement until you have solid proof.