Don’t Use HideMyWP

Quick look: HideMyWP changes URLs: its “Change WordPress permalinks” option, plus the URLs for plugins and administrative pages. Whoop-tee-doo.

Hackers who get in through a server-level security breach don’t use a URL; they are already inside the security system.

Hackers who get in through a bad plugin know the internal location the plugin runs from (PHP tells it that as a matter of course), and they can get the location of every other plugin with a single database query; they too are already inside the security system.
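As an added illustration of the “single database query” point (this is example code, not from the original post or the HideMyWP project): the `active_plugins` row in `wp_options` is a PHP-serialized list of plugin paths, and anyone reading it, whether an incident responder reviewing a database dump or plugin code running inside the site, can turn it into real filesystem locations that no URL rewrite changes. The sample row and the plugin directory below are constructed/assumed values.

```python
from __future__ import annotations
import re

# Constructed sample of the wp_options row that lists active plugins.
# In a real database it comes from:
#   SELECT option_value FROM wp_options WHERE option_name = 'active_plugins';
# PHP serialize() layout: a:<count>:{i:<idx>;s:<bytelen>:"<value>";...}
SAMPLE_ACTIVE_PLUGINS = (
    'a:3:{i:0;s:19:"akismet/akismet.php";'
    'i:1;s:25:"hide-my-wp/hide-my-wp.php";'
    'i:2;s:41:"better-wp-security/better-wp-security.php";}'
)

# Assumed default plugin directory of a stock install; adjust per site.
DEFAULT_PLUGIN_DIR = "/var/www/html/wp-content/plugins"


def parse_php_string_array(blob: str) -> list[str]:
    """Decode a PHP-serialized array of strings (the active_plugins layout).

    Uses each string's declared byte length instead of scanning for a closing
    quote, so values containing quotes or slashes are read correctly."""
    data = blob.encode()  # PHP lengths are byte lengths, so work on bytes
    head = re.match(rb'a:(\d+):\{', data)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, pos, items = int(head.group(1)), head.end(), []
    for _ in range(count):
        tok = re.match(rb'i:\d+;s:(\d+):"', data[pos:])
        if not tok:
            raise ValueError(f"unexpected token at byte {pos}")
        start = pos + tok.end()
        length = int(tok.group(1))
        items.append(data[start:start + length].decode())
        pos = start + length
        if data[pos:pos + 2] != b'";':
            raise ValueError(f"bad string terminator at byte {pos}")
        pos += 2
    if data[pos:pos + 1] != b"}":
        raise ValueError("missing closing brace")
    return items


def plugin_locations(blob: str, plugin_dir: str = DEFAULT_PLUGIN_DIR) -> dict[str, str]:
    """Map each active plugin's slug to the real path of its main file.

    These are filesystem paths; rewriting the public URL prefix (e.g. to
    /modules/<hash>/) leaves them exactly where they are."""
    return {entry.split("/", 1)[0]: f"{plugin_dir}/{entry}"
            for entry in parse_php_string_array(blob)}


if __name__ == "__main__":
    for slug, path in plugin_locations(SAMPLE_ACTIVE_PLUGINS).items():
        print(f"{slug:20} {path}")
```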

HideMyWP thinks that’s “good security”. The site says, “This means you can install unsafe plugins without worry about security.” — they are lying or incompetent. An unsafe plugin can change the content of your posts, pages and comments, ruin your database, install malware, collect your user names and passwords, send out emails, and so on.

The “Better WP Security” plugin has a “Hide WordPress Backend” feature as a tiny part of the security it provides, and treats it as optional.

I refuse to install unknown “security” plugins like HideMyWp.

Below is what a free check by a reputable site-checking and malware-removal company found about their site:

Ah, they have /wp-login.php?hide_my_wp=1234 instead of /wp-login.php, they still have /wp-admin/, theme files under /template/main.css, some kind of plugin modules in /modules/0f6a208e/shortcodes.php, and I know where jQuery is: /lib/js/jquery/jquery.js. Their media goes in /file/2010/08/test-image-landscape.jpg. That’s plenty for hackers to start probing.

Web Server Details
Scan for: http://wpwave.com
Hostname: wpwave.com
IP address: 192.241.141.239

System Details:
Running on: Apache/2.2.22
System info: (Ubuntu)
Powered by: PHP/5.4.6-1ubuntu1.3

