URGENT – Lost access to our website

Hi There,

Thank you for contacting us and sorry for the inconvenience it caused you.

As you said you are using WordFence along with our plugin so there might be a possibility of the plugin is conflicting WordFence.
In the case of deactivating and deleting the plugin, there is be a possibility of your server is caching the login page.

Suppose you have deactivated the plugin then the whole code present in the plugin will not work so it is possible your server is caching the old page.

Please send us a support request from the plugin or our website so that we can have a look into this and make it work for you.

Looking forward to hearing from you.

Thank you
miniOrange

Hi @poulimiot,

We didn’t hear back from you.
Do let me know if you are still interested or if you need any help.

Hello,

Never had to deplore such vicious issues with any plugins but, at last, we have got rid of it.

FYI, after having purged ALL caches via our CDN, the usual WordPress log in window was displayed again, but after some attempts, WordFence was still blocking any access to our website.

So, we were forced to manually uninstall/reinstall WordFence to finally find out that your “Google Authenticator – WordPress Two Factor Authentication” plugin had purely — and without warning — changed/crossed ALL OUR ADMIN PASSWORDS with your 3 SECURITY QUESTIONS configured method… forbidding us to log in as usual!!!

Furthermore, the automatic security scan (regularly) done by Wordfence afterward sent us the following alert:

File appears to be malicious: wp-content/cache/object/3b2/e20/3b2e20bf1659d5942f51eb009ce6ba86.php
Type: File
Issue Found 16 June 2020 21 h 44 min
Critical
Ignore

Details

Filename: wp-content/cache/object/3b2/e20/3b2e20bf1659d5942f51eb009ce6ba86.php
File Type: Not a core, theme, or plugin file from www.ads-software.com.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: wp_set_password( ‘password’, 1 )

The issue type is: Backdoor:PHP/wpinfoajinsert.5689
Description: Hardcoded password reset, common part of WordPress backdoors

Not sure yet that your “Google Authenticator – WordPress Two Factor Authentication” virus plugin is involved in that backdoor, but daring to change/cross ALL ADMIN PASSWORDS without warning your potential customers is a pure infamy and cannot be a coincidence.

The worst being that the excellent Wordfence plugin already offers FOR FREE the Two-Factor Authentication option.

So, do not be surprised that we grant you, for such bad practices + waste of (our) time, a 1 star review, and dissuade our clients to be mislead by your plugin.

Anton

• This reply was modified 4 years, 9 months ago by Пулемёт.
• This reply was modified 4 years, 9 months ago by Yui.

Hi @poulimiot,

We apologies for this inconvenience.

There seems to be no part of the two-factor plugin in both file and password reset issues. This seems to be an attack on your website and you might have to clean your website. Let us know if you need help with this.

We do not have any reports of the virus attack due to our plugin and we can assure and guarantee that our plugin has no backdoor for a possible attack.

Regarding password resetting for admin based on the description you provided. This same attack might be a possible reason for the password reset. We never change passwords automatically. It is only done by the users themselves.

And about setting security questions, in our plugin, it is the second layer of security prompted only after user name and password verification and it is not enforced on the user.

On looking more into this issue we found others are also facing the same issue who have not used two-factor plugin: https://www.ads-software.com/support/topic/scan-results-critical-issue-found/.

Hi there!

It was predictable that you would deny the evidence, though several checks have proved that your “Google Authenticator – WordPress Two Factor Authentication” plugin is only responsible of the substitution of ALL OUR ADMIN PASSWORDS with your 3 SECURITY QUESTIONS configured method.

As for the integrity of our website, the daily automatic security scan done by Wordfence did not reveal any attacks, except from the switch and the backdoor found JUST AFTER we activated your plugin (knowing that we did not modify or install anything else in the previous 48 hours).

What a shame!

Anton