cPanel hacking of WordPress

Several months ago, I noticed that of the many websites I had on one server, one of them was not updating properly. In fact, it never updated WordPress, and it actually acted like there was no such thing as an update.

I forced an upgrade by uploading the new core via FTP, but as this was a live site, I didn’t want to do anything crazy to the database, or even take the site offline at all. Upgrading via FTP worked, but it still never flagged or showed that updates were needed, as time went on.

Usually, and this is seen on one old demo site, the dashboard will say the current version number, along with the button to update if one is available.

Also, navigating to the Upgrades page on the dashboard,

This was something that I did not have time to deal with. It was a minor issue, as it was only affecting a couple of sites. However, I stumbled across this blog today dealing with how cPanel had been changing Core to prevent upgrades. Suddenly, I realized what was happening.

It turned out the culprit in this case wasn’t even cPanel – it was a GoDaddy plugin. What’s weird is that the site had never been on GoDaddy. It was once on MediaTemple, early on, and I’m thinking that’s a possible culprit since they’re related. It has been on multiple hosts, and I can’t verify how it happened at all, but there was a plugin placed in the mu-plugins folder – which was why the manual FTP updates hadn’t fixed a thing! Due to the above blog post I was able to search on various terms, and I located the mu-plugins GoDaddy plugin by searching for “core_upgrade”.

Header information from the plugin:

Plugin Name: System Plugin
Plugin URI:
Author URI:
Text Domain: gd_system
Domain Path: /gd-system-plugin/lang

Offending item snippet:

// Don't auto upgrade core
add_filter( 'auto_update_core', '__return_false' );
add_filter( 'pre_site_transient_update_core', create_function( '', 'global $wp_version; $x = new stdClass(); $x->version_checked = $wp_version; return $x;' ) );
add_filter( 'user_has_cap', array( $this, 'block_core_upgrades' ), 10, 3 );

// Use default WP settings for these three
// add_filter( 'auto_update_plugin', '__return_false' );
// add_filter( 'auto_update_theme', '__return_false' );

// Disable e-mails 3.7 Beta -> RC
add_filter( 'automatic_updates_send_email', '__return_false' );

// Disable e-mails 3.7 RC -> Final
add_filter( 'enable_auto_upgrade_email', '__return_false' );

// No debug e-mails
add_filter( 'automatic_updates_send_debug_email', '__return_false' );

// 3.7 Final filter
add_filter( 'auto_core_update_send_email', '__return_false' );

As it was the only mu-plugin, I deleted the whole mu-plugins directory from the installation to remove all the offending code. Magically… we have an update button now, and are happily running the very latest version of WordPress.
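The search that located the plugin can be turned into a repeatable check across an installation. The script below is an added example, not part of the original post or of the plugin: it walks a WordPress tree, reports every live add_filter() call on the update-related hooks shown in the snippet above, and marks hits inside mu-plugins. The sample file names are constructed, and the comment skipping is a line-based heuristic.

```python
import re
import tempfile
from pathlib import Path

# Update-related hooks named in the snippet above; user_has_cap also has
# legitimate uses, so a hit on it means "review this file", nothing more.
UPDATE_HOOKS = {
    "auto_update_core", "pre_site_transient_update_core", "user_has_cap",
    "auto_update_plugin", "auto_update_theme", "automatic_updates_send_email",
    "enable_auto_upgrade_email", "automatic_updates_send_debug_email",
    "auto_core_update_send_email",
}
ADD_FILTER = re.compile(r"""add_filter\s*\(\s*['"](\w+)['"]""")

def scan(wp_root):
    """Return (relative path, line, hook, is_must_use) per live add_filter on an update hook."""
    root, findings = Path(wp_root), []
    for php in sorted(root.rglob("*.php")):
        rel = php.relative_to(root)
        must_use = "mu-plugins" in rel.parts  # loaded on every request, no dashboard toggle
        for number, line in enumerate(php.read_text(errors="replace").splitlines(), 1):
            if line.lstrip().startswith(("//", "#", "*")):
                continue  # heuristic: skip single-line and docblock comment lines
            findings += [(rel.as_posix(), number, hook, must_use)
                         for hook in ADD_FILTER.findall(line) if hook in UPDATE_HOOKS]
    return findings

# Constructed sample tree: file names are made up, filter lines follow the snippet above.
SAMPLE_FILES = {
    "wp-content/mu-plugins/sample-system-plugin.php": """<?php
// Don't auto upgrade core
add_filter( 'auto_update_core', '__return_false' );
add_filter( 'user_has_cap', array( $this, 'block_core_upgrades' ), 10, 3 );
// add_filter( 'auto_update_plugin', '__return_false' );
add_filter( 'auto_core_update_send_email', '__return_false' );
""",
    "wp-content/plugins/sample/sample.php": "<?php\nadd_filter( 'the_content', 'sample_cb' );\n",
}

def build_sample_tree(base):
    for name, body in SAMPLE_FILES.items():
        path = Path(base) / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, number, hook, must_use in scan(tmp):
            print(f"{path}:{number}: {hook}" + ("  [mu-plugins]" if must_use else ""))
```

To audit a real site, call scan() on the WordPress root directory instead of the sample tree.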
