The Risk of an Expired Domain Infecting Your Site Visitor’s Computers

Get your FREE WordPress Troubleshooting Guide – see how to fix most WordPress problems!

Signs showing a route that has been re-directedAnother twist on what can happen if you don’t keep your plugins up to date: your website visitors can be re-directed to a site that, at the least, will present them with spammy ads and, at worst, will attempt to infect their computers.

A recent article on the Sucuri blog reported on a plugin that was surrendered by its original author and taken over by other, legitimate, owners.

However, sites on which this plugin was installed, but where the website owners failed to update it, started redirecting their visitors to a spam server.

The plugin in question relied on some JavaScript that linked to the plugin owner’s original domain to carry out some of its functions.

When the original author gave up their involvement with the plugin it was taken over by others (legitimate, as I said) and it was moved to a domain owned by the new developers.

The plugin was updated to reflect the new domain in the JavaScript snippets – so everything should have been fine.

Except for those who didn’t update the plugin.

So what happened to those who didn’t update the plugin?

Domains that have lots of links going to them (as this one would have, given that it was the home of a successful plugin) are valuable – and so highly attractive to people who buy and sell domains for a living.

Between the purchase and sale of these domains many of these people host them on a server and make money on them by placing ads.

Or placing malware on them to infect the computers of visitors.

What happened in the case of this plugin was that the original domain eventually expired and was bought by one of these domain traders, who hosted it on a server that was generating pop-ups.

The pop-ups attempted to lock the visitor’s browser and displayed a message asking the site visitor to call them (no doubt in order to carry out some form of ransom demand, but that’s only my assumption – it’s not stated in the Sucuri article).

Because the plugin had not been updated the JavaScript still linked to the original domain, which was now owned by the bad guys. So site visitors were being re-directed to the server and being presented with these pop-ups.

The new plugin owners had done all the right things by updating the JavaScript and issuing a plugin update.

The website owners had simply failed to apply it.


The message for website owners is clear (as always!):

  1. Apply plugin updates as soon as they are available
  2. Apply theme updates as soon as they are available (the same thing as happened with this plugin can happen with themes)
  3. Apply WordPress updates as soon as they are available (I frequently read comments by people on forums saying they are going to wait for the x.x.1 release before updating WordPress)
  4. Remove from your server any application or software that is not necessary for the functioning of your website. A colleague recently discovered a PHP application on a customer’s server that enables you to change file paths in the WordPress database. A perfectly legitimate application but one that should be removed as soon as you’ve made the changes, not left for a hacker to exploit
  5. Only install plugins that are either premium or meet the criteria I set out on this page

As always, if you would like to talk to us about keeping your WordPress site as secure as possible and recovering quickly from hacks please:


Martin Malden

About the author: Martin Malden owns Abledragon, a WordPress agency that was established in 2009. Today it serves customers in Hong Kong, Australia and the UK. Abledragon websites are built for today’s Internet, with the mobile user in mind, and are known for security and speed. Successful Abledragon projects.