News Courtesy of ZDNet.com:
The vulnerability affects “Duplicator,” a WordPress plugin that’s installed on over one million sites, according to statistics listed on the official WordPress Plugins directory. The plugin is popular because it allows site admins to migrate sites to new servers within minutes.
Duplicator works by generating a ZIP file containing the previous version of the site, along with a PHP file named installer.php. All a site admin has to do is upload the ZIP archive and the installer.php file to the new server, access the PHP file, enter the new database credentials, and have the new site up and running.
As popular as Duplicator is, I’ve never used it yet on the dozens of websites I’ve migrated from or to my server over my career. I’ve had great success with both All-in-One WP Migration and Backup Guard for moving websites. They each offer a premium version; however, I’ve had no problems using the free options for either. At some point, I plan to purchase one of them with a developer license, since there is a little extra legwork required for importing databases into the new server.
Responsibility for the “vulnerability” with Duplicator shouldn’t rest solely on the developer’s shoulders. The main issue pertains to a ZIP file and a PHP file that aren’t deleted after a completed migration. As a server administrator, I believe it is part of my job to clean up any mess or unused files that are generated by a theme or plugin. To assume that Duplicator will perform that operation is a little presumptuous. A good admin should routinely clear out anything such as cache and installation files.
If you do use Duplicator, don’t stress out. The latest version patches this issue. It is odd that this is just being discovered now, or at least just being made public. There will be, no doubt, a continued barrage of hijacking attempts by hackers who find websites with Duplicator installed. I remember a few years ago when a huge Revolution Slider exploit wreaked havoc across the internet and caused many sites to be defaced or infected with spam/malware. To this day, I still see failed attempts by these punks trying to upload revslider.zip. Unfortunately, with the rising popularity of WordPress, it’s only natural that exploits will be increasing as well.
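The cleanup habit described above and the log observation about revslider.zip both boil down to two routine checks an admin can script. The following is an added example, not code from the ZDNet article, the Duplicator project, or this blog: one function lists leftover migration artifacts (installer.php and any ZIP archives) under a WordPress document root, and another counts requests per client IP in an access log that reference installer.php or revslider.zip. The file names beyond installer.php, the log format (combined log format with the client IP in the first field), and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ZDNet article, the Duplicator project, or the blog author):
# post-migration housekeeping checks for a WordPress document root and a simple
# access-log scan for requests aimed at leftover migration files.
# Assumptions: the docroot is a plain directory tree; the access log is in combined
# log format with the client IP as the first field.

# List leftover migration artifacts under a document root: the installer.php the
# article describes, its common backup copy (assumed name), and any ZIP archive
# that is sitting in a web-reachable directory. Only lists; deletion is left to
# the admin after reviewing the output.
find_leftover_artifacts() {
    docroot="$1"
    find "$docroot" -type f \
        \( -iname 'installer.php' -o -iname 'installer-backup.php' -o -iname '*.zip' \) \
        2>/dev/null | sort
}

# Count, per client IP, the requests in an access log that touch installer.php or
# revslider.zip (the two file names the post mentions). Output is "count ip",
# busiest client first, so repeated probing stands out.
scan_access_log() {
    logfile="$1"
    grep -E 'installer\.php|revslider\.zip' "$logfile" \
        | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Write a small constructed access log (sample data, not real traffic) so the
# scan can be exercised offline. 203.0.113.5 probes twice; 198.51.100.7 is benign.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [01/Sep/2018:10:00:01 +0000] "GET /installer.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Sep/2018:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Sep/2018:10:00:03 +0000] "GET /wp-content/plugins/revslider/temp/update_extract/revslider.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0"
EOF
}

# Usage (paths are examples):
#   find_leftover_artifacts /var/www/html
#   scan_access_log /var/log/apache2/access.log
```

Run the first function right after a migration finishes and again from a periodic cron job; anything it lists that is not a deliberate download should go. The second function is deliberately crude (a substring match, no status-code filtering) so it works on any stock Apache or nginx log; a high count from one IP is the signal to review that client.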