Last night we got an email from a friend saying he found some new users with administrator privileges on some of his WordPress websites and asked us to check it out.
We started to investigate, and it turned out the websites had one thing in common: the WP GDPR Compliance plugin.
It looks like there is a vulnerability in the plugin and there have been a series of attacks on sites using this plugin.
There are different stages of infection:
- administrator users are being created
- files have been modified
- redirection to a Russian website
We recommend you check whether new users named “t3trollherten”, “t2trollherten” or “trollherten” have recently appeared on your site.
After creating the users, the attackers modified PHP files belonging to other plugins. For example, we found modified PHP files in the Akismet plugin folder.
On some websites, we found this Pastebin URL stored as the siteurl option in wp_options.
At this point the website starts to break: you get database connection errors, or the website is redirected to another site, sometimes a Russian one.
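A small triage script covering the indicators above (the three usernames, the siteurl option value, and recently modified plugin PHP files), added here as an example; it is not from the original post. It assumes WP-CLI is available on the site for the real data; the usernames and URL used in the demo run are constructed.

```shell
#!/usr/bin/env bash
# Triage helper for the indicators described in the post (added example).
# Real input comes from WP-CLI; the demo data at the bottom is constructed.
set -u

# Usernames the post names as indicators of this campaign.
IOC_USERS="t3trollherten t2trollherten trollherten"

# check_users: reads one user_login per line on stdin, prints each match,
# returns 0 if any indicator user is present and 1 otherwise.
check_users() {
    local found=1 login
    while IFS= read -r login; do
        for ioc in $IOC_USERS; do
            if [ "$login" = "$ioc" ]; then
                echo "SUSPICIOUS USER: $login"
                found=0
            fi
        done
    done
    return $found
}

# check_siteurl: takes the siteurl (or home) option value as $1 and flags
# a Pastebin URL, which is what the post saw in wp_options.
check_siteurl() {
    case "$1" in
        *pastebin.com*) echo "SUSPICIOUS siteurl: $1"; return 0 ;;
        *) return 1 ;;
    esac
}

# recent_php: lists PHP files under directory $1 modified within the last
# $2 days, the pattern the post saw inside the Akismet plugin folder.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" 2>/dev/null
}

# Demo run on constructed data. On a real site use, for example:
#   wp user list --field=user_login | check_users
#   check_siteurl "$(wp option get siteurl)"
#   recent_php /var/www/html/wp-content/plugins 7
if [ "${1:-}" = "--demo" ]; then
    printf 'admin\neditor\nt2trollherten\n' | check_users
    check_siteurl "https://pastebin.com/raw/EXAMPLE"
fi
```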
How to recover from the hack
If none of these users exist, you should be fine; your website was probably not attacked.
To prevent this from happening, update the WP GDPR Compliance plugin to the latest version; the developers have fixed the
Ideally, keep all WordPress plugins and themes up to date to prevent security issues like this.
If you do find these users, there is a chance they did not get as far as infecting the site, but you can't know for sure, so it's probably best to restore from a backup and then update the WP GDPR Compliance plugin.
Also, if you have a security plugin such as Defender Pro, scan your WordPress instance to check that it's clean.
If you can’t restore or you don’t have a backup, you’ll have to clean the website manually:
- delete the malicious users from the database
- delete all PHP and JS files (only keep wp-content/uploads)
- reinstall WordPress and the themes and plugins you use
If you want to avoid these situations, consider switching from shared hosting to expert WordPress hosting. None of our managed WordPress hosting customers were affected; all affected websites were on shared hosting.
That is not to say the hosting itself is the cause, but with managed hosting you get proactive monitoring and managed updates, which help you avoid this type of situation.
When we identified what was going on, we immediately updated the plugin on our clients’ websites that had the vulnerable version and performed an automated scan.
We also have clients who host with us but whose websites we do not manage, so we don't have access to their WordPress instances.
So we searched the server for the wp-gdpr-compliance folder to identify the clients that used the plugin, and emailed them about the security vulnerability with instructions on how to check whether their websites had been hacked.
If you also need help, don’t hesitate to get in touch.