Simplenet


Security issues in the WP GDPR Compliance plugin

November 9, 2018

Last night we got an email from a friend saying he had found some new users with administrator privileges on some of his WordPress websites and asking us to check it out.

We started to investigate, and it seems that the websites had one thing in common – the WP GDPR Compliance plugin.

It looks like there is a vulnerability in the plugin and there have been a series of attacks on sites using this plugin.

There are different stages of infection:

  • administrator users are being created
  • files have been modified
  • redirection to a Russian website

We recommend you check whether new users with the name “t3trollherten”, “t2trollherten” or “trollherten” have recently appeared on your site.

After creating the users, attackers modified the files of other PHP scripts (plugins). For example, we found modified PHP files in the Akismet plugin folder.

On some websites, we found this Pastebin URL in wp_options at siteurl.

https://pastebin.com/raw/V8SVyu2P?

At this point the website starts to break: you get database connection errors, or your website is redirected to another site, sometimes a Russian one.
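The checks described above can be scripted with WP-CLI. This is an added example, not code from the original post; it assumes WP-CLI is installed as `wp` and is run from the site's root, and the function name and output strings are made up here. It goes slightly beyond the text by comparing `siteurl` with the address you expect rather than only looking for the Pastebin URL, and it also checks the registration settings raised in the reader comment on this post.

```shell
#!/bin/sh
# Added example: check one WordPress install for the indicators in this post.
# Assumes WP-CLI is available as `wp` and the current directory is the site root.
ROGUE_LOGINS='t3trollherten t2trollherten trollherten'   # names from the post

# $1 = the address the site is supposed to have (your own URL).
# Prints one line per finding; returns 0 if clean, 1 if anything was found.
check_site() {
    expected_url=$1
    findings=0

    # Accounts whose login is exactly one of the names from the post.
    users=$(wp user list --field=user_login)
    for bad in $ROGUE_LOGINS; do
        if printf '%s\n' "$users" | grep -qixF -- "$bad"; then
            echo "rogue user: $bad"
            findings=$((findings + 1))
        fi
    done

    # siteurl pointing anywhere other than the site's own address.
    siteurl=$(wp option get siteurl)
    if [ "${siteurl%/}" != "${expected_url%/}" ]; then
        echo "siteurl changed: $siteurl"
        findings=$((findings + 1))
    fi

    # Open registration combined with an administrator default role.
    if [ "$(wp option get users_can_register)" = "1" ] &&
       [ "$(wp option get default_role)" = "administrator" ]; then
        echo "open registration grants administrator"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Usage (URL is a placeholder): check_site https://example.com
```

A clean result here only means these specific indicators are absent; it does not cover the modified plugin files.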

How to recover from the hack

If there are no such users, you should be fine; your website was probably not attacked.

To prevent that from happening, update the WP GDPR Compliance plugin to the latest version; the developers have fixed the vulnerabilities in the 1.4.3 release.

Ideally, keep all WordPress plugins and themes up to date to prevent possible security issues like this.

If you find these users, there’s a chance they didn’t get to infect the site, but you can’t know for sure, so it’s probably best to restore from a backup and then update the WP GDPR Compliance plugin.

Also, if you have a security plugin like Defender Pro, scan your WordPress instance to see if it’s clean.

If you can’t restore or you don’t have a backup, you’ll have to clean the website manually:

  • delete the malicious users from the database
  • delete all PHP and JS files (only keep wp-content/uploads)
  • reinstall WordPress and the themes and plugins you use

If you want to avoid these situations, consider switching from shared hosting to expert WordPress hosting. None of our managed WordPress hosting customers were affected; all affected websites were on shared hosting.

That is not to say it is because of the hosting, but on managed hosting you get proactive monitoring and managed updates, and you can avoid this type of situation.

When we identified what was going on, we immediately updated the plugin on our clients’ websites that had the vulnerable version and performed an automated scan.

We also have clients that host with us but whose websites we do not manage; we don’t have access to their WordPress instances.

So we searched the server for the wp-gdpr-compliance folder in order to identify the clients that used the plugin. We emailed them, notifying them of the security vulnerability, with instructions on how to check if their websites were hacked.
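One way to run a server-wide search like the one described above and sort the installs by whether they predate the 1.4.3 fix. This is an added example, not the authors' own script; it assumes sites sit under a common root with the standard wp-content/plugins layout, that the plugin declares its version in the usual "Version:" plugin header, and that `sort -V` (GNU coreutils) is available.

```shell
#!/bin/sh
# Added example (not the authors' script): list wp-gdpr-compliance installs
# under a hosting root and flag those older than the fixed release, 1.4.3.
FIXED_VERSION='1.4.3'

# Read the "Version:" header from the plugin folder's top-level PHP files.
# Assumption: the plugin uses the standard WordPress plugin header.
plugin_version() {
    grep -h -i '^[[:space:]/*#@]*Version:' "$1"/*.php 2>/dev/null |
        head -n 1 | sed 's/^[^:]*:[[:space:]]*//' | tr -d ' \t\r'
}

# True when version $1 sorts strictly before version $2.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print one line per install: STATUS<TAB>version<TAB>path
scan_hosting_root() {
    find "$1" -type d -name wp-gdpr-compliance \
         -path '*/wp-content/plugins/*' 2>/dev/null | sort |
    while IFS= read -r dir; do
        ver=$(plugin_version "$dir")
        if [ -z "$ver" ]; then
            status=UNKNOWN          # folder present, version not readable
        elif version_lt "$ver" "$FIXED_VERSION"; then
            status=VULNERABLE
        else
            status=PATCHED
        fi
        printf '%s\t%s\t%s\n' "$status" "${ver:-?}" "$dir"
    done
}

# Usage (the path is a placeholder): scan_hosting_root /path/to/hosting/root
```

A PATCHED result says nothing about whether the site was compromised before the update, so those installs still need the user and settings checks.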

If you also need help, don’t hesitate to get in touch.

Comments

  1. Simon Maddox says

    December 4, 2018 at 6:56 am

    Suggest you check your Settings/General.

    It’s common for the hacker to set the Membership: Anyone can register flag and to set the New user default role to Administrator.

    An easy way to give them ongoing access that does not show up on a scan of the site.
