For the last 7 years, I have been using WordPress to drive my online business. WordPress is perhaps the most crucial tool in any SEO’s set of tools. To put things into perspective, it has been installed over 455,000,000 times, which means that it is currently being used by 35% of website owners who can attest to its true potential.
There is a limitless number of plugins and theme combinations that help make it the ideal platform for those who aren’t that deep into tech. With WordPress, everyone now has an opportunity to turn their dreams and ideas into a reality before an awaiting online audience.
Unfortunately, this is the same aspect of WordPress that makes it a haven for malicious “black hat” marketers who can hack into your site and cause it malfunction, and they recently managed to do this on a large scale.
If you are an Elementor Pro user, then you may have been affected.
And you might not have even realized it.
ELEMENTOR PRO VULNERABILITY
On the 6th of May, Wordfence published an article that revealed how 1 million sites might be at risk of an active attack.
Attackers exploited a weakness in Elementor Pro’s security to redirect website visitors to their own websites and even take total control of the website.
However, the Elementor team took quick action to fix this flaw, and users were asked to update to the latest version immediately.
While the update gave many users peace of mind, including me, I later found out that the attacker already had access to a majority of the sites that we manage and that the update wouldn’t be of much help.
Just keep in mind that in case your website has already been affected, then updating it won’t fix it.
WHAT CAN AN ATTACKER DO WITH MY WEBSITE?
If the attack is executed perfectly, then this specific attack will install a web shell known as “wp-xmlrpc.php” – it has been named this way so that it can blend with your system files.
A web shell grants the attacker complete access to your website and in most cases, your server, and this means that they are able to:
- Add, modify, or delete content
- Add links for SEO value
- Redirect your traffic to their sites
- Remove everything
- Do anything else
What’s more, in case you are using WooCommerce, then the hacker might also get access to your customer data.
HOW CAN ONE FIND OUT IF THEIR SITE HAS BEEN HACKED?
You don’t need to be tech-savvy to figure out if your website has been compromised.
You just need to follow the following steps:
1. REVIEW WORDPRESS USERS
One of the most obvious signs that an authorized party has attempted to take advantage of the Elementor Pro vulnerability is a new user on the site.
Receiving an email from WordPress notifying you that a new user was created between the first or second week of May is a surefire way of knowing that you have been hacked.
First, use your admin account to log into your WordPress admin area and then browse to the “Users” section.
Be on the lookout for suspicious or unfamiliar usernames.
WebARX has released a list of all the identified usernames that have been used in the attack, as of now.
In cased one of the usernames appears in your panel, then you need to rush immediately to If You’ve Been Hacked.
Please note that just because you don’t find an unfamiliar username, it doesn’t mean that your website is safe.
2. REVIEW YOUR FILES
Use FTP/SFTP/File Manager to go through your WordPress files.
While still on your WordPress root folder, which is normally the first folder that you see after logging in. Search for a file named wp-xmlrpc.php.
In case you find such a file, then the attacker managed to gain access. Trying to delete this file won’t help the situation at all.
In case you find any files that seem out of the ordinary or unfamiliar to you, then it might have probably been planted by a hacker.
3. PERFORM A SECURITY SCAN
In case you utilize a web hosting company that manages this for you, such as WPX Hosting, WPEngine, SiteGround, and so on, then they should do this for you.
Instead of performing your own scan with Wordfence or Sucuri, this is usually a better option since your host might have the permission to scan system files that these plugins might not have access to.
While common free WordPress security plugins can detect an alteration in the WordPress core files, they can’t guarantee that a clean scan result translates to a safe site.
Paid subscribers those tools are normally covered by a firewall, and it is most likely that the attack failed.
4. VISIT YOUR SITE
In case you have visited your own site and you were redirected to another site, then you might have been hacked.
No one actually knows the manner in which the malicious redirect works.
Check your website using the following techniques:
- Visit your website through a proxy
- Use other browsers while in Incognito or Private mode.
- Click through your website from Google or Social Media
If, after doing any of these, you were redirected to another website other than your site, then you might have been hacked.
WHAT IF YOU HAVE BEEN HACKED OR YOU ARE NOT CERTAIN?
ROLLBACK TO A PREVIOUS VERSION
Most web hosts provide a 14 to 30 days backup feature. Maybe, just maybe, you will come across this article in time in case you have been compromised. If so, you can roll your website back to any date before the attack.
Keep in mind that in case your backups have been stored on your server with anything like Updraft, then there is a possibility that they might be affected too.
HOW TO FIND OUT WHEN YOU WERE ATTACKED
WordPress normally shows registration times and dates by default.
Install Admin Columns Plugin
Make sure you enable the “Registration” column for “Users” in the plugin setting.
After doing this, when you visit the WordPress ‘Users’ page, you will see a new column displaying the date that the masquerading user was created.
Or in case you have your server access logs, then you can search for an entry called “wpstaff.php”.
After the backup has been restored, you need to immediately update your plugins to avoid another attack.
Once more, check for the user and the harmful files.
MANAGED HOSTING SUPPORT
In case you are using a managed host like any of those mentioned above, then you need to contact their support to discuss their security measures and if they provide malware cleaning.
Hosts like WPEngine and WPX Hosting offer this free of charge in all their packages.
Most “done for you” malware removal service providers have already made reports on the latest Elementor Pro issue.
The following are some of these sites; however, you should your own research since I haven’t yet tested them personally and am also not affiliated:
– site a
– site b
While it might feel like a drastic measure if you were already considering rebuilding your site regardless, then now might be the ideal time to rebuild from scratch.
This way, you will be guaranteed that you do not have any harmful files operating in the foreground.
You need to ensure that you use a different install or hosting account.
AVOIDING AN ATTACK
Not knowing beforehand which plugins have vulnerabilities might make it hard to prevent a hack.
Here are some fundamental tips for avoiding future hacks:
– Go for a managed WordPress host as these hosts often provide malware scanning along with removal, and toughen their WP installations by default. They stop the execution of PHP files in uploads folders
– Update Plugins, Themes, and WordPress Core
– Makes use of a security plugin. For basic protection, enable Firewall and WordPress hardening. Perfect solutions include Sucuri, WordFence Premium, and WebARX.
– You can also check WPVuLnBD or Run WPScan to identify at-risk plugins and themes that you might be using.
In case your WordPress site was hacked, tell us in the comments, how you were able to tackle the problem.