WP GDPR Compliance Plugin Hacked

If you visited this site yesterday, you’ll have found it in a bit of a mess. While the content was displaying, there was zero formatting and no active theme.

Initially, I thought this was a caching issue – some cached corrupted files being loaded – so I cleared out the local cache. Nope, that wasn’t the problem.

For additional site security, I use Cloudflare which filters out a lot of bad traffic and such. It also has its own caching mechanism and provides an additional security layer between visitors and my site.

I cleared out the Cloudflare cache. That didn’t fix the problem either.

Next I took Internet Marketing Strategies out of the Cloudflare network in case there were problems with traffic being routed through it.

My site remained broken.

When WordPress Plugins Go Bad

A common reason for a site not working as expected is a bad plugin. So I updated a couple of plugins.

That didn’t change anything.

I use a security plugin on the site to prevent all sorts of bad stuff, so I deactivated and temporarily deleted that.

And still the site was broken.

Next step was to move all the plugins to a temporary folder so they wouldn’t be used on the site. This would identify if the problem was down to a bad plugin.

That didn’t make any difference either.

I noticed, when I was accessing the WordPress admin pages, that I kept having to log back in and I’d be redirected to erealitatea.net – a domain I don’t own.

Maybe my theme got corrupted, but the strange redirects to erealitatea.net seemed to rule that out. Nevertheless, for completeness’ sake, I switched to the Twenty Twelve theme.

That just proved that the problem wasn’t the theme.

At this point, I was pretty sure that the site had been hacked.

I ran the site through a malware check at Sucuri, but it came up clean. Running it through the Virus Checker in cPanel also showed it to be uninfected.

Checking my email, I came across an email from Wordfence saying that vulnerabilities in the WP GDPR Compliance Plugin had been exploited in the wild – that means hackers found holes in the plugin that they could exploit to gain access to a site for nefarious ends.

It turns out that when this issue was identified, the plugin was removed from the WordPress plugin repository on Thursday (Nov. 8th) to prevent webmasters from unwittingly installing a compromised plugin.

The plugin developers quickly released version 1.4.3, an update which patched multiple critical vulnerabilities. As I write this, the plugin has been reinstated in the WordPress repository and has over 100,000 active installs.

The reported vulnerabilities in the plugin allow unauthenticated attackers to achieve privilege escalation, allowing them to further infect vulnerable sites.

If you want a more technical explanation of what the plugin exploit did, read this post on the Wordfence blog.

And, guess what, I do use the GDPR plugin on this site, or at least I did.

Until the WP GDPR Compliance patch was released on Thursday, more than 100,000 WordPress sites using the plugin were vulnerable to this type of attack.

If you use the WP GDPR Compliance plugin on your site, upgrade to V1.4.3 immediately if you haven’t done so already.

Backing Up a WordPress Blog

I do regular backups of my sites with the BackupBuddy plugin. I learned several years ago, when I was new to WordPress and my blogs were continuously being hacked, that relying on your web host to make backups was a mistake.

So I always do, at the very least, a complete backup of the site (source files and database) once a month. It depends on how frequently I post to a blog, but a good rule-of-thumb is to do a database backup each time you publish a post. Otherwise, you run the risk of losing your latest content if your site is hacked.
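To show what the practice described here (and in lesson 3 below: regular file and database backups that you keep yourself) looks like without a backup plugin, here is an added example script. It is not the author's BackupBuddy setup or any project's code; it assumes a standard wp-config.php with define('DB_NAME', ...) style lines, mysqldump and gzip on PATH, and credential values that contain no quote characters. The site label, paths and timestamp format are my own choices.

```shell
#!/bin/sh
# Added example, not the author's BackupBuddy setup: a minimal WordPress
# backup routine that archives the site files, dumps the database with the
# credentials from wp-config.php, and prunes old copies so a rolling set of
# restore points is kept. Copy the resulting archives off the host
# (the post's point about not relying on the web host) with scp, rclone, etc.
# Assumptions: standard define('DB_NAME', ...) lines in wp-config.php,
# mysqldump and gzip on PATH, and values that contain no quote characters.

set -eu

# Print the value of a define('KEY', 'value') line from wp-config.php.
# $1 = path to wp-config.php, $2 = constant name (DB_NAME, DB_USER, ...)
wp_config_value() {
  sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Build an archive base name whose timestamp sorts chronologically by name.
# $1 = site label, $2 = kind (files|db), $3 = timestamp in YYYYmmdd-HHMMSS
backup_name() {
  printf '%s-%s-%s' "$1" "$2" "$3"
}

# Archive the WordPress root (minus the page cache) into a .tar.gz.
# $1 = WordPress root directory, $2 = output archive path
backup_files() {
  parent=$(dirname "$1")
  base=$(basename "$1")
  tar -czf "$2" --exclude="$base/wp-content/cache" -C "$parent" "$base"
}

# Dump the database to a gzipped SQL file. The password goes through the
# MYSQL_PWD environment variable, not the command line, so it is not
# visible to other users in the process list.
# $1 = WordPress root directory, $2 = output file (.sql.gz)
backup_db() {
  cfg="$1/wp-config.php"
  db_name=$(wp_config_value "$cfg" DB_NAME)
  db_user=$(wp_config_value "$cfg" DB_USER)
  db_pass=$(wp_config_value "$cfg" DB_PASSWORD)
  db_host=$(wp_config_value "$cfg" DB_HOST)
  # DB_HOST may be "host:port"; mysqldump takes the two separately.
  host="${db_host%%:*}"
  port="${db_host#*:}"
  [ "$port" = "$db_host" ] && port=3306
  MYSQL_PWD="$db_pass" mysqldump --single-transaction \
    --host="$host" --port="$port" --user="$db_user" "$db_name" | gzip -c > "$2"
}

# Delete all but the newest N archives matching a prefix (newest by name,
# which is newest by time because of the timestamp format above).
# $1 = backup directory, $2 = name prefix (e.g. "mysite-db-"), $3 = N to keep
prune_backups() {
  ls -1 "$1"/"$2"* 2>/dev/null | sort -r | tail -n +"$(( $3 + 1 ))" |
    while read -r old; do rm -f "$old"; done
}

# Full run: files + database, then keep the last 30 of each kind.
# $1 = WordPress root, $2 = backup directory, $3 = site label
run_backup() {
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$2"
  backup_files "$1" "$2/$(backup_name "$3" files "$stamp").tar.gz"
  backup_db "$1" "$2/$(backup_name "$3" db "$stamp").sql.gz"
  prune_backups "$2" "$3-files-" 30
  prune_backups "$2" "$3-db-" 30
}

# Usage (hypothetical paths): ./wp-backup.sh /var/www/mysite /var/backups/wp mysite
[ "$#" -eq 0 ] || run_backup "$@"
```

Run it from cron daily for the database and weekly or monthly for the files, then sync the backup directory to a machine you control. A restore is the reverse: untar the archive into the web root and pipe the gunzipped SQL into mysql, which is exactly the kind of rollback described in this post. Two caveats: the sed-based parser only handles the plain define() form, so a wp-config.php that builds credentials from environment variables needs a different reader, and pruning by name means the label and timestamp format must stay constant.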

To combat my site hack, I restored the latest complete backup I had from last week.

I then deactivated and deleted the WP GDPR Compliance plugin (which was active in the restored backup).

No point in getting hacked again! 🙂

Those weird redirects to erealitatea.net disappeared.

I wanted to test if they were being imposed from corrupt WordPress files or from somewhere in the site database.

So I then restored the most recent database backup I had – from Friday (I took one before I restored the site).

And, lo and behold, redirects to erealitatea.net reappeared.

So my database had been compromised.

I restored previous daily database backups until I got to Wednesday’s and the redirects disappeared again.

I don’t post to this blog all that often, so I restored the database from October 31st, the day after my last post here, just to be on the safe side.

What You Can Learn From This

1. If you haven’t visited your own blog in recent days, do it now to check that it’s loading and displaying correctly, especially if you use the WP GDPR Compliance plugin on your site.

2. Update the WP GDPR Compliance plugin on your site to the latest V1.4.3 edition immediately.

3. Always, always, always manage your own site backups. Do them frequently – a complete site backup at least once a month and database backups at least once a week.

And download them to your PC. Don’t rely on your web host to make and keep backups for you.

4. Hackers never stop. They are constantly probing for weaknesses and vulnerabilities in WordPress itself and the tens of thousands of plugins available for it.

Make your site as secure as possible from being hacked. There’s no 100% guarantee that you’ll prevent a hack (as you’ve learned from my experience) just as putting a sophisticated burglar alarm in your house doesn’t guarantee you won’t get robbed.

But it makes it more likely that the bad guys won’t want to waste time breaking into a secure site and will move on to an easier target.

5. Security holes are only plugged when they are discovered.

There are vulnerabilities that are currently being exploited that security companies have not identified yet.

But when they are, plugin developers will patch their plugins and release an update. Same with WordPress itself.

So you should upgrade your WordPress and plugins whenever new versions are released.

6. I was able to easily recover my site because I had backups I could revert to.

If you rely on your web host, you may find that they keep only a few recent backups, and if your site has been hacked for a long period of time, all of your web host’s backups may be of the hacked version of the site.

This happened to me in my early days and I lost the site as a result.

7. Check out my Top Design Blogs site for more articles on how to make your WordPress sites more secure.


Filed under: WordPress