2.13.1.1.11. Popular plugin vulnerabilities

In February-March 2020, vulnerabilities were found in very popular plugins:

  • Duplicator: the vulnerability allows an attacker to retrieve the configuration file or any other site file, which in turn can give almost complete access to managing and changing the site.
  • Popup Builder: the vulnerability allows an unauthenticated user to execute any JavaScript code on any page, and allows authenticated users with any access rights to export important site data and to gain control of the plugin itself.

Vulnerabilities have also been found in many other plugins. We recommend that you check the security of your site by looking up known vulnerabilities for the themes and plugins you use. We also strongly recommend not using third-party developments or copies of paid extensions.

Information about plugin vulnerabilities is available, for example, on the following sites:

  • WordPress Vulnerabilities: vulnerabilities found in WordPress plugins and themes.
  • WordFence: vulnerabilities found in the WordPress CMS and related products.
  • CVE: vulnerabilities found in the WordPress CMS and related products.

At the moment, the most common consequence of a hack is the installation of a redirect to third-party sites. If you use the plugins listed above or suspect that your site may have been hacked, we recommend that you follow the steps below to eliminate the vulnerabilities.

Warning!

This article provides only general recommendations for troubleshooting. We strongly recommend contacting specialists in the field of site development to restore the functionality and ensure the security of the site.

To eliminate the problems that have arisen, we strongly recommend the following steps:

  1. Temporarily block access to the site while you carry out the troubleshooting steps:
    • If you have no additional settings in the "Access restriction" section, allow access only from your own or other required IP addresses by enabling the option "Deny access to site for everyone, allow access only for IPs below" and entering your IP address in the "List of IP addresses" field.
    • If you have previously configured settings in the "Access restriction" section, set up the access restriction in .htaccess instead, specifying your IP address so that access is possible only from it.
  2. Create a backup copy of the site and database in their current state in case problems arise while restoring the site.
  3. Reinstall the WordPress core.
  4. Change the site URL if it was affected and a redirect to third-party sites occurs.
  5. Update the plugins on the site to the latest version.
  6. Change the administrator password. We also recommend changing the passwords of all users, or asking them to do it themselves.
  7. Change the passwords of the connected database and FTP users:
    • Change the database user password and update the settings in the WordPress config file.
    • Change the FTP user password and update it wherever it is used on the site.
  8. Remove the restriction of access to the site, according to the method chosen in step 1.
  9. Analyze the access logs for suspicious requests. In the search box, enter the URL string action=duplicator_download or wp-config.php and check the logs for the last few weeks or months. If such requests are found, consider restricting access for the IP addresses from which they were made.
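
The log search from step 9, as an added example in Python (not part of the original article and not code from any plugin or hosting panel). It assumes access logs in the common/combined format, percent-decodes each request before matching the two strings named in step 9, and groups the hits by client IP; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Search strings named in step 9 of the article.
INDICATORS = ("action=duplicator_download", "wp-config.php")

# Assumed format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def normalise(target: str) -> str:
    """Percent-decode (at most twice, to catch double encoding) and lowercase."""
    for _ in range(2):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.lower()

def suspicious_requests(lines):
    """Return {ip: [(time, status, matched_indicators, raw_target), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        target = normalise(m["target"])
        matched = [ind for ind in INDICATORS if ind in target]
        if matched:
            hits[m["ip"]].append((m["time"], int(m["status"]), matched, m["target"]))
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Mar/2020:10:01:02 +0000] "GET /?action=duplicator_download HTTP/1.1" 200 3120 "-" "curl/7.58.0"
192.0.2.10 - - [14/Mar/2020:10:01:05 +0000] "GET /wp-config%2Ephp HTTP/1.1" 403 199 "-" "curl/7.58.0"
198.51.100.7 - - [14/Mar/2020:10:02:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 8450 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Mar/2020:08:30:11 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, events in suspicious_requests(SAMPLE_LOG).items():
        print(ip, len(events), "suspicious request(s)")
        for time, status, matched, raw in events:
            # A 200 on such a request means the server answered it; review first.
            print(f"  {time}  {status}  {','.join(matched)}  {raw}")
```

To check real logs, pass an open log file to suspicious_requests() in place of SAMPLE_LOG; the resulting IP addresses are the candidates for the access restrictions mentioned in step 9.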