2.14.1.1.11. Popular plugin vulnerabilities

In February-March 2020, vulnerabilities were found in very popular plugins:

• Duplicator. The vulnerability found allows you to get a configuration file or any other site file, which in turn can almost completely open access to site management and changes.
• Popup Builder. The vulnerability found allows an unauthorized user to execute any JavaScript code on any page, and authorized users with any access rights to export important site data, as well as gain access to control the plugin itself.

There are also many other plugins in which vulnerabilities have been found. We recommend that you check the security of your site by checking for vulnerabilities for the themes and plugins used. We also strongly recommend not to use third-party developments or copies of paid extensions.

Information about the vulnerabilities found in plugins can be found, for example, on the following sites:

• WordPress Vulnerabilities — found vulnerabilities in WordPress plugins and themes.
• WordFence — Vulnerabilities found in the WordPress CMS and related products.
• CVE — Vulnerabilities found in the WordPress CMS and related products.

At the moment, the most common consequence of a hack is the installation of a redirect to third—party sites. If you have the specified plugins or you suspect that your site may have been hacked, we recommend that you follow the steps to elimination of vulnerabilities.

To eliminate the problems that have arisen, we strongly recommend that you follow the following steps:

1. Temporarily block access to the site for troubleshooting steps:
   • If you do not have additional settings in the section "Access restriction», then customize access only from your or desired IP addresses by enabling the option "Deny access to site for everyone, allow access only for IPs below" and specifying your IP address in the field "List of IP addresses".
   • If you have previously set access settings in the section "Access restriction», then следует установить access restriction in .htaccessby specifying your IP address so that only access from it is possible.
2. Create a backup copy of the site and database with the current state in case of problems in restoring the site's health.
3. Produce reinstallation core WordPress.
4. Change the site urlif it was affected and a redirect to third-party sites occurs.
5. Update plugins on the site to the latest version.
6. Change administrator password. We also recommend Change passwords of all users or recommend to do it yourself.
7. Change the passwords of the connected database and FTP users:
   • Change the database user password, and update WordPress config file settings.
   • Change password of the FTP users and update them if they have been used elsewhere on the site.
8. Disable the restriction of access to the site, depending on the selected method from paragraph 1.
9. Analyze access logs for suspicious requests. Enter the URL in the search field action=duplicator_download or wp-config.php и проверьте логи за последние несколько недель/месяцев. Если будут найдены подобные запросы, then следует рассмотреть возможность access restrictions for the IP addresses from which they were executed.