As of November 9, 2018, the WP GDPR Compliance plugin has been exploited by hackers. This plugin aids e-commerce site owners in compliance with European privacy standards. Since the very nature of GDPR is to protect the personal data and privacy of EU citizens, it should be tended to as soon as possible to avoid a costly cleanup. WP GDPR Compliance is also known for working in conjunction with many forms including Contact Form 7, Gravity Forms, and WordPress Comments.
The main characteristic of this hack is the addition of new users, users with admin privileges. These administrative users have full access to your WordPress site. With Admin users a hacker can alter your site without your knowledge, including making rouge pages or selling your visitor’s information.
This article shows WP GDPR users how to:
If you are familiar with how to log in to your WordPress backend you can easily see if you are using this plugin.
Step 1: Enter the WordPress backend by going to yourdomain.com/wp-login.php in your browser.
Step 2: Login with your WordPress username and password and navigate to Plugins and click on Installed Plugins on the left-hand side of your screen.
Step 3: Scroll down through any installed plugins to see if WP GDPR Compliance is within your list. On this screen, you’ll be able to see the version of the plugin to the right of the plugin name. Any version less than 1.4.3 is vulnerable and should be updated.
Although this is a severe exploit, it is easy to patch and protect yourself by performing a simple update.
Step 1: Follow the steps above in the section “How to Identify if you use the WP GDPR plugin” to login and locate your Plugins menu.
Step 2: Afterwards, find WP GDPR Compliance, if you are running an outdated version you’ll see a message letting you know you can update. Selecting the “update now” link will automatically upgrade to the newest version.
There is a couple of routes for identifying this hack, listed below, but you can also use the Wordfence Security Scanner or our read our blog article on the subject of exploitation.
Indicators of Compromise include the following characteristics:
- Creation of new users with Admin privileges
- A database user in the wp-users table named t2trollherten and t3trollherten
- URL’s inserted into the code have seen as pornmam.com
- Installation of the 2MB Autocode plugin, executed by WP-Cron via WooCommerce’s woocommerce_plugin_background_installer
- The wp_options table within your database has an entry starting with 2mb_autocode or default_role is set to anything other than “subscriber”
- Recent edits to the wp-super-cache/wp-cache.php file
- Creation of a backdoor file, /wp-content/uploads/…/wp-upd.php
- Incoming IPs from:
- 109.234.39.250
- 109.234.37.214
- 195.123.213.91
- 46.39.65.176
If you deduced your site is compromised from previously mentioned characteristics, then you’ll want to remedy it immediately since other sites on the same server can be affected.
- Liquid Web customer can purchase a Malware Clean Up package
- Manually remove the code from the infected files
- Restore from a backup dated before November 8, 2018 (keep in mind this will still have the old version, and your site will still be in danger)
