If you are familiar with how to log in to your WordPress backend, you can easily see if you are using this plugin.

Step 1: Enter the WordPress backend by going to yourdomain.com/wp-login.php in your browser.

Step 2: Log in with your WordPress username and password, navigate to Plugins, and click on Installed Plugins on the left-hand side of your screen.

Step 3: Scroll down through the installed plugins to see if WP GDPR Compliance is in your list. On this screen, you’ll be able to see the version of the plugin to the right of the plugin name. Any version less than 1.4.3 is vulnerable and should be updated.

Note:
Documented evidence shows an inactive GDPR plugin is not vulnerable to the exploit.

Although this is a severe exploit, it is easy to patch, and you can protect yourself by performing a simple update.

Step 1: Follow the steps above in the section “How to Identify if you use the WP GDPR plugin” to log in and locate your Plugins menu.

Step 2: Afterwards, find WP GDPR Compliance. If you are running an outdated version, you’ll see a message letting you know you can update. Selecting the “update now” link will automatically upgrade to the newest version.

There are a couple of ways to identify this hack, listed below, but you can also use the Wordfence Security Scanner or read our blog article on the subject of exploitation. Indicators of Compromise include the following characteristics:
- Creation of new users with Admin privileges
- Database users in the wp_users table named t2trollherten and t3trollherten
- URLs inserted into the code, which have been seen as pornmam.com
- Installation of the 2MB Autocode plugin, executed by WP-Cron via WooCommerce’s woocommerce_plugin_background_installer
- The wp_options table within your database has an entry starting with 2mb_autocode or default_role is set to anything other than “subscriber”
- Recent edits to the wp-super-cache/wp-cache.php file
- Creation of a backdoor file, /wp-content/uploads/…/wp-upd.php
- Incoming IPs from:
  - 109.234.39.250
  - 109.234.37.214
  - 195.123.213.91
  - 46.39.65.176
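
Several of the indicators above can be checked mechanically. The following Python sketch is an added example, not code from the original article or from Wordfence; the function names and sample data are constructed for illustration. It assumes the user logins and wp_options rows have already been exported from the database, and that the access log uses the common/combined format with the client IP as the first field.

```python
from pathlib import Path

# Indicators copied from the list above.
BAD_USERS = {"t2trollherten", "t3trollherten"}
BAD_IPS = {"109.234.39.250", "109.234.37.214", "195.123.213.91", "46.39.65.176"}

def check_users(logins):
    """Return account names that match the attacker-created users."""
    return sorted(BAD_USERS & {name.lower() for name in logins})

def check_options(options):
    """Flag wp_options rows: 2mb_autocode* entries or a non-subscriber default_role."""
    findings = [f"option {k}" for k in sorted(options) if k.startswith("2mb_autocode")]
    role = options.get("default_role")
    if role is not None and role != "subscriber":
        findings.append(f"default_role={role}")
    return findings

def check_access_log(lines):
    """Return listed IPs that appear as the client address (first log field)."""
    hits = set()
    for line in lines:
        fields = line.split(maxsplit=1)
        if fields and fields[0] in BAD_IPS:  # exact match, not substring
            hits.add(fields[0])
    return sorted(hits)

def find_backdoors(wp_root):
    """Return paths of wp-upd.php files anywhere below wp-content/uploads."""
    uploads = Path(wp_root) / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    return sorted(str(p) for p in uploads.rglob("wp-upd.php") if p.is_file())

# Constructed sample data (not taken from a real site).
SAMPLE_USERS = ["admin", "editor1", "t2trollherten"]
SAMPLE_OPTIONS = {"siteurl": "https://example.test",
                  "default_role": "administrator",
                  "2mb_autocode_example": "x"}
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Nov/2018:10:01:02 +0000] "GET / HTTP/1.1" 200 512',
    '109.234.39.250 - - [09/Nov/2018:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    print(check_users(SAMPLE_USERS))
    print(check_options(SAMPLE_OPTIONS))
    print(check_access_log(SAMPLE_LOG))
```

If the site sits behind a proxy or CDN, the first log field is the proxy address, so match against whichever field your server records the forwarded client IP in.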
If you have determined from the characteristics above that your site is compromised, you’ll want to remedy it immediately, since other sites on the same server can be affected.
- Liquid Web customers can purchase a Malware Clean Up package
- Manually remove the code from the infected files
- Restore from a backup dated before November 8, 2018 (keep in mind this will still have the old version, and your site will still be in danger)