WordPress redirect hack [Solved]

This week there was a massive hack attempt against numerous WordPress-based websites.

The hack causes your WordPress website to redirect to getmyfreetraffic.com or a similar website.

This was an interesting find: it was due to a zero-day exploit in a WordPress plugin.

I successfully fixed one of my clients' websites that was infected with this virus / hack.

Please let me know if you are facing this issue, where your WordPress site has been hacked and is redirecting to getmyfreetraffic or another website.

You can contact me through commenting here using your email id or:

Facebook page: https://facebook.com/nabtron

2 comments on “WordPress redirect hack [Solved]”

  1. I have just finished fixing a site affected by this hack. It is a site running WooCommerce, but fortunately no customer data was affected.

    The first alert to the hack was that the site was redirecting to a spammer’s site called getmyfreetraffic(dot)com.

    I have a few tips to add because, even though the version, theme and all plugins were up to date and the site is running Sucuri Security, it still got hacked.

    1. This article explains the vulnerability: https://blog.sucuri.net/2019/03/0day-vulnerability-in-easy-wp-smtp-affects-thousands-of-sites.html

    2. When I initially checked the site, the latest version of Easy WP SMTP was showing BUT the vulnerability was already set, so I removed the plugin then reloaded it; that did not fix it.

    3. Checking the database I found malicious links in the _options table and deleted those.

    4. In the admin dashboard under users there were 2 new users with admin privileges. After checking them out and saving copies of their IPs, usernames and passwords, I deleted them.
    The main culprit, and one you can find a lot of info about by googling is
    Username: devidpentesting99
    Email: [email protected]

    5. IMPORTANT STEP THAT I INITIALLY MISSED – In the settings > general section “new default role” had been changed to “administrator” and there was a tick in the “anyone can register” box. I changed default role to “customer” (but yours might be “subscriber” depending on what you use your site for) and unticked “anyone can register”.

    6. I decided I could live without the plugin Easy WP SMTP, as the site functions fine without it, so I deleted it.

    7. At the same time I deleted several other old plugins that were no longer needed.

    8. I installed the WP Htaccess Editor plugin and added the following at the end, after # END WordPress:

    # Disable directory browsing
    Options All -Indexes

    # Block wp-includes folder and files
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

    # Force HTTPS
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    </IfModule>

    That stops anyone from being able to browse the directories of wp-admin and wp-includes, and also forces all pages to go to the SSL version (some were not).

    9. Once I was sure everything was updated, I used the cPanel File Manager to change the permissions on index.php, wp-config.php and wp-cron.php to 444 so they were not writable.

    10. I added the plugin Disable XML-RPC to disable the XML-RPC API.

    Adding all this here because it may help someone else who has had their WordPress site hacked by the Easy WP SMTP vulnerability, and although it looks like a simple list of actions, it took me 3 days to work all this out and fix it!

    Best of luck to anyone else dealing with this hack.
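As an added example (not from the post or the comment above): a small triage script for the database indicators the comment lists, namely "new default role" set to administrator, "anyone can register" enabled, injected markup in wp_options, and unexpected administrator accounts. It reads the tab-separated output of `mysql --batch`; the expected role, the known-admin list and every sample row are constructed assumptions.

```python
import re

# Baseline (assumptions): the role new users should get, and admin logins you created.
EXPECTED_DEFAULT_ROLE = "customer"
KNOWN_ADMINS = {"shopowner"}
# Strings that have no business inside wp_options on a clean site.
SUSPECT = re.compile(r"<script|getmyfreetraffic|eval\(|base64_decode", re.I)

def parse_batch(text):
    """Parse `mysql --batch` output: a header line, then tab-separated rows."""
    lines = [ln.split("\t") for ln in text.splitlines() if ln.strip()]
    return [dict(zip(lines[0], row)) for row in lines[1:]]

def audit_options(rows):
    """Flag the two settings the comment describes, plus injected markup."""
    findings = []
    for r in rows:
        name, value = r["option_name"], r["option_value"]
        if name == "default_role" and value != EXPECTED_DEFAULT_ROLE:
            findings.append(f"default_role is '{value}', expected '{EXPECTED_DEFAULT_ROLE}'")
        elif name == "users_can_register" and value != "0":
            findings.append("users_can_register is enabled ('anyone can register')")
        elif SUSPECT.search(value):
            findings.append(f"suspicious content in option '{name}'")
    return findings

def audit_users(rows):
    """Flag administrator accounts that are not on the known-admin list."""
    # wp_capabilities is a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
    is_admin = re.compile(r'"administrator";b:1')
    return [f"unexpected administrator: {r['user_login']} <{r['user_email']}>"
            for r in rows if is_admin.search(r["meta_value"]) and r["user_login"] not in KNOWN_ADMINS]

# Constructed sample data (not from a real site), in the shape of `mysql -B -e "<query>"` for:
#   SELECT option_name, option_value FROM wp_options
#   SELECT u.user_login, u.user_email, m.meta_value FROM wp_users u
#     JOIN wp_usermeta m ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities'
SAMPLE_OPTIONS = """option_name\toption_value
siteurl\thttps://shop.example
default_role\tadministrator
users_can_register\t1
widget_text\ta:1:{i:2;a:1:{s:4:"text";s:40:"<script src=//getmyfreetraffic.com/r.js>";}}
"""
SAMPLE_USERS = """user_login\tuser_email\tmeta_value
shopowner\towner@shop.example\ta:1:{s:13:"administrator";b:1;}
devidpentesting99\tattacker@example.invalid\ta:1:{s:13:"administrator";b:1;}
"""
if __name__ == "__main__":
    for f in audit_options(parse_batch(SAMPLE_OPTIONS)) + audit_users(parse_batch(SAMPLE_USERS)):
        print("FINDING:", f)
```

On a live site, pipe the real query output in place of the sample strings and treat every finding as something to clean up and then re-check after the plugin is removed.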
