Comments on: WordPress redirect hack [Solved]
https://nabtron.com/wordpress-redirect-hack/
Technology & Programming Guide

By: Nabtron (https://nabtron.com/wordpress-redirect-hack/#comment-20191), Sun, 31 Mar 2019 03:03:11 +0000
In reply to Jane Oak.

Thank you for the detailed description of the steps you took to fix it. Especially important is the default role of the registering user!

By: Jane Oak (https://nabtron.com/wordpress-redirect-hack/#comment-20190), Tue, 26 Mar 2019 02:04:54 +0000

I have just finished fixing a site affected by this hack. It is a site running WooCommerce, but fortunately no customer data was affected.

The first alert to the hack was that the site was redirecting to a spammer’s site called getmyfreetraffic(dot)com.

I have a few tips to add because, even though the version, theme and all plugins were up to date and the site is running Sucuri Security, it still got hacked.

1. This article explains the vulnerability: https://blog.sucuri.net/2019/03/0day-vulnerability-in-easy-wp-smtp-affects-thousands-of-sites.html

2. When I initially checked the site, the latest version of Easy WP SMTP was showing, BUT the vulnerability was already set, so I removed the plugin and then reloaded it; that did not fix it.

3. Checking the database I found malicious links in the _options table and deleted those.

4. In the admin dashboard under users there were 2 new users with admin privileges. After checking them out and saving copies of their IPs, usernames and passwords, I deleted them.
The main culprit, and one you can find a lot of info about by googling, is:
Username: devidpentesting99
Email: [email protected]

5. IMPORTANT STEP THAT I INITIALLY MISSED – In the Settings > General section, “new default role” had been changed to “administrator” and there was a tick in the “anyone can register” box. I changed the default role to “customer” (but yours might be “subscriber” depending on what you use your site for) and unticked “anyone can register”.

6. I decided I could live without the plugin Easy WP SMTP as the site functions fine without it, so I deleted it.

7. At the same time I deleted several other old plugins that were no longer needed.

8. I installed the WP Htaccess Editor plugin and added the following at the end, after # END WordPress:

# Disable directory browsing
Options All -Indexes

# Block direct requests to wp-admin/includes and to PHP files under wp-includes.
# The [S=3] rule skips the three wp-includes rules for any path outside wp-includes/.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# Permanently redirect any plain-HTTP request to the HTTPS version of the same URL
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

That stops anyone from being able to browse the directories of wp-admin and wp-includes and also forces all pages to go to the SSL version (some were not).

9. Once I was sure everything was updated, I used the cPanel File Manager to change the permissions on index.php, wp-config.php and wp-cron.php to 444 so they were not writable.

10. I added the plugin Disable XML-RPC to disable the XML-RPC API.

Adding all this here because it may help someone else whose WordPress site has been hacked through the Easy WP SMTP vulnerability. Although it looks like a simple list of actions, it took me 3 days to work all this out and fix it!

Best of luck to anyone else dealing with this hack.

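A defender's check for the state described in steps 3 to 5 of the comment above, as an added example in Python (not code from the comment, the site or any plugin named there): it audits wp_options rows and user records for open registration, an administrator default role, links to a host other than the site's own, and administrator accounts not on a known list. The hostname, logins and option values are constructed sample data.

```python
# Audit WordPress settings and accounts for the changes described in the comment
# above: open registration with an administrator default role, unexpected admin
# users, and injected links in wp_options. Added example, not code from the
# thread; inputs are constructed dicts standing in for wp_options/wp_users rows.
from urllib.parse import urlparse

EXPECTED_HOST = "shop.example.com"   # constructed: the site's legitimate hostname
KNOWN_ADMINS = {"shopowner"}         # constructed: administrator logins you recognise

def foreign_hosts(text, expected_host):
    """Hostnames of http(s) URLs in text that differ from the expected host."""
    hosts = set()
    for token in text.replace('"', " ").replace("'", " ").split():
        if token.startswith(("http://", "https://")):
            host = urlparse(token).hostname
            if host and host != expected_host:
                hosts.add(host)
    return hosts

def audit_site(options, users, expected_host=EXPECTED_HOST, known_admins=KNOWN_ADMINS):
    """Return a list of finding strings; an empty list means nothing fired."""
    findings = []
    # Open registration + administrator default role = admin account for any sign-up (step 5)
    if options.get("users_can_register") == "1":
        findings.append("users_can_register is enabled")
    if options.get("default_role") == "administrator":
        findings.append("default_role is administrator")
    # siteurl/home pointing elsewhere, or any option carrying a link to another
    # host, is how a redirect to a spammer's site gets planted (step 3)
    for key, value in options.items():
        for host in sorted(foreign_hosts(str(value), expected_host)):
            findings.append(f"option {key} links to {host}")
    # Administrator accounts you did not create (step 4)
    for user in users:
        if user["role"] == "administrator" and user["login"] not in known_admins:
            findings.append(f"unexpected administrator {user['login']}")
    return findings

# Constructed sample reflecting the compromised state described in the comment.
SAMPLE_OPTIONS = {
    "siteurl": "https://shop.example.com", "home": "https://shop.example.com",
    "users_can_register": "1", "default_role": "administrator",
    "widget_text": '<script src="https://bad-redirect.invalid/r.js"></script>',
}
SAMPLE_USERS = [{"login": "shopowner", "role": "administrator"},
                {"login": "devidpentesting99", "role": "administrator"},
                {"login": "alice", "role": "customer"}]

if __name__ == "__main__":
    print("\n".join(audit_site(SAMPLE_OPTIONS, SAMPLE_USERS)))
```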