wpuser_X Administrator Exploit / Hack in WordPress PublishPress Capabilities Plugin

Security challenges appear everywhere, and most recently attackers are exploiting a vulnerability in a WordPress plugin which, ironically, is designed to limit users' access to WordPress capabilities and better control their permissions.

If you have a blog, online store or presentation site running WordPress with the PublishPress Capabilities plugin, it is a good idea to check in Dashboard → Users → All Users → Administrator for users you do not recognize, most often with names of the form "wpuser_sdjf94fsld".

[Image: wpuser_ in Administrator]

I ran into this hack on several online stores and quickly concluded that their only common element is the PublishPress Capabilities plugin, which has a vulnerability that allows a user with the administrator role to be added without going through the standard registration process.

On some affected WordPress sites, the attackers were content just to add the new users with the administrator role, without doing any damage. Or maybe they didn't have time.
On others, however, the WordPress Address (URL) and/or Site Address (URL) were redirected to external pages, most likely malicious ones. A sign that those who launched these attacks were not very bright. This is the best part of this security problem.
Of course, it is no pleasure to wake up and find that your online store, website or blog is redirected to other web addresses, but the good part is that, for the moment, whoever took control did no other damage, such as deleting content, injecting spam links throughout the database and other craziness. I don't want to give ideas.

How do we solve the security problem if we were affected by the wpuser_ exploit on WordPress?

Let's take the scenario in which the WordPress blog was affected by the "wpuser_" hack and redirected to another web address. So clearly you can no longer log in and reach the Dashboard.

1. We connect to the database of the affected site, via phpMyAdmin or whatever management tool each of us uses. The database authentication data is located in the file wp-config.php.

define('DB_USER', 'user_blog');
define('DB_PASSWORD', 'passworddb');

2. We go to "wp_options" and, in the "option_value" column, make sure that the correct address of our site is set for "siteurl" and "home".

This is where the redirection to another address is actually set. After you change the value back to the website's address, the site can be accessed again.

3. Also in "wp_options", we check that the admin email address has not been modified as well. We check that "admin_email" is the correct one. If it is not, we change it to the legitimate address. Here I found "admin@example.com".

4. We go to the Dashboard and urgently update the PublishPress Capabilities plugin, or we deactivate it and delete it from the server.

5. In Dashboard → Users → All Users → Administrator, we delete the illegitimate users with the administrator role.

6. We change the passwords of the legitimate users with administrator rights and the password of the database.
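
The database checks from steps 2, 3 and 5 can also be run as queries in the phpMyAdmin SQL tab. This is an added example, not part of the original procedure; it assumes MySQL/MariaDB and the default "wp_" table prefix, and the address values are placeholders.

```sql
-- Added example; assumes MySQL/MariaDB and the default table prefix "wp_".
-- 'https://example.com' and 'owner@example.com' are placeholders for your real values.

-- Steps 2-3: inspect the options the attackers changed. users_can_register and
-- default_role are standard WordPress options (not mentioned in the article)
-- that control self-registration and the role given to new accounts.
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home', 'admin_email',
                      'users_can_register', 'default_role');

-- Step 5 (read-only): list every account holding the administrator role,
-- newest first, and flag logins matching the wpuser_ pattern.
-- Roles are stored as a serialized PHP array in wp_usermeta.
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       (u.user_login LIKE 'wpuser\_%') AS matches_wpuser_pattern
FROM wp_users AS u
JOIN wp_usermeta AS um ON um.user_id = u.ID
WHERE um.meta_key = 'wp_capabilities'
  AND um.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC;

-- Step 2: restore the site address so the Dashboard is reachable again.
UPDATE wp_options
SET option_value = 'https://example.com'
WHERE option_name IN ('siteurl', 'home');

-- Step 3: restore the legitimate admin e-mail address.
UPDATE wp_options
SET option_value = 'owner@example.com'
WHERE option_name = 'admin_email';
```

Export the database before running the UPDATE statements, and review every administrator in the list, not only the ones matching the wpuser_ pattern.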

It is advisable to install and configure a security plugin. Wordfence Security provides sufficient protection against such attacks in its free version.

I didn't spend too long looking for exactly where the vulnerability in PublishPress Capabilities was, but if your site has been infected by this exploit, this can help you get rid of it. The comments are open.

Passionate about technology, I have been writing with pleasure on stealthsetts.com since 2006. I have rich experience in operating systems (macOS, Windows and Linux), as well as in programming languages, blogging platforms (WordPress) and online store platforms (WooCommerce, Magento, PrestaShop).
