Security challenges appear all the way and the latest hackers are exploiting a vulnerability in a wordpress plugin Which culminate, is designed to limit users' access to WordPress capabilities and better control their permissions.
If you have a blog, online store, presentation site running WordPress and the module PublishPress Capabilities, it is good to check if not in Dashboard → Users → All Users → Administrator, there are no users that you do not know and most of the time with name names “wpuser_sdjf94fsld“.
I met this hack on several online stores and I quickly concluded that their only common element is plugin PublishPress Capabilities, which presents a vulnerability that allows the add of a user with administrator's rank, without the need for a standard recording process.
On some affected WordPress sites, the attackers were satisfied only to add the new users with the rank of administrator, without breaking. Or maybe they didn't have time.
On others instead they have been made redirectionari ale WordPress Address (URL) and / or Site Address (URL) to external pages and most likely viruses. Sign that those who launched these attacks had little mind. This is the best part of this security problem.
Of course, there is no pleasure to wake up that the online store, the website or the blog are redirected to other web addresses, but the good part is that the mummant who took control, did not do other damage. Gen, to delete content, inject spam links throughout the database and other crazy. I don't want to give ideas.
How do we solve the security problem if we were affected by WPUSER_ exploit on WordPress?
We take the scenario in which the WordPress blog was affected by the hack “wpuser_” and redirected to another web address. So clearly you can no longer authenticate and get to Dashboard.
1. We connect to the database of the affected site. Via phpmyadmin or what management path does each have. Database authentication data is located in the file wp-config.php.
define('DB_USER', 'user_blog');
define('DB_PASSWORD', 'passworddb');2. We go in “wp_options” and on the column “optons_value” We make sure it is the correct address of our site to “siteurl” and “home“.
From here the redirection to another address is practically done. After changing with the website address, it can be accessed again.
3. Up to “wp_options” We check that the admin email address was not modified. We check at “admin_email” to be the correct one. If it is not the correct one, we change it and pass the legitimate address. Here I found “[email protected]“.
4. We go to Dashboard and update urgently to the plugin PublishPress Capabilities Or we deactivate and delete it from the server.
5. In Dashboard → Users → All Users → Administrator We delete illegitimate users with the rank of administrator.
6. We change the passwords of the legitimate users with administrator rights and the password of the database.
It is advisable to install and configure a security module. Wordfence Security Provides sufficient protection in the free version, for such attacks.
I didn't stay too long where exactly was the vulnerability in PublishPress Capabilities, but if you have Virusat the site with this exploit can help you get rid of it. The comments are open.
See this post for more on this topic: https://www.wordfence.com/blog/2021/12/massive-wordpress-attack-campaign/