A warm hello to all WordPress owners among you, especially those who collect leads.
For this need, there is the practical little plug-in "Convert Plus", which is already pre-installed in many themes and already has over 100,000 active installations. The Convert Plus plug-in aims to convert more subscribers, leads and members with the help of pop-ups, headers and footers, forms, slide-ins, widgets in the sidebar and the like.
Sounds all well and good, but what's the problem?
How my website was hacked in just 30 seconds
This morning, as I was leisurely checking data from my current website with a coffee in my hand, I saw a surprising email in my inbox. Take a look at it:
At first I mistakenly thought that I might have generated a lead via my newly installed "Convert Plus" plug-in. However, this seemed strange to me, as the campaigns set up had nothing to do with user registrations.
For this reason I then checked in my WordPress interface, under the Users tab, who this strange Samuel might have been. When I got to the Users tab, I was almost struck by the fact that it had nothing to do with my Convert Plus plug-in. By some method, someone had managed to hack my WordPress site and create a new user with admin rights. With a mix of terror, confusion and the whimsy of a morning grouch, I deleted this user again as quickly as I could.
Completely perplexed and shocked, I asked myself, How the hell did this guy get into my website? You hear a lot about hacking and read a lot online, but it's rare for something like this to actually happen to you.
Since there are many ways into a WordPress website, I first implemented the basics as quickly as possible:
- New log-in path (You should never leave it at /wp-admin in any case!)
- Password change in WordPress
- Password change in hosting
- New password in FTP
- 2-factor authentication in hosting
- 2-factor authentication in WordPress
- Update all open plug-ins
- New password for the database
Only the updates of the usual plug-ins included in the theme remained open; anyone who uses a Themeforest theme will be familiar with this. The usual suspects include plug-ins like WP Bakery Page Builder, Ultimate Addons for WPBakery Page Builder, Convert Plus and similar plug-ins. They actually require an individual license, but are automatically included in many themes. Without a license, they can be used, but cannot be updated manually.
Since I trust these plug-ins more for some reason, probably because they are paid, I was less worried at this point that someone could hack my WordPress account with their help. After I had taken all the measures mentioned above, I thought I had averted the danger.
- Wrong thinking.
- The laptop made a pinging noise.
- A new mail flutters in:
"Damn axe" - I thought to myself.
"THIS CANNOT BE" - went through my head.
"Now there won't even be any more pee breaks until this is resolved" - I thought to myself.
"One Wordfence plug-in to go, please."
After investing in the PRO version of Wordfence, I took a look at the live tracking:
A Dutch IP with a Russian hostname is actually messing with my admin files.
When I saw "/wp-admin/" with a questioning look, I knew I had to let the ban hammer fly in the direction of the Netherlands.
Phew, that felt good. But the question is, did it do any good?
Yes, it did.
The person tried to access my site via another IP address, but as this one was in the Netherlands too, he was unable to do so.
Important: A country ban will never be enough. Anyone can access VPNs at will to get an IP from another country. This meant that the attacker could have simply proceeded as they wished. It therefore seemed logical to me, especially after consulting a few fellow sufferers, that it must be due to a plug-in.
The culprit: the Convert Plus plug-in
After a short discussion in the online marketing groups, there were many different approaches. So I checked to see if there was any news about plug-ins I was using - and lo and behold:
It may sound strange, but after reading this, I was reassured. Nothing is worse in such a situation than not knowing where the problem lies.
I then immediately deleted the Convert Plus plug-in just mentioned and took a look at the official site to see whether there was an update for this problem.
In an official post from Wordfence, this problem is explained in more detail for anyone who is interested. Wordfence also makes it clear that the developers of Convert Plus responded to this bug immediately: within a few days they updated the plug-in and shared this with their users in a separate article.
Furthermore, the Wordfence team even showed in their post, with a video as an example, how this hacking process took place. Here, you realize for the first time how quickly and easily someone can gain access to your website. All it took was a vulnerability in a plug-in, and it was already possible for people to hack your WordPress account. Creepy, but important to know.
So if you use the Convert Plus plug-in in version 3.4.2 or earlier, you have two options: UPDATE or DELETE.
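A check for the two things this incident turned on, a Convert Plus install at version 3.4.2 or earlier and an administrator account nobody created on purpose. This is an added example, not code from the original post or from Wordfence; it parses constructed samples of WP-CLI JSON output, and the plug-in slug `convertplug` and the allowlisted login are assumptions.

```python
import json
import re

# Constructed sample of `wp plugin list --format=json` output (not real data).
# The slug "convertplug" is an assumption; check the folder name on your install.
PLUGINS_JSON = """[
  {"name": "convertplug", "status": "active", "version": "3.4.2"},
  {"name": "wordfence", "status": "active", "version": "7.0.0"}
]"""

# Constructed sample of
# `wp user list --role=administrator --fields=ID,user_login,user_registered --format=json`.
ADMINS_JSON = """[
  {"ID": 1, "user_login": "niels", "user_registered": "2018-03-01 09:12:44"},
  {"ID": 7, "user_login": "samuel", "user_registered": "2019-06-01 07:41:03"}
]"""

LAST_AFFECTED = (3, 4, 2)  # per the post: 3.4.2 or earlier means update or delete


def parse_version(text):
    """Turn '3.4.2' into (3, 4, 2); a part with no leading digits counts as 0."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def vulnerable_plugins(plugins_json, slug="convertplug"):
    """Installed copies of the plug-in at or below the last affected version.
    Inactive copies are listed as well."""
    return [p for p in json.loads(plugins_json)
            if p["name"] == slug and parse_version(p["version"]) <= LAST_AFFECTED]


def unexpected_admins(admins_json, known_logins):
    """Administrator accounts not on the owner's allowlist, newest first."""
    known = {login.lower() for login in known_logins}
    admins = json.loads(admins_json)
    return sorted((u for u in admins if u["user_login"].lower() not in known),
                  key=lambda u: u["user_registered"], reverse=True)


if __name__ == "__main__":
    for p in vulnerable_plugins(PLUGINS_JSON):
        print(f"UPDATE OR DELETE: {p['name']} {p['version']} ({p['status']})")
    for u in unexpected_admins(ADMINS_JSON, known_logins=["niels"]):
        print(f"UNKNOWN ADMIN: {u['user_login']} (ID {u['ID']}, registered {u['user_registered']})")
```

On a live site, feed the two functions the real output of the WP-CLI commands named in the comments and keep the allowlist of administrator logins somewhere outside WordPress.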
And the moral of the story ...
- "Too many plug-ins, don't install them".
- "You don't use outdated plug-ins."
- "Wordfence and 2-factor authentication, you better use it, you wretch."
- "People from the Netherlands are not trusted" (Joke)
- "An alternative login path is nice and simple"
But joking aside: you hear so often that it is important to keep plug-ins up to date. This example should show you that this statement is really true - and not just something agencies use to charge customers running costs for "maintenance".
Fortunately, I spend almost every waking hour in front of my laptop as a workaholic nerd and was virtually there live when an attempt was made to infiltrate my site. In this case, as you can see if you look at the video from Wordfence, it really took only 30 seconds to create an admin account. You can see how this was/is possible in the following video:
That was highly dangerous and could have gone really wrong. Please also learn from the mistakes that others make for you (in this case, me) and, ideally today, apply the security settings listed above to all your important web projects.
Prevention is better than cure, but you usually only learn that when it's too late.
Be smart, stay safe and thanks for reading!
Happy weekend to you!
Best regards with aching eyelids,
Niels