Some members of the WordPress & Elementor communities have been freaking out over the last 48 hours after a popular plugin that extends the functionality of the popular Elementor page builder was compromised by hackers.
The attack crippled almost every website affected by redirecting their traffic to spam sites and malware download pages. This in all likelihood caused these websites to be removed from the major search engines.
Even worse, those without backups have lost their entire WordPress installation, meaning their website was ruined.
Yes, it's extremely unfortunate for those affected, but it serves as a gentle reminder that there are people out there intent on making our lives hell.
This article takes a look at the attack, answers why WordPress is often a target for attackers, how poor security can lead to your removal from search engines and how to prevent your site from being compromised.
What is a zero-day vulnerability?
A zero-day attack happens when there is a vulnerability in software that even the creators of the software didn’t know about and weren’t able to patch.
The hackers exploited a vulnerability that had existed in the software’s design for a long time, since before the software was even released.
Why is WordPress a target?
WordPress is often targeted by hackers for the same reason Microsoft is: market share. As the popularity of a particular software or platform increases, it becomes a bigger target for hackers, as their payoff is likely to be larger than if they’d targeted something that is used less.
In the case of WordPress, dodgy plugins from inexperienced developers have been known to come with software vulnerabilities which can be exploited by hackers, as we’ve seen with the PlusAddons attack.
What did this hack do?
The PlusAddons attackers did something called “privilege escalation”. The exploit allowed attackers to create new administrative accounts on vulnerable sites and gave them full control.
With control of the website, the attackers redirected inbound traffic to spam sites and malware download pages, meaning anyone attempting to visit these websites was exposed to risk too.
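One way to check a site for the administrator accounts described above, as an added example that is not part of the original article. It assumes WP-CLI is available to export the administrator list; the sample rows, the `KNOWN_ADMINS` list and the cutoff date are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample of the CSV printed by WP-CLI:
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=csv
SAMPLE_CSV = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2018-05-02 09:14:31
7,agency_dev,dev@example.com,2019-11-20 03:45:10
42,wpsupport_x,tmp8841@example.net,2024-01-16 02:17:55
"""

# Assumption: administrators the site owner has confirmed, login -> email.
KNOWN_ADMINS = {"siteowner": "owner@example.com", "agency_dev": "dev@example.com"}

def parse_admins(csv_text):
    """Turn the WP-CLI CSV into dicts with a timezone-aware registration time."""
    admins = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        admins.append({
            "id": int(row["ID"]),
            "login": row["user_login"],
            "email": row["user_email"].lower(),
            "registered": registered.replace(tzinfo=timezone.utc),  # stored as UTC
        })
    return admins

def audit_admins(csv_text, known_admins, suspected_since):
    """Return (login, reasons) for every administrator that needs a manual look."""
    findings = []
    for admin in parse_admins(csv_text):
        reasons = []
        expected_email = known_admins.get(admin["login"])
        if expected_email is None:
            reasons.append("not on the confirmed-admin list")
        elif expected_email.lower() != admin["email"]:
            reasons.append("email differs from the confirmed one")
        if admin["registered"] >= suspected_since:
            reasons.append("registered after the suspected compromise")
        if reasons:
            findings.append((admin["login"], reasons))
    return findings

if __name__ == "__main__":
    cutoff = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed date
    for login, reasons in audit_admins(SAMPLE_CSV, KNOWN_ADMINS, cutoff):
        print(f"REVIEW {login}: {'; '.join(reasons)}")
```

The registration date alone is not proof of anything, since it can be altered by someone with database access, which is why the comparison against a confirmed list is the primary check.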
What does Google have to do with this?
The big search engines have incredible capability when it comes to detecting these sorts of problems. Googlebot and its Bing & Yahoo counterparts are constantly scanning and indexing web pages to update their “directories”.
When a reputable website in Sydney goes from selling dog food one day to illicit pharmacy items in Russia the next, Google knows that something is wrong. Once they’ve detected a compromised website, Google will remove it from the search engine until the issue is fixed, and eventually anyone navigating to your website will see a notice warning them that the website has been compromised.
While irritating and unfortunate, these measures are taken to stop the infected website causing any more harm.
What do I do if my website has been hacked?
If it looks as though your website has been compromised, it’s important to act quickly. Even if Google hasn’t blacklisted your website yet, with someone else in control of your website or server, it’s very possible that more harm can be done to the point where your website is irrecoverable.
You should immediately contact your website’s developer if you suspect your website has been hacked or alternatively, contact us for assistance.
Contact your hosting provider
You should immediately lodge a support ticket with your hosting provider to notify them that your site has been compromised. Describe the issues you are having and ask if they have been able to detect abnormal server activity.
If backups are included as part of your hosting service, request that they restore a backup from a time when your website was functioning normally, if possible.
If your host does not provide backups, check with your web developer. A good web designer and developer will offer care and maintenance plans which will include routine backups.
If your website does not have backups, well, you’re in serious trouble and you need to contact a professional.
Identify the issue
Check Google, check the news, check community forums, because it is very unlikely that you’re the only person that has been attacked, and even more unlikely that you’re the first to report the issue. By identifying the exact issue and nature of attack, you’ll be able to prevent the issue from reoccurring.
There are many cyber security organisations that monitor WordPress issues specifically. By identifying where exactly the issue has arisen from, whether it be a dodgy plugin, missing security update, a data breach or something else, you will likely find a guide on the steps that you need to take to rectify the issue.
It might be as simple as changing your passwords or patching a plugin, or it could be more complicated.
Contact Google (if your website was penalised)
After you have fixed the security issue, the next step is to contact the search engines that blacklisted you and request a review. How this is done varies according to search engine, but we have included a brief outline of the steps required for Bing and Google.
Request a review by Google
For Google, you need to:
- Log into your Google Search Console. You’ll need to register and verify your site if you haven’t done this already.
- Check the “Security Issues” section to see details of which URLs have been hacked.
- Request a review once your site is clean and secure.
With the above done, Google will check your site has been fixed and remove the “This site may be hacked” message and hopefully restore your website to the Google search results.
Request a review by Bing
For Bing, you’ll need to:
- Log in to the Webmaster tools
- Under Reports & Data, find their Malware tool
- Request an appeal to start the process.
What’s the best way to keep your website secure?
Sometimes, there is just no way to stop an attack. There are security vulnerabilities in pretty much everything we do digitally. Like installing an application on your computer, it’s important to only install WordPress plugins from reputable sources and keep backups.
Keep WordPress and any plugins up-to-date (carefully)
Updates often contain security patches and bug fixes, but you should be very cautious when updating plugins to ensure that they don’t break your website.
Plugin developers work independently from one another. Their focus is more on function than it is on compatibility with other plugins.
Updating a plugin is like replacing a part of a working machine. If that part has changed in a way that affects other parts, the machine may malfunction and break.
Make regular backups!
Sometimes, disasters just happen. It’s likely that zero-day vulnerabilities exist in almost everything we use online, waiting to be exploited by anyone with the determination and resources to find them. The risk is, and always will be, there.
That is why it is absolutely critical to make regular backups of your website. In the event of a disaster, it is going to be much more cost-effective to restore your site from a backup than it will be to undo the damage caused by the malware.
When backing up your website, make sure to make a copy of your WordPress installation and your SQL database, and save them off-site. There’s no point keeping a backup of your website on the same compromised web server.
How can I be sure my website will stay secure?
It’s understandable that most businesses don’t have the internal resources to handle the maintenance and care that WordPress websites require to ensure their ongoing stability and dependability.
Topsite offers care and maintenance packages which include:
- hourly, daily, weekly or monthly off-site backups
- weekly plugin updates & compatibility testing
- uptime monitoring
- performance monitoring
- traffic reporting
These packages are designed to take the worry out of having a WordPress website. By trusting your WordPress agency to handle the technical aspects of WordPress disaster mitigation, you can sleep comfortably knowing that if something does go wrong, the damage is minimal.