WordPress has driven my online business for the last seven years and is arguably the most essential tool in any SEO’s arsenal.
With an estimated 455,000,000 installs, 35% of website owners apparently agree.
Countless plugins and theme combinations make it the perfect platform for the less “tech-savvy” to bring their ideas to life and put them in front of an online audience.
Sadly, this also makes WordPress a target for unscrupulous “black hat” marketers who hack their way into your site to make it do something it’s not supposed to — a feat they recently achieved on a big scale.
As an Elementor Pro user, there’s a chance you’ve already been bitten…
And you’re probably none the wiser.
On May 6th, Wordfence published this article explaining how 1 million sites could be at risk from an active attack.
Attackers were using a weakness in the security of Elementor Pro to maliciously redirect your visitors to their own sites or even take control of your website altogether.
The Elementor team was quick to patch the flaw, and users were encouraged to update to the latest version as soon as possible.
The update provided peace of mind for many — myself included — until I discovered that the attacker had already gained access to a large number of the sites I manage and that the update wouldn’t make the slightest difference.
If your site has already been compromised, updating will NOT fix it.
When successfully executed, this particular attack installs a webshell called “wp-xmlrpc.php” (it’s named this way to blend in with your system files).
A webshell gives the attacker full access to your site and often your server, meaning they can:
Not to mention, if you’re using WooCommerce, the attacker may have access to some of your customer data.
You don’t have to be a technical wizard to find out whether your site has been affected.
Just follow these steps:
A new user on your site is usually the first sign that someone has tried to exploit the Elementor Pro vulnerability.
A dead giveaway is if you received an email from your WordPress site informing you a new user was created around the first week or two of May.
Firstly, log into your WordPress admin area using your admin account, and navigate to “Users.”
Check for any suspicious or unknown usernames.
WebARX security published a list of all of the known usernames used in the attack so far.
If you see one of the usernames in your panel, jump straight to “If You’ve Been Hacked.”
Important: Just because there’s no suspicious username doesn’t mean your site is safe.
You can examine your WordPress files using FTP / SFTP / File Manager.
In your WordPress root folder (usually the first folder you see when logging in), look for a file called wp-xmlrpc.php.
If this file exists, the attacker has gained access, and simply deleting the file at this point is unlikely to help.
You should also check /wp-content/uploads/elementor/custom-icons/
Any files in here that you don’t recognize as something you uploaded were probably planted there by an attacker.
Specifically, look for:
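The file checks above can be scripted so they are repeatable across the sites you manage. The script below is an added example, not from the article or from Elementor; it looks for the two indicators the article names (wp-xmlrpc.php in the WordPress root, and anything in wp-content/uploads/elementor/custom-icons/) and reports them for review. The sample site it builds in `--demo` mode is constructed for the demonstration, with empty files standing in for the planted ones.

```shell
#!/bin/sh
# Added example, not from the article: check a WordPress install for the two
# file-system indicators described above (wp-xmlrpc.php in the root, and
# unexpected files under wp-content/uploads/elementor/custom-icons/).
# Usage: sh check_wp.sh /path/to/wordpress   or   sh check_wp.sh --demo

# Returns 0 when nothing was found, 1 when something needs attention.
# Every file in custom-icons is listed because the article says anything
# there you did not upload yourself should be treated as planted.
check_wp_indicators() {
    root="$1"
    found=0

    # Indicator 1: the webshell dropped in the WordPress root, named to
    # resemble the genuine core file xmlrpc.php.
    if [ -f "$root/wp-xmlrpc.php" ]; then
        echo "FOUND: $root/wp-xmlrpc.php (webshell, not a core file)"
        ls -l "$root/wp-xmlrpc.php"
        found=1
    fi

    # Indicator 2: anything in the Elementor custom-icons upload directory.
    icons="$root/wp-content/uploads/elementor/custom-icons"
    if [ -d "$icons" ]; then
        for f in "$icons"/* "$icons"/.[!.]*; do
            [ -e "$f" ] || continue          # skip unmatched glob patterns
            echo "REVIEW: $f (not expected unless you uploaded it yourself)"
            ls -l "$f"
            found=1
        done
    fi
    return $found
}

# Constructed sample site for the demo; the planted files are empty
# stand-ins, not real malware. (Assumption: nothing like this exists on disk.)
build_sample_site() {
    dir="$1"
    mkdir -p "$dir/wp-content/uploads/elementor/custom-icons"
    : > "$dir/xmlrpc.php"                                             # genuine core file
    : > "$dir/wp-xmlrpc.php"                                          # stand-in for the webshell
    : > "$dir/wp-content/uploads/elementor/custom-icons/planted.php"  # stand-in for a planted file
}

case "${1:-}" in
    --demo)
        tmp="$(mktemp -d)"
        build_sample_site "$tmp"
        if check_wp_indicators "$tmp"; then
            echo "no indicators found"
        else
            echo "indicators found: restore a pre-attack backup rather than just deleting files"
        fi
        rm -rf "$tmp"
        ;;
    "")
        ;;                                   # no arguments: define the functions only
    *)
        check_wp_indicators "$1"
        ;;
esac
```

A non-zero exit status means something needs a human look; as the article says, a hit on wp-xmlrpc.php means deleting the file alone is not enough, so treat the result as the trigger for the backup-restore steps rather than as a cleanup.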
If you use a managed WordPress host such as WPEngine, WPX Hosting, SiteGround, etc., they will usually be able to scan your files for you.
This is usually preferable to running your own scan using Wordfence or Sucuri, as your host can scan system files that these plugins may otherwise miss.
Popular free WordPress security plugins are usually able to detect a change in WordPress core files — but don’t interpret a clean scan result as a guarantee that your site is safe.
Paid subscribers of such tools are usually protected by a firewall, so there’s a higher chance the attack failed.
Have you visited your own site lately and been redirected to another?
Exactly how this malicious redirect works remains unknown.
Visit your site using these methods:
If any of these result in a redirect to anything but your own website, you’ve probably been hacked.
Many web hosts offer 14-30 day backups. Hopefully, this article will find you in time if you’ve been affected, allowing you to roll your site back to an earlier date prior to the attack.
Note: if your backups are stored on your server using something like Updraft, there’s a chance they’ll be infected too.
By default, WordPress won’t show user registration dates and times.
Install a plugin called Admin Columns.
In the plugin settings, enable the ‘Registration’ column for ‘Users’.
Now when you navigate to the WordPress ‘Users’ page, a new column will display the date the malicious user was created.
Alternatively, if you have your server access logs, you can search them for requests to “wpstaff.php”.
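Searching the access logs is the quickest way to pin down the moment of the attack and therefore which backup is safe to restore. The script below is an added example, not from the article: it pulls every request for wpstaff.php out of Apache-style combined logs and prints the earliest one. The log lines it ships with are constructed for the demo (documentation-range IPs, and the request path is an assumption, since the article only names the file), so point the functions at your real logs instead.

```shell
#!/bin/sh
# Added example, not from the article: date the attack from the web server's
# access logs by searching for requests to wpstaff.php, as the article
# suggests, so you know which backup predates the compromise.
# The log lines below are constructed for the demo (documentation-range IPs,
# assumed path); replace SAMPLE_LOG with your real access log(s).

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [06/May/2020:02:14:07 +0000] "GET /wp-login.php HTTP/1.1" 200 4212 "-" "Mozilla/5.0"
192.0.2.10 - - [06/May/2020:02:14:31 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"
192.0.2.10 - - [06/May/2020:02:14:52 +0000] "GET /wp-content/uploads/elementor/custom-icons/wpstaff.php HTTP/1.1" 200 11 "-" "Mozilla/5.0"
203.0.113.5 - - [06/May/2020:09:30:12 +0000] "GET / HTTP/1.1" 200 18532 "-" "Mozilla/5.0"
192.0.2.10 - - [07/May/2020:11:02:40 +0000] "POST /wp-content/uploads/elementor/custom-icons/wpstaff.php HTTP/1.1" 200 11 "-" "Mozilla/5.0"
EOF

# Print "timestamp client_ip method path" for every wpstaff.php request.
# Combined-format fields: $1 client IP, $4 "[timestamp", $6 "\"METHOD", $7 path.
# Access logs are written in order, so pass rotated logs oldest first.
# Usage: wpstaff_hits /var/log/apache2/access.log.1 /var/log/apache2/access.log
wpstaff_hits() {
    grep -h 'wpstaff\.php' "$@" | awk '{ print substr($4, 2), $1, substr($6, 2), $7 }'
}

# The earliest hit: your backup must be from before this moment.
first_wpstaff_hit() {
    wpstaff_hits "$@" | head -n 1
}

# Number of hits, as a plain integer (tr strips the padding some wc's add).
count_wpstaff_hits() {
    wpstaff_hits "$@" | wc -l | tr -d ' '
}

# Demo run against the constructed log.
echo "first wpstaff.php request: $(first_wpstaff_hit "$SAMPLE_LOG")"
echo "total wpstaff.php requests: $(count_wpstaff_hits "$SAMPLE_LOG")"
```

The client IP printed alongside the first hit is also useful when you compare it against the registration time of the unknown user from the Admin Columns step: both should fall in the same window, which confirms you are looking at the right event.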
Roll your site back to a backup created before the date and time of the attack.
Once the backup is restored, update your plugins as soon as possible to prevent another attack.
Then, check again for the user and the malicious files.
If you have a managed host such as the ones listed above, talk to their support about the security measures and whether they offer malware cleaning.
Hosts such as WPX Hosting and WPEngine include this for free with all packages.
Many “done for you” malware removal services have already reported on the recent Elementor Pro issue.
Some are listed here; please do your own research, as I have not personally tested them, nor am I affiliated with them:
It seems like a drastic measure, but if you were thinking of rebuilding your site anyway, now is a perfect opportunity to start from scratch.
That way, you know for sure you don’t have any malicious files lurking in the background.
Just make sure to use a different install or hosting account.
It’s tough to prevent a hack when you don’t know in advance which plugins contain vulnerabilities.
Some basic tips for preventing future hacks:
Was your WordPress site hacked?
How did you tackle the problem?
Let us know in the comments.