Elementor Pro User? You Need to Read This!

WordPress has driven my online business for the last seven years and is arguably the most essential tool in any SEO’s arsenal.

With an estimated number of installs topping 455,000,000, 35% of website owners apparently agree.

Countless plugins and theme combinations make it the perfect platform for the less “tech-savvy” to bring their ideas to life and put them in front of an online audience.

Sadly, this also makes WordPress a target for unscrupulous “black hat” marketers who hack their way into your site to make it do something it’s not supposed to — a feat they recently achieved on a big scale.

As an Elementor Pro user, there’s a chance you’ve already been bitten…

And you’re probably none the wiser.

Elementor Pro Vulnerability

On May 6th, Wordfence published this article explaining how 1 million sites could be at risk from an active attack.

Attackers were using a weakness in the security of Elementor Pro to maliciously redirect your visitors to their own sites or even take control of your website altogether.

The Elementor team was quick to patch the flaw, and users were encouraged to update to the latest version as soon as possible.

The update provided peace of mind for many — myself included — until I discovered that the attacker had already gained access to a large number of the sites I manage and that the update wouldn’t make the slightest difference.

If your site has already been compromised, updating will NOT fix it.

What Could a Hacker Do With My Site?

When successfully executed, this particular attack installs a webshell called “wp-xmlrpc.php” (it’s named this way to blend in with your system files)

A webshell gives the attacker full access to your site and often your server, meaning they can:

• Add, change or remove content
• Insert links for SEO value
• Redirect your traffic to their own site
• Delete everything!
• …Pretty much anything else you can think of

Not to mention, if you’re using WooCommerce, the attacker may have access to some of your customer data.

How do I find out if I’ve been Hacked?

You don’t have to be a technical wizard to find out whether your site has been affected.

Just follow these steps:

1. Check WordPress Users

A new user on your site is usually the first sign that someone has tried to exploit the Elementor Pro vulnerability.

A dead giveaway is if you received an email from your WordPress site informing you a new user was created around the first week or two of May.

Firstly, log into your WordPress admin area using your admin account, and navigate to “Users.”

Check for any suspicious or unknown usernames.

WebARX security published a list of all of the known usernames used in the attack so far.

If you see one of the usernames in your panel — jump straight to If You’ve Been Hacked.

Important: Just because there’s no suspicious username doesn’t mean your site is safe.

2. Check Your Files

You can examine your WordPress files using FTP / SFTP / File Manager.

In your WordPress root folder (usually the first folder you see when logging in), look for a file called wp-xmlrpc.php.

If this file exists, the attacker has been successful in gaining access. Just deleting the file at this point is unlikely to be helpful.

You should also check /wp-content/uploads/elementor/custom-icons/

Any files in here that you don’t recognize as something you uploaded were probably planted there by an attacker.

Specifically, look for:

• wpstaff.php
• demo.html
• Read Mw.txt
• config.json
• icons-reference.html
• selection.json
• fonts.php

3. Run a Security Scan

If you use a managed WordPress host such as WPEngine, WPX Hosting, SiteGround, etc., they will usually be able to do this for you.

This is usually preferable to running your own scan using Wordfence or Sucuri, as your host may have access to scan system files these plugins would otherwise miss.

Popular free WordPress security plugins are usually able to detect a change in WordPress core files — but don’t interpret a clean scan result as a guarantee that your site is safe.

A Firewall usually protects paid subscribers of such tools, and there’s a higher chance the attack failed.

5. Visit your Site

Have you visited your own site lately and been redirected to another?

Exactly how this malicious redirect works remains unknown.

Visit your site using these methods:

• Use other browsers in Private / Incognito mode
• Visit your site using a proxy
• Click through to your site from Google or Social Media

If any of these result in a redirect to anything but your own website, you’ve probably been hacked.

If you’ve been hacked or you’re unsure

Rollback to a previous version

Many web hosts offer 14-30 day backups. Hopefully, this article will find you in time if you’ve been affected, allowing you to roll your site back to an earlier date prior to the attack.

Note: if your backups are stored on your server using something like Updraft, there’s a chance they’ll be infected too.

Finding out when you were attacked

By default, WordPress won’t show user registration dates and times.

Install a plugin called Admin Columns.

In the plugin settings, enable the ‘Registration’ column for ‘Users’.

Now when you navigate to the WordPress ‘Users’ page, a new column will display the date the malicious user was created.

Alternatively, if you have your server access logs, you can search for the entry for “wpstaff.php”.

Roll your site back to a backup created before the date and time of the attack.

Once the backup is restored, update your plugins as soon as possible to prevent another attack.

Then, check again for the user and the malicious files.

Managed Hosting Support

If you have a managed host such as the ones listed above, talk to their support about the security measures and whether they offer malware cleaning.

Hosts such as WPX Hosting and WPEngine include this for free with all packages.

Cleanup Service

Many “done for you” malware removal services have already reported on the recent Elementor Pro issue.

Some are listed here, please do your own research as I have not personally tested them, nor am I affiliated:

• https://www.wordfence.com/wordfence-site-cleanings/
• https://www.getastra.com/website-cleanup-malware-removal
• https://sucuri.net/website-security-platform/help-now/

Rebuild

It seems like a drastic measure, but if you were thinking of rebuilding your site anyway, now is a perfect opportunity to start from scratch.

That way, you know for sure you don’t have any malicious files lurking in the background.

Just make sure to use a different install or hosting account.

Preventing a Hack

It’s tough to prevent a hack when you don’t know in advance which plugins contain vulnerabilities.

Some basic tips for preventing future hacks:

• Use a managed WordPress host – they typically have malware scanning and removal, and harden their WP installs by default (by preventing the execution of PHP files in uploads folders)
• Keep Plugins, Themes, and WordPress Core up to date
• Use a security plugin. At the very least, enable Firewall and WordPress hardening.WordFence Premium, Sucuri, and WebARX are all good solutions
• Run WPScan or check WPVulnDB for vulnerable plugins and themes you might be using.

Was your WordPress site hacked?

How did you tackle the problem?

Let us know in the comments.