Hi,
I have had an issue since May 2019: my site was being redirected and was therefore hacked. Quite a few admin users were added in just a few days.
I had installed iThemes Security with brute force protection and host lockouts. None of this prevented the issue.
- restored the site to before 30 May
- changed admin user names and passwords
- rechecked all iThemes settings and even removed the standard backend URL (wp-login URL)
- installed the IQ Block IP plugin. Limited the countries that could access the backend and front end
No change. Within a day another admin user was added! Although fewer since step 4.
- installed the Anti-Spam by CleanTalk plugin. That stopped the adding of admin users.
After a long two weeks of this issue, I finally found the culprit:
Affected Plugin: Convert Plus
Plugin Slug: convertplug
Affected Versions: <= 3.4.2
Patched Version: 3.4.3
My issue:
I hadn't looked at Theme X for two years. Plugins that are included in the theme used to be updated when a new Theme X version was pushed (so over time the plugins get updated by the plugin developer, but not by Theme X ... yet). So an annoying update notification appears in the plugin folder, which you can't update... so I thought.
Solution:
I deactivated and removed the Convert Plus plugin, version 3.4.1, and installed it again from the Theme X plugins overview. Version 3.4.4 was installed. I guess that solved the vulnerability.
Question: how are plugins to be updated these days with Theme X?
A) by a Theme X update
B) through the standard WordPress plugin menu
Thanks
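The two checks the post's symptoms call for, as an added example that is not code from the original post, nor from the Convert Plus, iThemes or Theme X projects: (1) read the `Version:` header of a plugin's main file and compare it against the patched version the post lists (3.4.3), and (2) list administrator accounts whose `user_registered` date falls after a cutoff, which is how bundled-plugin compromises like this one usually show up. It assumes the default `wp_` table prefix (a custom prefix changes the `wp_capabilities` meta key, e.g. `abc_capabilities`) and works on constructed sample rows standing in for exports of `wp_users` and `wp_usermeta`.

```python
"""Offline checks for a WordPress site that is sprouting admin users.

Added example, not part of the original post. Assumptions (labelled):
  - default table prefix 'wp_', so the role meta key is 'wp_capabilities'
  - sample header and rows below are constructed, not real data
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

PATCHED_VERSION = "3.4.3"  # from the post: affected <= 3.4.2, patched 3.4.3


# --- Check 1: plugin version from the plugin header -------------------------

def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the 'Version:' field of a WordPress plugin header, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(v: str) -> tuple:
    """'3.4.10' -> (3, 4, 10); numeric so that 3.4.10 > 3.4.9."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version is older than the patched one."""
    return version_tuple(installed) < version_tuple(patched)


# --- Check 2: administrators registered after a cutoff ----------------------

def is_administrator(capabilities_meta: str) -> bool:
    """wp_capabilities is a PHP-serialised array, e.g.
    a:1:{s:13:"administrator";b:1;}  -- match the exact key, not a substring."""
    return re.search(r's:13:"administrator";b:1;', capabilities_meta) is not None


def admins_registered_after(users: List[Dict], usermeta: List[Dict],
                            since: str, prefix: str = "wp_") -> List[str]:
    """Logins of administrators whose user_registered is after `since`
    (format 'YYYY-MM-DD HH:MM:SS', as stored in wp_users). Equivalent SQL:
      SELECT u.user_login, u.user_registered FROM wp_users u
      JOIN wp_usermeta m ON m.user_id = u.ID
      WHERE m.meta_key = 'wp_capabilities'
        AND m.meta_value LIKE '%administrator%'
      ORDER BY u.user_registered DESC;"""
    cutoff = datetime.strptime(since, "%Y-%m-%d %H:%M:%S")
    caps = {m["user_id"]: m["meta_value"] for m in usermeta
            if m["meta_key"] == prefix + "capabilities"}
    found = []
    for u in users:
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered > cutoff and is_administrator(caps.get(u["ID"], "")):
            found.append(u["user_login"])
    return found


# --- Constructed sample data (not from any real site) -----------------------

SAMPLE_HEADER = """<?php
/*
Plugin Name: Convert Plus
Version: 3.4.1
*/
"""

SAMPLE_USERS = [
    {"ID": 1, "user_login": "owner", "user_registered": "2017-03-10 09:12:00"},
    {"ID": 7, "user_login": "wp_support_admin", "user_registered": "2019-06-02 03:41:17"},
    {"ID": 8, "user_login": "editor_jane", "user_registered": "2019-06-03 11:00:00"},
]

SAMPLE_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 7, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 8, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
]

if __name__ == "__main__":
    v = parse_plugin_version(SAMPLE_HEADER)
    print(f"installed {v}, patched {PATCHED_VERSION}, vulnerable: {is_vulnerable(v)}")
    print("admins registered after 30 May 2019:",
          admins_registered_after(SAMPLE_USERS, SAMPLE_USERMETA, "2019-05-30 00:00:00"))
```

Run it against a real export by replacing the sample lists with rows dumped from the database (or the output of `wp user list --role=administrator --fields=user_login,user_registered`); any administrator with a registration date you do not recognise is the account to remove, and the version check is what the post's manual reinstall effectively did by hand.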