A few days ago I was hired to clean up a hacked WordPress site that had been affected by the security issue in the WP GDPR Compliance plugin.
The attacker had created a new admin user and modified or uploaded files in the WordPress installation. For that reason I decided to delete the complete WordPress instance, upload a fresh one and re-install the plugins from scratch.

To my surprise two days later another admin user popped up and again the WordPress instance was compromised.
I analyzed the web server log files but could not find the point of entry that the attacker could have used. The installed plugins were all up to date and there were only four of them.

In the end the point of entry was as simple as it could be. During the first attack the intruder changed the WordPress settings to redirect visitors to another domain (options “siteurl” and “home”). But he also changed two settings that are not obvious at first sight when you don’t expect them.

Under “Settings” -> “General” the attacker checked the previously unchecked box “Membership: anyone can register”. This is not a problem. I have this active on some sites too. But the attacker also changed the “New User Default Role” to “Administrator”. From this moment everyone who registered an account on the website was granted administrator rights immediately.

So if you have been hacked, please always check the WordPress settings very carefully!
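The settings described above can be checked mechanically rather than by clicking through the admin UI. The following is an added example, not code from the original post: it audits the `users_can_register`, `default_role`, `siteurl` and `home` rows of `wp_options` (real WordPress option names) for the combination the attacker used, and flags the redirect. The option values and the hostname `www.example.com` are constructed sample data; in practice you would read them with `wp option get <name>` or a SELECT on `wp_options`.

```python
"""Audit a handful of wp_options values after cleaning up a hacked site.

The input is a mapping of option_name -> option_value as stored in the
wp_options table. The sample dicts at the bottom are constructed.
"""
from urllib.parse import urlparse

# Roles that should never be handed out on self-registration. The post
# describes "administrator"; "editor" is included as a defensible extension.
PRIVILEGED_ROLES = {"administrator", "editor"}


def audit_options(options, expected_host):
    """Return a list of (severity, message) findings.

    options: mapping of wp_options names to their raw string values.
    expected_host: the hostname the site is supposed to live on.
    """
    findings = []
    registration_open = options.get("users_can_register", "0") == "1"
    default_role = options.get("default_role", "subscriber").lower()

    # Open registration by itself is a legitimate choice; combined with a
    # privileged default role it hands every visitor an admin account.
    if default_role in PRIVILEGED_ROLES:
        severity = "critical" if registration_open else "high"
        findings.append((severity, f"default_role is '{default_role}'"))

    # siteurl/home pointing at another domain means visitors are redirected.
    for name in ("siteurl", "home"):
        value = options.get(name, "")
        host = urlparse(value).hostname or ""
        if host != expected_host:
            findings.append(("critical", f"{name} points to '{value}'"))
    return findings


# Constructed sample mirroring the compromised state described in the post.
COMPROMISED = {
    "users_can_register": "1",
    "default_role": "administrator",
    "siteurl": "https://evil.example",
    "home": "https://evil.example",
}
# Constructed sample of a sane configuration with open registration.
CLEAN = {
    "users_can_register": "1",
    "default_role": "subscriber",
    "siteurl": "https://www.example.com",
    "home": "https://www.example.com",
}

if __name__ == "__main__":
    for severity, message in audit_options(COMPROMISED, "www.example.com"):
        print(f"[{severity}] {message}")
```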

Checking the WordPress settings after cleaning up a hacked or infected website

Marius Burkard has been working as a software developer for 20 years and has several years of experience as a server administrator. As one of the lead developers of the ISPConfig control panel and technical contact for several hundred web hosting customers, he has extensive experience with malware, hacked websites and the analysis of vulnerabilities.