Are you running WordPress and Elementor? Did your website start redirecting people to spamming sites? On March 8, 2021, there was a 0 day cyber attack on The Plus Addons for Elementor. It was horrible.
This is why I say, it is important to
- Backup your website daily. ALWAYS
- Keep your website patched. ALWAYS
The Plus Add-ons for Elementor is fully patched in version 4.1.7. It looks like the vulnerability was against anyone running version 4.1.6 or earlier. How do you know if you have been hit? You will most likely see a new administrator user created in your WordPress. Then users were being directed to a different site.
The crazy thing? The FREE version of the Plus Addons for Elementor has no issues. Zip. The paid version has some logon addons, which fell vulnerable.
I Have Been Hacked. Now What?
Save yourself time and headache. Just restore. Restore your site to the backups dated before March 5th, 2021. Once the restore is complete, quickly upgrade the One Plus Addons for Elementor plugin. Or better yet, just delete it.
The manual way? Don’t have a backup? Then get a backup strategy in place pronto or use a hose like Wpengine who already includes it. But, yes.. you can manually restore. According to the developer of the Plus Addons for Elementor, you can do the following
1. Delete WP-Includes, Wp-Admin (This is same for all) 2. Delete All Files in Public Html Apart from Wp-Content and Wp-config.php . 3. So now you are left with Only Wp-Content and WP-Config.php > in Wp-content Only check this index.php and delete the suspicious lines. 4. In Wp-Content/Plugins Delete all the Sub-folders (We have to Reinstall once we get wp-admin access fresh) 5. In Wp-Content Delete all Themes. And Import the Zip of your Theme a Fresh one in this folder. Eg. If you Use Hello Elementor Extract the Zip and Paste it theme Folder. 6. Now Get a Fresh WordPress ZIP from Here. Extract this in your directory and delete wp-config and wp-content folder and cuz have our Old Ones. 7. Access your PhpMyAdmin and open wp_Users and delete all the admins (common Emails: firstname.lastname@example.org, email@example.com) 8. In Wp_Post Search for "scripts" and delete them. [If you face difficulty here Please check the Video Link-( https://youtu.be/gViVT102m8w?t=195 )from the duration set for the next 5 Mins avoid the other Half because this 10-Step Guide will clean the FTP files easily for you ] 9. Make sure in Wp_Option In site URL and Home you have your Site URL
Back up and Running, Now What?
First and foremost, take a fresh backup of the system. Keep an eye on it, look for unusual traffic. Make sure the site is completely up to date with WordPress plugin and patches.
If you don’t have a backup system in place, that is daily, get it.
There are software firewalls that can be used to help mitigate these problems, such as Wordfence.
Lessons learned. Remember, keep your website up to date.