HACKED: Two Top WordPress Security Plugins Failed

Three days ago two WordPress sites of ours, were hacked via YUZO Related plugin (60.000+ installations worldwide). Both sites were updated to WordPress 4.9.10 and some very popular security plugins were active. Actually each website was running a different security plugin and BOTH totally failed in their mission.

First WordPress site (this site)

At some point i got a new user registration notification named “wp_updates” with an email “wordpressupdate [@] yandex.com”. At first i thought that some spammer just registered but when i checked the user record, i saw it was in Administrator role and the IP logged … was mine.

wordpress_yuzo_related_hacked

(I use a WP plugin to register the IP of new accounts).

That was really strange and i deleted the account. After a while the user was created again with the same email, admin role and my IP.

Scratching my head for a while, i finally realized that the user was created each time i logged in to the WP dashboard, meaning some file or database was infected. I had at the time no idea how this happened but a few hours later we found Yuzo related plugin to be the source.

This is the most interesting part: Doing some tests with login and out, i was BLOCKED by our security plugin because

This is funny because i was blocked AFTER the admin account was created. So our Security plugin and firewall TOTALLY FAILED. It didn’t protect us from the initial attack that modified our database (YUZO Related WP_Options) and planted the script. Instead of blocking the initial attack, i was blocked after the site was infected. Go figure. Even if the attack pattern was not recognized, the creation of a second Admin account out of the blue, should be considered a security risk by the plugin.

The plugin we used at the time was Shield Security for WordPress.

Second WordPress site

The second hacked site was running a different security plugin (extremely popular, the N1 i guess). It was also hacked via YUZO Related plugin in a different “way”, no user was created but clicks were redirected to some other sites. So this popular security plugin also failed to protect the WordPress site.

Visiting their WordPress.org forum (out of curiosity) i saw some official post saying that users are protected from Yuzo related vulnerability. But a user replied that he was hacked, even using their security plugin. So did we. Nahhhh …..

The verdict is that no matter how well protected you may think you are, YOU ARE NOT. The hackers are always a step ahead of the firewalls and security plugins.

We were able to restore both sites from backups in less than 4 hours, including some DB clean-up. I lost a couple of really good comments here, but that’s alright since it is just a hobby.

Does that mean that all WordPress security plugins are worthless? Of cource not and you should definitely have one activated. The security plugins offer some degree of protection, mostly for well known old patterns and attacks.

The plugin we used at the time was Wordfence Security for WordPress.

The BEST Security protection you can have is a GOOD backup strategy.

And something about Yuzo Related plugin and WordPress.org plugins directory. If a plugin is disabled for some serious reason, a warning should be also displayed to us (the webmasters). How should we know that Yuzo (or some other plugin) had security issues? Now, i’m pretty sure thousands of websites are hacked and the owners have no idea about it.

(I try to find some information posted on the Internet and the Forums related to what happened in our First site. And i find nothing at all. I only find posts about what happened to the Second site, the highjacking of links. That could only mean that admins and webmaster DO NOT KNOW that Admin accounts were created. So if you read this, check how many Admin accounts you have.)

17 Comments

  1. in case anyone is having this issue and can’t track it down: WP Live Chat Support (by WP-LiveChat) was the culprit for me.

    There’s a vulnerability in older versions that allows hackers to inject custom code in the “Custom Code” section in the plugin’s settings. They announced it as well: https://wp-livechat.com/important-update/

  2. Hi,

    I am having exactly the same problem since today.
    Anyone knows how to fix this?

    Everytime the following user is being addes:
    wp_updates
    wordpressupdate @ yandex.com

    1. 1. Find the plugin that caused it and remove it
      2. Clean up. The “cleanup” depends on what plugin caused the problem.
      3. Install some protection plugin. Do you have one already ?

      and read all the comments below

  3. Thanks for the quick help. I just read through these articles.
    I don’t use any of these plugins. Really don’t know, where this is coming from.

    1. Read also the last one from Wordfence support forum.

      Is your hosting secure ? Do you use any security plugin ?

      The Shield ? Wordfence ?

      Those can help at a degree. Didn’t for me, still if you have an altered file they will find it. If your DB is injected with something, i have no idea how you can find it.

      But if you do not have ANY plugin for security start with that.

      Let me know if there is anything else i can do. Good luck !

    2. I figured it out. It was a plugin called “Blog Designer”. I deleted the plugin and now the website is working again.
      It really was the same issue you had, just with another plugin.
      Thanks again.

    3. Just be sure you clean well. Not sure what if infected (DB or Files) in your case.

      Good luck !!

  4. I just have the issue, which you had on your first WordPress site. I also already restored a backup from the server. However, a few hours later when I logged in again, the issue appeared again. Do you know how I can get rid of this?

    Thanks in advance.
    – Nico

    1. There is no need to do so. The point is that NO security plugin offers 100% or even 90% protection.

      A good backup strategy is the best security.

Comments are closed.