HACKED: Two Top WordPress Security Plugins Failed
Three days ago two WordPress sites of ours were hacked via the YUZO Related plugin (60,000+ installations worldwide). Both sites were updated to WordPress 4.9.10 and some very popular security plugins were active. In fact each website was running a different security plugin, and BOTH totally failed in their mission.
First WordPress site (this site)
At some point I got a new-user registration notification for a user named “wp_updates” with the email “wordpressupdate [@] yandex.com”. At first I thought some spammer had just registered, but when I checked the user record I saw it had the Administrator role and the logged IP … was mine.
(I use a WP plugin to record the IP of new accounts.)
That was really strange, and I deleted the account. After a while the user was created again, with the same email, the admin role and my IP.
Scratching my head for a while, I finally realized that the user was created each time I logged in to the WP dashboard, meaning some file or the database was infected. At the time I had no idea how this had happened, but a few hours later we found the Yuzo Related plugin to be the source.
This is the most interesting part: doing some tests with logging in and out, I was BLOCKED by our security plugin because
This is funny because I was blocked AFTER the admin account was created. So our security plugin and firewall TOTALLY FAILED. It didn’t protect us from the initial attack that modified our database (the YUZO Related entry in wp_options) and planted the script. Instead of blocking the initial attack, it blocked me after the site was already infected. Go figure. Even if the attack pattern was not recognized, the creation of a second Admin account out of the blue should be treated as a security risk by the plugin.
Second WordPress site
The second hacked site was running a different security plugin (extremely popular, the number one I guess). It was also hacked via the YUZO Related plugin, but in a different “way”: no user was created, but clicks were redirected to other sites. So this popular security plugin also failed to protect the WordPress site.
Visiting their WordPress.org forum (out of curiosity) I saw an official post saying that users are protected from the Yuzo Related vulnerability. But a user replied that he was hacked even while using their security plugin. So were we. Nahhhh …..
The verdict is that no matter how well protected you may think you are, YOU ARE NOT. The hackers are always a step ahead of the firewalls and security plugins.
We were able to restore both sites from backups in less than 4 hours, including some DB clean-up. I lost a couple of really good comments here, but that’s alright since it is just a hobby.
Does that mean that all WordPress security plugins are worthless? Of course not, and you should definitely have one activated. The security plugins offer some degree of protection, mostly against well-known, older patterns and attacks.
The BEST Security protection you can have is a GOOD backup strategy.
And something about the Yuzo Related plugin and the WordPress.org plugins directory. If a plugin is disabled for a serious reason, a warning should also be displayed to us (the webmasters). How should we know that Yuzo (or some other plugin) had security issues? Right now, I’m pretty sure thousands of websites are hacked and their owners have no idea about it.
(I tried to find some information on the Internet and in the forums about what happened to our first site, and I found nothing at all. I only found posts about what happened to the second site, the hijacking of links. That can only mean that admins and webmasters DO NOT KNOW that Admin accounts were created. So if you read this, check how many Admin accounts you have.)
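As an added example (not from the original post), here is a small defender-side check for the two symptoms described above: an Administrator account nobody on the team created, and a plugin entry in wp_options whose stored value carries a script tag. It assumes the default `wp_` table prefix, a hand-maintained list of known admin logins, a placeholder option name (`yuzo_example_option`, not the plugin's real key), and runs on constructed sample rows so it works offline; in production the rows come from the SQL shown in the docstrings.

```python
import re

# Logins the site owner actually created (assumption: maintained by hand).
KNOWN_ADMINS = {"owner"}
# wp_usermeta stores roles as a serialized PHP array, e.g. a:1:{s:13:"administrator";b:1;}
ADMIN_CAP = re.compile(r's:13:"administrator";b:1;')
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

def unexpected_admins(users, known=KNOWN_ADMINS):
    """Return logins holding the administrator capability that are not in `known`.
    Production rows (table prefix 'wp_' assumed):
      SELECT u.user_login, u.user_email, m.meta_value
        FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
       WHERE m.meta_key = 'wp_capabilities';"""
    return sorted(u["user_login"] for u in users
                  if ADMIN_CAP.search(u["meta_value"])
                  and u["user_login"] not in known)

def options_with_script(options, name_fragment="yuzo"):
    """Return option names containing `name_fragment` whose value carries a <script> tag.
    Production rows:
      SELECT option_name, option_value FROM wp_options WHERE option_name LIKE '%yuzo%';"""
    return sorted(o["option_name"] for o in options
                  if name_fragment in o["option_name"].lower()
                  and SCRIPT_TAG.search(o["option_value"]))

# Constructed sample rows (not taken from any real site).
SAMPLE_USERS = [
    {"user_login": "owner", "user_email": "owner@example.com",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_login": "editor1", "user_email": "editor@example.com",
     "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_login": "wp_updates", "user_email": "wordpressupdate@yandex.com",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]
SAMPLE_OPTIONS = [
    # "yuzo_example_option" is a placeholder, not the plugin's real option key.
    {"option_name": "yuzo_example_option",
     "option_value": '.related{color:#333}</style><script src="https://example.invalid/r.js"></script>'},
    {"option_name": "blogname", "option_value": "Hobby Blog"},
]

if __name__ == "__main__":
    print("Unexpected administrators:", unexpected_admins(SAMPLE_USERS))
    print("Plugin options carrying <script>:", options_with_script(SAMPLE_OPTIONS))
```

Running this after every login (or from cron) and alerting when either list is non-empty would have caught both the rogue "wp_updates" admin and the planted script before the site owner noticed by chance.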