So, I’m sitting down to my dinner on Monday night (spaghetti Bolognese, in case you were wondering) and I get a text notification on my phone from WP Eagle to say a new user had been registered. Now, we don’t allow anyone to create a user account on WP Eagle so immediately it didn’t seem right. With dinner back in the oven, I dashed to my computer to find out what the heck was going on.
Sure enough there was a new admin user listed with an incredibly dodgy looking user name and email address. Alarm bells were ringing loud and clear by this point. It was looking like WP Eagle had been hacked. Now, I thought that WP Eagle was nice and secure. We are using the Wordfence firewall plugin and observing all the other security basics that we should be as standard. Or so I thought…
I immediately deleted the user and updated any plugins that needed it. I then got in touch with the Phil who looks after WP Eagle on a VPS server at Spiderweb. Phil confirmed that the hackers had managed to get in because of vulnerability in one of the plugins. The Easy WP SMTP plugin to be exact. And as it transpires, the vulnerability was known and had come to light a few days before. So, it had taken the hackers literally just a few days to exploit the hole in the plugin on my site and thousands of other websites globally.
What to do when your site has been hacked
Luckily Phil was on the ball and was able to send me an article that detailed the steps I needed to take to fix the problem, including updating the plugin, changing all the passwords and scanning ALL the files to make sure the hackers hadn’t uploaded any backdoors.
Once I’d followed all of the recommended steps I tried to send a test email from the site. And was blocked. A message from my hosts SMTP server confirmed that I had been blocked due to some dodgy activity on my account. So, for the short time the hackers had access to my account, they had used it to send out a shit-load of spammy and dodgy emails. I had to get in touch with my SMTP host and assure them that I had taken all available steps to fix the problem and to prevent it from happening again and they resumed the service almost immediately.
Just to be sure that the issue was fixed, Phil installed an earlier, pre-hack backup of the site to make sure that there were no nasty surprises hidden in the file directories. He also ‘hardened’ WordPress by changing file permissions and blocking script and some other very clever, technical things. If you’re interested, you can find a guide on how to harden your WordPress site here.
Let this be a lesson to you. WordPress will always be just that little bit more open to attack. You might think your WordPress site is as secure as it can be but something as simple as not immediately updating your plugins could have catastrophic consequences! If we had updated the plugin in a timelier manner, we could have avoided this headache.
If you've been affected by the Easy WP SMTP plugin vulnerability these links will help:
ALWAYS KEEP YOUR PLUGINS & THEMES UP-TO-DATE!