If you have been following the WordPress community recently or, God forbid, your site got hacked, you have probably seen the threads in the Support section on WordPress.org. The threads are full of desperate users whose sites got hacked thanks to the Yuzo Related Posts plugin.
So, what’s the inside scoop on this security breach? What happened to all these websites and is there a way to fix the mess? Here’s the tea on the newest WordPress hack attack.
The cross-site scripting vulnerability
A few days ago, WordPress developers and site owners started noticing some strange behavior on their websites. As lauravink, one of the WordPress users, mentioned in a post on WordPress.org, sites that got hacked experienced redirected URLs to other non-secure, shady websites. Laura additionally mentioned that users are asked to allow browser notifications. This cross-site scripting vulnerability took everyone by surprise.
The cause of this non-standard behavior is a website security breach that happened thanks to the Yuzo Related Posts plugin, which has over 60,000 installs.
If, at first sight, this seems like a one-man job that can be fixed in half an hour, know that it isn’t. This cybersecurity break has left the WP community to deal with some serious repercussions. After users have deactivated and uninstalled the plugin, they spent hours “taking out the trash” that remained on the website, doing password and document changes.
How did this happen?
Well, it all started on March 30, 2019, when Yuzo Related Posts plugin was shut down, due to the “unpatched vulnerability”. From that moment, the plugin is not available for download. Unfortunately, the word didn’t spread like fire and developers around the globe were left in the dark.
Since the end of March, sites were getting hacked at full speed.
To stop this security massacre, Lenin Zapata, plugin author, stepped up.
Four days ago, he wrote a post in the Support section on the official WordPress.org website, encouraging users to uninstall the broken plugin immediately and delete any record related to this plugin from the database (in the wp_options table, the value yuzo_related_post_options). He also mentioned that the problem is not in the table of visits wp_yuzoviews, so there is no need to delete this record. (If you need some additional help solving this issue, check out how developers handle it, in a post on Stackoverflow.com.)
Our advice? Do as Zapata mentioned. Additionally, be sure to scan your website, update all the plugins (uninstall the ones that look suspicious) and clear cache. We would highly recommend you add plugins like Wordfence or Sucuri to your website, for some additional support. You can never be too safe.
Are there any other plugins you should worry about?
In the title of this post, we mentioned the YellowPencil plugin, a CSS style editor plugin that allows you to edit your website design quickly. This plugin has also come across security vulnerability.
It all started on the evening of April 10, when users noticed changes in their sites’ databases. Similar to the Yuzo Related Posts plugin, the “siteurl” and “home” rows in wp_option table were changed to another URL.
The guys behind this plugin noticed the breach on time and created a step-by-step guide. One of the steps is updating the plugin to the latest, 7.2.0 version, as all the other versions are not hacker-proof.
Since there have been some concerns in the latest period regarding Easy WP SMTP, Advanced Contact Form 7 DB, WP GDPR Compliance plugins, our advice is to fully scan your website, (even if you don’t use the mentioned plugins).
Having a hacked website is not as scary as it sounds, but it requires your immediate attention and reaction. If you noticed some unusual behavior be sure to scan your website and take care of the issues (if there are any). If you cannot handle the mishaps yourself, please don’t panic. The WP community is full of WordPress developers that are always willing to give you a hand. Good luck!