We’ve noticed several WordPress web sites that have been hacked through a vulnerability in the plugin “WP GDPR Compliance”.
This plugin has become very popular since the European GDPR (General Data Protection Regulation) law came into effect.
The attackers gain write access to the database through a privilege escalation vulnerability in versions up to 1.4.2. This was already fixed in version 1.4.3, so we encourage everybody to update the plugin immediately if you have not yet done so.
The symptom of this infection is that your WordPress “siteurl” has been changed by the attacker, so your web site gets redirected to another web site domain.
As the “siteurl” has been changed in the database options table, the web site owner cannot even log in, because the login form redirects to the attacker's domain.
A simple solution is to open phpMyAdmin (or any other database editor), go to the options table and restore the “siteurl” and “home” fields to your own site URL. Then log in to your site, update the plugin and clear the cache, in case you have a cache system in place such as WP Rocket (the one we use; follow the link to purchase our WordPress Speed Package), WP Fastest Cache, WP Super Cache, W3 Total Cache or any other…
You also have to delete a malicious file called “wp-cache.php” in the root of your WordPress installation.
Please also check whether any suspicious new users have been created recently and delete them as well.
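The database checks from the steps above, written out as added example queries (they are not part of the original post). They assume the default `wp_` table prefix and use `https://example.com` as a placeholder for your own site URL; adjust both before running them in phpMyAdmin.

```sql
-- Added example. Assumptions: default table prefix "wp_";
-- https://example.com is a placeholder for your real site URL.

-- 1. Inspect the current values before changing anything.
--    users_can_register and default_role are included because they
--    control how new accounts are created and which role they receive.
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home', 'users_can_register', 'default_role');

-- 2. Restore both URL options to your own domain (no trailing slash).
UPDATE wp_options
SET option_value = 'https://example.com'
WHERE option_name IN ('siteurl', 'home');

-- 3. List the most recently registered accounts together with their role,
--    so that users created around the time of the redirect stand out.
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
LEFT JOIN wp_usermeta AS m
       ON m.user_id = u.ID
      AND m.meta_key = 'wp_capabilities'
ORDER BY u.user_registered DESC
LIMIT 50;

-- 4. List every administrator account; each one should be a person you know.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
 AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;
```

Once you can log in again, delete unwanted accounts from the WordPress Users screen rather than with SQL, so that their user meta is removed along with them.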
We recommend reading the Sucuri blog post for more information.
To prevent such situations, we recommend contracting our WordPress Security Package and an annual subscription to one of our SiteLock plans. The “Defend” plan is the one that will keep your site more protected. Please have a look and ask us without any commitment.