On 27 August, a friend of mine was the victim of a hack on his e-commerce website. To put it briefly, it was panic: imagine seeing, one morning, your home page changed to this:
How can this happen?
Fabrice, my friend, had kept WordPress, his premium theme and his plugins up to date! So he told me he did not understand how this was possible.
Well, do not think that being up to date is enough to be free of vulnerabilities. Once 100% up to date you will not fall to known vulnerabilities, BUT not-yet-known vulnerabilities are already present in the code; it takes time for someone to discover them, inform the author (of WordPress, the plugin or the theme), for the author to fix them, and for you to update again.
And there is a category of people who, once they have discovered a flaw, say nothing and try to take advantage of it to hack you.
There is yet another problem, as the title says: plugins included in premium themes!
Some premium themes highlight the fact that they include, say, the Stuffoobar v2.0 plugin, which costs $19: you save some money!
This is false, or only partly true. The plugin is not included; ONE version of the plugin is. The updates are up to you: you have to buy the premium plugin that was included.
If you do not, you will not get updates, and you expose your website to possible security breaches.
I’m up to date!
Fabrice told me “I’m up to date!”, but the included plugin does not indicate when an update is available … Fabrice had then bought this plugin, but did not see the point of replacing the included one with the purchased version. Logical, it’s the same!
No: the purchased one contains the code that indicates that an update is available … The site was live with a flaw that had been known for a month.
Expect that at least once a month, hackers launch their robots against an immeasurable number of WordPress sites in order to exploit the latest vulnerabilities discovered.
I also invite you to follow the Twitter account @SecuPress to be notified of new vulnerabilities in plugins and themes.
How does this flaw work?
I won’t give too many details; the goal is not to teach how to hack sites. My job is to protect sites, and I hate that someone can freely wipe out the work of others …
The plugin responsible for this hack is “Revolution Slider” (I deliberately do not link to it), known to contain a “File Download” flaw since July 29th, 2014.
The flaw lets a mere visitor target a file of the installation and download it. The hacker then targeted the wp-config.php file.
The rest of the story is on Fabrice’s blog: Piraté à l’insu de mon plein gré (fr)
What to do, then?
It is important to know that the premium plugins included in premium themes are only a fixed version, which does not allow you to update; that would be too easy!
If you use this plugin, buy it, so that you are protected when the next flaw is discovered.
Marie-Aude also talks about it on her blog: ThemeForest : mettez Revolution Slider à jour vers la 4.5.9 et vérifiez vos plugins ! (fr)
As for what to do after a hack, that is a long answer and a long process. Fabrice had already begun the work but preferred to hire a professional (me) so he could sleep soundly and be sure that every step had been followed.
Envato reacted and disabled all the themes that do not offer the latest version of the Revolution Slider plugin. Read their post if you suspect you have a theme containing the plugin.
Up to you!
Check now that you do not have RevSlider or Revolution Slider on your site, and if you have “free” premium plugins, buy them or use them at your own risk.
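As an added example (not from the original post nor from the plugin’s authors), here is a small Python check of the kind I run on a site: it walks wp-content and lists every copy of Revolution Slider, including copies buried inside a theme directory, which WordPress’s updater never sees. It assumes each copy’s main file carries the standard WordPress plugin header, uses 4.5.9 (the version Marie-Aude’s post recommends) as the minimum, and the sample tree and version numbers are constructed.

```python
import re
import tempfile
from pathlib import Path

# Version the linked ThemeForest post tells owners to update to.
MIN_SAFE_VERSION = (4, 5, 9)
# Matches WordPress plugin header lines such as " * Version: 4.1.4".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_version(text):
    """Turn '4.1.4' into (4, 1, 4) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3]) or (0,)


def find_slider_copies(wp_root):
    """Report every Revolution Slider copy under wp-content: the one in
    plugins/ and any copy bundled inside a theme, which never gets updated."""
    findings = []
    for php in Path(wp_root, "wp-content").rglob("*.php"):
        try:
            head = php.read_text(errors="ignore")[:4096]  # header sits at top
        except OSError:
            continue
        fields = dict(HEADER_RE.findall(head))
        name = fields.get("Plugin Name", "").lower()
        if "revolution" not in name and "revslider" not in name:
            continue
        rel, version = php.relative_to(wp_root), fields.get("Version", "0")
        findings.append({
            "path": str(rel),
            "version": version,
            "bundled_in_theme": "themes" in rel.parts,
            "outdated": parse_version(version) < MIN_SAFE_VERSION,
        })
    return findings


def build_sample_site():
    """Constructed sample tree: a purchased copy in plugins/, an older copy
    shipped inside a premium theme, and an unrelated plugin (made-up versions)."""
    root = Path(tempfile.mkdtemp())
    header = "<?php\n/*\nPlugin Name: {}\nVersion: {}\n*/\n"
    files = {
        "wp-content/plugins/revslider/revslider.php": ("Slider Revolution", "4.6.0"),
        "wp-content/themes/premium-theme/plugins/revslider/revslider.php": ("Slider Revolution", "4.1.4"),
        "wp-content/plugins/other/other.php": ("Example Plugin", "1.0"),
    }
    for rel, (name, ver) in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(header.format(name, ver))
    return root
```

Run it against the real WordPress root instead of the sample tree; any entry flagged as bundled in a theme and outdated is exactly the silent, never-updated copy described above.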