• Resolved Adrian

    (@wadoadi)


    I have a site that I look after FOC as all money goes to a local hospice; we don’t use PayPal, instead it is COD only. For around ten days, periodically, the settings were being changed, and I assumed it had been hacked. They enable PayPal Standard in WooCommerce and enter an address to receive payment (never the same address).

    I have ensured all plugins are up to date, and after the first occurrence I installed the free version of Wordfence, as was recommended, and ran a scan. All was good, but it still gets hacked.

    I have looked through the site and so did the hosting company and we can’t see anything obviously wrong.

    After the hack last night, I have hopefully disabled PayPal standard by adding the following:

    add_filter( 'woocommerce_should_load_paypal_standard', '__return_false' );

    But it would be good to know how it is happening, and how they are getting around Wordfence, so I can close the door. Any help would be gratefully received!

Viewing 1 replies (of 1 total)
  • Plugin Support wfmark

    (@wfmark)

    Hi @wadoadi, thank you for reaching out to us.

    Wordfence protects against a vast variety of web attacks. Whether you were hacked because of an unknown attack method or because there is some other issue in your system is hard to say. Some plugins contain vulnerabilities that are new (commonly referred to as “zero days”) and no one has written a signature for them yet.

    Regarding how they gained entry, here are some possible scenarios:

    1. Are there other sites hosted on the same hosting account? If so, they could have been infected and spread the infection to this site
    2. You may be using a plugin or theme with a vulnerability that is so severe that we cannot protect against it
    3. Your wp-config.php file is readable to the hacker, either directly via your account, via a vulnerable plugin or via another hacked site on the same server
    4. The hosting accounts on the server are not properly isolated on the server so the hacker has access to your database via another user’s database
    5. The server software has vulnerabilities that allow the hacker to get root access
    6. You were actually hacked many months ago, but the backdoor was not activated until now
    7. You have a compromised hosting account (Change your password immediately)
    8. You have a compromised FTP/SSH account (Remove any accounts you don’t need and change the passwords on the ones you do)

    Please note that these are just possible scenarios; you may need to look at the logs to identify the intrusion vector.

    You can clean the site by using the following guide: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    As a rule, any time I think someone’s site has been compromised I tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this because attack vectors around your hosting or database environments are outside of Wordfence’s influence as an endpoint firewall. Ensure that your WordPress Core version is up to date.

    Additionally, you might find the WordPress Malware Removal section in our free Learning Center helpful. https://wordfence.io/TheMoreYouKnow

    If the issue recurs, I would recommend that you get the site cleaned, there are paid services that will do it for you. Wordfence offers one, and there are others. Per the forum rules, we’re not allowed to discuss Premium here, but please reach out to us at [email protected] if you have any questions about it.

    Regardless, if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.

    I hope this helps.

    Thanks,

    Mark

  • The topic ‘PayPal Standard WooCommerce hacked’ is closed to new replies.
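
The reply above suggests looking at the logs to identify the intrusion vector. The following is an added example, not part of the original thread and not Wordfence's code: it filters a web server access log for POST requests that could have changed the PayPal Standard settings inside a time window around each incident. It assumes Combined Log Format and the default WooCommerce settings URL (`page=wc-settings`, `section=paypal`); the sample lines, IP addresses and dates are constructed. A change written straight to the database or through another plugin's code will not show under that URL, which is why other write endpoints are labelled too.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Other endpoints that can change site state (a review list, not exhaustive).
WRITE_SUFFIXES = ("/wp-admin/options.php", "/wp-admin/admin-ajax.php", "/xmlrpc.php")

def classify(target):
    """Label a request target: 'paypal-settings', 'login', 'write' or None."""
    url = urlsplit(target)
    query = parse_qs(url.query)
    if url.path.endswith("/wp-admin/admin.php"):
        # Assumed default URL of the WooCommerce PayPal Standard settings form.
        if query.get("page") == ["wc-settings"] and query.get("section") == ["paypal"]:
            return "paypal-settings"
        return "write"
    if url.path.endswith("/wp-login.php"):
        return "login"
    if url.path.endswith(WRITE_SUFFIXES) or "/wp-json/" in url.path:
        return "write"
    return None

def suspicious_posts(lines, start, end):
    """Group non-error POSTs to the labelled endpoints inside [start, end] by client IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        kind = classify(m["target"])
        if kind and start <= ts <= end and int(m["status"]) < 400:
            hits[m["ip"]].append((ts.isoformat(), kind, m["target"]))
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:01:14:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:01:14:09 +0000] "POST /wp-admin/admin.php?page=wc-settings&tab=checkout&section=paypal HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2024:01:20:00 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2024:01:30:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 12 "-" "curl/8.0"',
]
# Constructed window around the time the setting was found changed.
WINDOW = (datetime(2024, 3, 12, 0, 0, tzinfo=timezone.utc),
          datetime(2024, 3, 12, 2, 0, tzinfo=timezone.utc))
```

A `paypal-settings` hit preceded by a `login` from the same address points at stolen or weak admin credentials; a changed setting with no matching hit in the window points at one of the other scenarios in the reply, such as database or file-level access.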