• Resolved Nethers Web Design

    (@timnethersgmailcom)


    Roughly a week before the Convert Plus vulnerability, I woke up one morning to a Wordfence email alerting me that some 2000 or so files were malicious. It looked like almost my entire site, and nothing stood out to me when I reviewed a few of the files. I assumed it was a bug and dismissed the warning.

    Speed up a week later, and the Convert Plus vulnerability was exposed, indicating that the plugin was allowing user creation and role elevation. That worried me a bit, but I didn’t think much of it, as we have ‘Anyone can register’ unchecked on this particular site.

    About a day later, I’m getting a handful of Russian accounts a day registering on my site (with no role assigned). I’m slightly worried, A) because they’re able to register, and B) because we did have the vulnerable version running for a short period. We updated the day the update was available.

    Even if I have nothing to worry about (though I’m assuming I still have some sort of issue), how can I prevent them from registering?

Viewing 1 replies (of 1 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @timnethersgmailcom

    From your description it sounds as though the large number of scan results was a temporary glitch.

    Due to the Convert Plus vulnerability, as a precaution you can run through our site cleaning guide below:

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    With regard to the accounts with no role assigned, you may want to ask the Convert Plus authors if they can explain that behaviour.

    Wordfence does now have a CAPTCHA option to prevent bots from registering, but it currently only works for the default WordPress user registration page:

    ~/wp-login.php?action=register

    • This reply was modified 5 years, 8 months ago by wfphil.
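    As an added example that is not from this thread, Wordfence or Convert Plus, the following must-use plugin pins the ‘Anyone can register’ option off regardless of what the database says, logs any registration that still happens, and lists accounts with no role (the pattern described above). It uses only core WordPress and WP-CLI APIs; the plugin and command names are constructed.

```php
<?php
/**
 * Plugin Name: Registration audit (constructed example, not a real plugin)
 * Place in wp-content/mu-plugins/ so it loads before normal plugins.
 */

// 1. Short-circuit get_option('users_can_register') so registration stays off
//    even if a plugin bug or an attacker flips the stored option to "1".
add_filter( 'pre_option_users_can_register', function () {
    return '0';
} );

// 2. Log every registration that still gets through, with the roles it was given
//    and the requesting IP, so unexpected role-less accounts show up in the logs.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    error_log( sprintf(
        '[reg-audit] new user #%d login=%s roles=%s ip=%s',
        $user_id,
        $user->user_login,
        $user->roles ? implode( ',', $user->roles ) : '(none)',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );
} );

// 3. WP-CLI command (constructed name): `wp reg-audit list-roleless`
//    prints every account that has no role at all, for review or removal.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'reg-audit list-roleless', function () {
        $found = 0;
        foreach ( get_users() as $user ) {
            if ( empty( $user->roles ) ) {
                WP_CLI::line( sprintf(
                    "%d\t%s\t%s\t%s",
                    $user->ID, $user->user_login, $user->user_email, $user->user_registered
                ) );
                $found++;
            }
        }
        WP_CLI::success( "$found user(s) with no role" );
    } );
}
```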
  • The topic ‘Site Possibly Exposed Due to Convert Plus’ is closed to new replies.