ahall41

I just notice this issue on one of my sites, and that it relates to the Elementor upgrade.

There is a github issue open which relates to this: https://github.com/elementor/elementor/issues/15903

Thanks for the reply. I suspect we may have been hacked before we installed Wordfence … all the plugins we have now seem to be respectable. The spurious user has been removed – only 3 have access to create/update posts. All we can do is wait and see (except I think I should also add a trigger to prevent creating posts with <script> tags.

Not sure if this is significant, but I’ve detected a user wordpressssadmin ([email protected]) role=None. Now removed.
Also we’ve been having quite a few login attempts using real admin usernames. Even though I’ve changed them, the new names are appearing in the failed attempts list. ” Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API” is ticked, and the IDs don’t appear in a posts or pages that I can see. Which makes me suspect something is acting from the inside?

I added the following triggers.

CREATE TRIGGER trg_update_wp_options BEFORE UPDATE ON wp_options
  FOR EACH ROW
     IF (NEW.option_id IN (1,2)) THEN
	   SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Cannot update locked record';
	 END IF
/

CREATE TRIGGER trg_update_wp_posts BEFORE UPDATE ON wp_posts
  FOR EACH ROW
     IF (NEW.post_content LIKE '%<script%>%') THEN
	   SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Script not allowed in post';
	 END IF;
/

Just need to see if anything appears in error.log