Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter nareshchandranatha

    (@nareshchandranatha)

    Ah, it was a vulnerability with wp-automatic that was reported August 20th and fixed later that week.

    Looks like they could set any WordPress option…

    I speculate that they changed admin email so they would receive a verification email informing them of vulnerable sites.

    Then they follow up changing the url, which lets them see what plugins and versions you use. All the css and js files for your extensions get remapped to their domain and the version number is in the url for cache. Wow

    Then they can use a more specific attack if their scanner sees that you’re using a vulnerable plugin.
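
Added example, not part of the original posts: one way to catch the option changes described in the reply above is to compare `admin_email`, `siteurl` and `home` against values recorded while the site was clean. The baseline, hostnames and sample rows are constructed, and the input is assumed to have the shape of `wp option list --format=json` output.

```python
import json
from urllib.parse import urlsplit

# Options the posts above describe being changed.
WATCHED = ("admin_email", "siteurl", "home")

# Constructed known-good values, recorded while the site was clean.
BASELINE = {
    "admin_email": "owner@example.com",
    "siteurl": "https://blog.example.com",
    "home": "https://blog.example.com",
}

# Constructed sample in the assumed shape of `wp option list --format=json`.
SAMPLE_ROWS = """[
  {"option_name": "admin_email", "option_value": "Owner@Example.com"},
  {"option_name": "siteurl", "option_value": "https://ads.example.net/x"},
  {"option_name": "home", "option_value": "https://BLOG.example.com/"},
  {"option_name": "blogname", "option_value": "My Blog"}
]"""


def _norm(name, value):
    """Normalise so case and trailing-slash differences are not reported."""
    value = value.strip()
    if name == "admin_email":
        return value.lower()
    p = urlsplit(value)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port, p.path.rstrip("/"))


def audit_options(baseline, rows):
    """Return (option, kind, expected, actual) for every watched option that drifted."""
    current = {r["option_name"]: r["option_value"] for r in rows}
    findings = []
    for name in WATCHED:
        expected, actual = baseline[name], current.get(name)
        if actual is None:
            findings.append((name, "missing", expected, None))
            continue
        want, got = _norm(name, expected), _norm(name, actual)
        if want == got:
            continue
        # A different host on siteurl/home is the redirect case from the thread.
        host_moved = name != "admin_email" and want[1] != got[1]
        findings.append((name, "host-changed" if host_moved else "changed", expected, actual))
    return findings
```

Run on a schedule against each site, a check like this would flag the admin email change before the later `siteurl` and `home` change, independently of a file-integrity scan.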

    Thread Starter nareshchandranatha

    (@nareshchandranatha)

    Hey Arslan, thanks for the reply.

    It was an existing account. We changed the email address back to the original and everything seemed okay.

    Three hours later, something updated the siteurl and home URL of most of the sites to a shady malware page covered in ads.

    WordFence still shows zero detections. Haven’t found anything manually in the logs or plugins. Very confused.

    “WordFence” is a great plugin. It’ll compare your website to a fresh download of WordPress code to see if anything is modified. It also scans all posts, plugins, themes, etc for malware.

    See what it comes up with and let us know if you need any more help!
