
Slayers, this is important news if you’re currently using WordPress and have the WP GDPR Compliance plugin installed. Thanks to a privilege escalation flaw in the plugin (reported by Wordfence), attackers can change your site’s settings without even logging in and then create their own Administrator accounts. Every version older than 1.4.3 is affected, so you are at risk of being hacked if you don’t have the latest version of the plugin installed.

Long story short, this morning I was hacked on my travel blog, Happy to Wander because of this, so I can personally confirm it’s no joke! 

Here’s the good news: it appears pretty easy to fix if it does happen to you. Shoutout to my new hosts, BigScoots who took care of EVERYTHING in 20 minutes flat. Really saved me from some panic spirals.

Anyways, here’s some important info about the vulnerability. Feel free to circulate it in any blogging communities you think would benefit from the info. I really hope no one else gets hacked because of this.

How to check if you’ve been affected by the WP GDPR Compliance Plugin vulnerability

  • Log into your WordPress dashboard at yoursite.com/wp-admin. If the login page sends you to a different website, or the dashboard never loads, skip straight to the next section.
  • Being able to log in does NOT mean you’re in the clear: the attackers may have added accounts without locking you out. Head to the Users section on your left sidebar, click All Users, and look at everyone listed under Administrator. Delete any account you didn’t create, and when WordPress asks what to do with that user’s content, attribute it to your own account rather than deleting it.
  • Go to Settings > General. “Anyone can register” should be unchecked and “New User Default Role” should be Subscriber (unless you deliberately chose something else). The flaw was used to switch these on so the attackers could simply register themselves as admins, so put them back if they’ve changed.
  • Update the WP GDPR Compliance plugin to version 1.4.3 or later (Plugins > Installed Plugins, or Dashboard > Updates).
  • After that, change the password on every Administrator account. Updating closes the hole, but it doesn’t undo anything that was done while it was open.

What to do if you’ve been hacked because of the WP GDPR Compliance Plugin Vulnerability

If you think you have been hacked as a result of the WP GDPR Compliance Plugin vulnerability (if you can’t log in to your dashboard, for example, or /wp-admin redirects you to another site), then here’s what you should do:

1. Contact your host ASAP 

Alert them to this issue. Feel free to copy/paste this spiel:

“Hi team, it appears my site has been hacked. A vulnerability in the WP GDPR Compliance Plugin has allowed some unauthorized users to make themselves Admin on my site and it appears they’ve redirected my wp-admin page to a new site. Could you help me fix this ASAP?” 

[This is the spiel I sent and it seemed like enough info to get things back on track]

2. Wait patiently for your host to resolve the issue 

The amount of time this takes will depend on your host. For me, it was all done in 20 minutes, and I’ve heard of similar fix-time for other bloggers, so don’t worry – it shouldn’t take too long!

3. After you regain access to your dashboard, update your plugin ASAP, delete any rogue users and undo what they changed 

First, update the plugin (to version 1.4.3 or later) as soon as you can, so the hole is closed before the same attackers come back. Then make sure you get those hackers the heck out of your system!!! Run to the Users section on your left sidebar and click All Users. If you see any unauthorized accounts under Administrator, delete them ASAP (attribute their content to yourself when WordPress asks). Next, check Settings > General: uncheck “Anyone can register” and set “New User Default Role” back to Subscriber, because that is how the attackers got their admin accounts in the first place. Finally, change the password on every Administrator account and ask your host to scan your files: someone who has had admin access could have left behind more than a redirect, and updating the plugin doesn’t remove that.

4. Treat yourself to a glass of wine and practice deep breathing

It’s over… you’re fine. PHEW.
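The checks above (rogue Administrator accounts, the registration settings, the wp-admin redirect) all live in three WordPress database tables, which matters when you are locked out of the dashboard and your host is slow to respond. The script below is an added example, not code from the original post or from the plugin: it builds an in-memory SQLite copy of those tables from constructed sample data so it runs offline, and the SQL it uses is plain enough to paste into phpMyAdmin or `wp db query` against a real MySQL/MariaDB site. The table prefix `wp_`, the site address and the list of admins you created yourself are assumptions you would replace with your own values.

```python
"""Database-side triage for the WP GDPR Compliance plugin compromise.
Added example (not the post's or the plugin's code). Constructed sample
data; the queries are the same you would run against the real site."""
import sqlite3

PREFIX = "wp_"                            # assumption: $table_prefix in wp-config.php
EXPECTED_URL = "https://yoursite.example"  # assumption: the site's real address
KNOWN_ADMINS = {"siteowner"}              # assumption: admin accounts you created


def build_sample_db(prefix=PREFIX):
    """Constructed sample of a site after the attack the post describes: two
    accounts registered overnight holding the administrator capability, open
    registration with administrator as default role, and siteurl pointed at
    another host (which is what makes /wp-admin redirect elsewhere)."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE {prefix}users (ID INTEGER PRIMARY KEY, user_login TEXT,
                                    user_registered TEXT);
        CREATE TABLE {prefix}usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                       meta_key TEXT, meta_value TEXT);
        CREATE TABLE {prefix}options (option_id INTEGER PRIMARY KEY,
                                      option_name TEXT, option_value TEXT);""")
    con.executemany(f"INSERT INTO {prefix}users VALUES (?, ?, ?)", [
        (1, "siteowner", "2016-03-01 10:00:00"),
        (2, "guestwriter", "2017-06-12 09:30:00"),
        (3, "newuser1", "2018-11-08 02:14:07"),
        (4, "newuser2", "2018-11-08 02:15:11"),
    ])
    # WordPress stores roles as a PHP-serialized array under <prefix>capabilities.
    con.executemany(
        f"INSERT INTO {prefix}usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)", [
        (1, f"{prefix}capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, f"{prefix}capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, f"{prefix}capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (4, f"{prefix}capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    con.executemany(
        f"INSERT INTO {prefix}options (option_name, option_value) VALUES (?, ?)", [
        ("siteurl", "https://attacker.example"),
        ("home", EXPECTED_URL),
        ("users_can_register", "1"),
        ("default_role", "administrator"),
    ])
    return con


def list_admins(con, prefix=PREFIX):
    """Every account whose capabilities include administrator, oldest first.
    This is the query to run when you cannot reach Users > All Users."""
    return con.execute(f"""
        SELECT u.user_login, u.user_registered
          FROM {prefix}users u
          JOIN {prefix}usermeta m ON m.user_id = u.ID
         WHERE m.meta_key = '{prefix}capabilities'
           AND m.meta_value LIKE '%administrator%'
         ORDER BY u.user_registered""").fetchall()


def rogue_admins(con, known=KNOWN_ADMINS, prefix=PREFIX):
    """Administrators you did not create. Compare the registration dates too:
    an attacker can pick a plausible-looking login name."""
    return [login for login, _ in list_admins(con, prefix) if login not in known]


def option_findings(con, expected_url=EXPECTED_URL, prefix=PREFIX):
    """Settings the flaw was used to flip. A default_role other than subscriber
    is reported as suspicious; review it if your site deliberately uses another."""
    opts = dict(con.execute(f"""
        SELECT option_name, option_value FROM {prefix}options
         WHERE option_name IN ('siteurl', 'home', 'users_can_register', 'default_role')"""))
    findings = []
    if opts.get("users_can_register") == "1":
        findings.append("users_can_register=1: anyone can register an account")
    if opts.get("default_role") != "subscriber":
        findings.append(f"default_role={opts.get('default_role')!r}: new accounts get that role")
    for name in ("siteurl", "home"):
        if opts.get(name) != expected_url:
            findings.append(f"{name}={opts.get(name)!r}: site redirects away from {expected_url}")
    return findings


def revert(con, rogue, expected_url=EXPECTED_URL, prefix=PREFIX):
    """Undo the changes with parameterised statements. Deleting via SQL does not
    reassign the user's posts, and nothing here removes files an admin-level
    attacker may have planted: the plugin update and a file scan are still needed."""
    with con:
        con.execute(f"UPDATE {prefix}options SET option_value='0' WHERE option_name='users_can_register'")
        con.execute(f"UPDATE {prefix}options SET option_value='subscriber' WHERE option_name='default_role'")
        con.execute(f"UPDATE {prefix}options SET option_value=? WHERE option_name IN ('siteurl', 'home')",
                    (expected_url,))
        for login in rogue:
            for (uid,) in con.execute(f"SELECT ID FROM {prefix}users WHERE user_login=?", (login,)).fetchall():
                con.execute(f"DELETE FROM {prefix}usermeta WHERE user_id=?", (uid,))
                con.execute(f"DELETE FROM {prefix}users WHERE ID=?", (uid,))


if __name__ == "__main__":
    db = build_sample_db()
    print("rogue admins:", rogue_admins(db))
    for finding in option_findings(db):
        print("finding:", finding)
    revert(db, rogue_admins(db))
    print("after revert:", rogue_admins(db), option_findings(db))
```

If you have shell access, WP-CLI gives the same answers without any SQL: `wp user list --role=administrator` lists the admins, and `wp option get users_can_register`, `wp option get default_role` and `wp option get siteurl` show the three settings. Whichever route you take, treat a clean result here as only half the job: it tells you the accounts and settings are back to normal, not that the files on disk are.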

My Experience Being Hacked Because of the WP GDPR Compliance Plugin Vulnerability

Last but not least, I wanted to quickly share my hacking experience with you just in case you’re not sure if you’ve been hacked, or just want to commiserate. 

Long story short, last night I was alerted to two new WordPress user signups on my website.

I didn’t think much of it at the time, then this morning when I checked out my website, here’s what happened:

A) My front page wasn’t loading properly (it would load halfway and then look really broken)

B) When I tried to log into my admin dashboard (i.e. /wp-admin), it was redirected to a different website and presented the following error:

This meant I was completely locked out of my own dashboard and so I think you can imagine the panic that ensued. At this point, all I did was contact my hosts (BigScoots) and told them about the issue, and they fixed it in 20 minutes.

Anyways, I hope this article was helpful for you and remember slayers, STAY SAFE! Have an awesome weekend 🙂


Comments (4)

oh wow! thanks for the heads up. I’ve checked and I had 2 additional admins added, have deleted them, but it looks like my plugin is on the latest version, thus I couldn’t update. Do you think I should do something else than that?

You should be fine if you have the latest version, but let your host know to watch out for any suspicious activity on your account! You might also want to install a security plugin or enable 2-factor authentication.

Thank you so much for this article. I was hacked 2 days ago – and the same user name was on my site too. I contacted my host company and they disabled the plugin which allowed me to get in to my site. This article helped me because I never thought about deleting any new users and who knows what might have happened if I had missed that part. Thanks again. Super helpful.

So glad we were able to help, Nicole!
