F
Verified to be a scam. Users have submitted evidence that proves this is definitely a scam. Avoid at all costs

getmyfreetraffic.com

Type: Website Or Domain
Source: Other online reports
Verified

I have just finished fixing a site affected by this hack. It is a site running WooCommerce, but fortunately no customer data was affected.

The first alert to the hack was that the site was redirecting to a spammer’s site called getmyfreetraffic(dot)com.

I have a few tips to add because, even though the version, theme and all plugins were up to date and the site is running Sucuri Security, it still got hacked.

This article explains the vulnerability: https://blog.sucuri.net/2019/03/0day-vulnerability-in-easy-wp-smtp-affects-thousands-of-sites.html

When I initially checked the site, the latest version of Easy WP SMTP was showing, BUT the vulnerability was already set, so I removed the plugin and then reloaded it. That did not fix it.

Checking the database I found malicious links in the _options table and deleted those.

In the admin dashboard under users there were 2 new users with admin privileges. After checking them out and saving copies of their IPs, usernames and passwords, I deleted them.
The main culprit, and one you can find a lot of info about by googling is
Username: devidpentesting99
Email: devidpentesting@yandex.ru

IMPORTANT STEP THAT I INITIALLY MISSED – In the settings > general section “new default role” had been changed to “administrator” and there was a tick in the “anyone can register” box. I changed default role to “customer” (but yours might be “subscriber” depending on what you use your site for) and unticked “anyone can register”.

I decided I could live without the plugin Easy WP SMTP as the site functions fine without it, so I deleted it.

At the same time I deleted several other old plugins that were no longer needed.

I installed the WP Htaccess Editor plugin and added the following at the end, after # END WordPress:

# Disable directory browsing
# (Apache 2.4 rejects mixing "All" with +/- options, so only -Indexes is set)
Options -Indexes

# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Redirect all HTTP requests to HTTPS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

That stops anyone being able to browse the directories of wp-admin and wp-includes and also forces all pages to go to the SSL version (some were not).

Once I was sure everything was updated I used the cPanel File Manager to change the permissions on index.php, wp-config.php and wp-cron.php to 4 4 4 so they were not writable.

I added the plugin Disable XML-RPC to disable the XML-RPC API.

Adding all this here because it may help someone else who has had their WordPress site hacked by the Easy WP SMTP vulnerability. Although it looks like a simple list of actions, it took me 3 days to work all this out and fix it!

Best of luck to anyone else dealing with this hack.
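
A settings audit for the indicators described in the report above, as an added example that is not part of the original report. It checks the two WordPress options the report found changed (users_can_register, default_role), administrator accounts outside a known list, and write bits on the three files the report locked down; the function names and all sample rows are constructed, and real input would come from the options and usermeta tables (capabilities meta key) of the affected site.

```python
import re
import stat

# Default roles the report treats as acceptable for new registrations.
SAFE_DEFAULT_ROLES = {"subscriber", "customer"}

def roles_from_capabilities(serialized):
    """Return role names set to true in a PHP-serialized capabilities value."""
    return set(re.findall(r's:\d+:"([^"]+)";b:1;', serialized))

def audit(options, users, known_admins, file_modes):
    """Return a list of findings matching the compromise signs in the report."""
    findings = []
    if str(options.get("users_can_register", "0")) == "1":
        findings.append("users_can_register is enabled")
    role = options.get("default_role", "subscriber")
    if role not in SAFE_DEFAULT_ROLES:
        findings.append(f"default_role is '{role}'")
    for user in users:
        is_admin = "administrator" in roles_from_capabilities(user["capabilities"])
        if is_admin and user["login"] not in known_admins:
            findings.append(f"unexpected administrator: {user['login']}")
    for path, mode in file_modes.items():
        if mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path} is writable ({oct(mode & 0o777)})")
    return findings

# Constructed sample data. "siteowner" and "shopper1" are hypothetical;
# the second login is the account name given in the report.
SAMPLE_OPTIONS = {"users_can_register": "1", "default_role": "administrator"}
SAMPLE_USERS = [
    {"login": "siteowner", "capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"login": "devidpentesting99", "capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"login": "shopper1", "capabilities": 'a:1:{s:8:"customer";b:1;}'},
]
SAMPLE_MODES = {"index.php": 0o444, "wp-config.php": 0o644, "wp-cron.php": 0o444}

if __name__ == "__main__":
    for finding in audit(SAMPLE_OPTIONS, SAMPLE_USERS, {"siteowner"}, SAMPLE_MODES):
        print("FINDING:", finding)
```

Re-running the check after cleanup should return an empty list; a non-empty result after a plugin reinstall means the changed settings are still in the database.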
