A Little Problem With The WP GDPR Compliance Plugin
Yesterday I discovered that one of my blogs (not a WA blog) had been hacked.
I use a range of security plugins on my non-WA sites to beef up security. Traffic is also passed through Cloudflare, which provides yet another security layer.
Yet, despite all this, my blog got hacked.
Why am I posting about a non-WA blog here?
Because the hack came through a plugin many of us here are probably using on our WA blogs - the WP GDPR Compliance plugin.
As you probably know, certain privacy and data protection regulations were enacted by the EU back in May. This means that any website, no matter where in the world it is, has to protect the data of EU citizens.
Some sites, notably in the USA, blocked access to EU residents while they figured out what to do. This is against the ethos of everything being freely available on the internet (unless you have to pay for it, but that's a choice you make, not one that's foisted upon you).
So to comply with these EU regulations, several GDPR (General Data Protection Regulations) plugins were created for WordPress. They could just be added to a site and some EU compliant text and checkboxes would appear on your blog.
One of the most popular is the WP GDPR Compliance plugin. It's installed on over 100,000 blogs.
I don't have an insight into the security measures implemented by WA for its blogs. The current hack allows an attacker to escalate their privileges on a blog. Essentially they can make themselves an admin and then do whatever they want.
So I think the best thing we all can do is immediately check our blogs to make sure they haven't been hacked and to update the WP GDPR Compliance plugin to version 1.4.3 right now.
UPDATE 1: I got a notification today that a new user had been added to my WA blog (which also uses the WP GDPR Compliance plugin). The email address had a .ru (Russia) extension. I don't allow users to register on my blog, but this user was listed as an Administrator! I missed updating the WP GDPR Compliance plugin on this site.
So this confirms that WA sites using the WP GDPR Compliance plugin are in danger of being hacked, regardless of the security measures implemented on WA web servers.
I'd recommend that you change your login password for your blog if you use/used the WP GDPR Compliance plugin. A hacker could have gained access to your site, created an admin level user, used it to get your admin password and then deleted the admin account they created. If they have your username and password, they have access to your blog!
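For anyone who manages their own WordPress install (not the WA-hosted ones, where you have no shell), here is an added example of the checks described above as a small WP-CLI script. It is my own illustration, not code from the plugin or from the original post. It assumes WP-CLI is installed, that you run it from the WordPress root, and that the plugin slug is wp-gdpr-compliance; the KNOWN_ADMINS list and the sample CSV are constructed values you replace with your own. It lists every Administrator account that is not on your allow-list (the kind of unexpected admin mentioned in the update), warns if open registration has been switched on, and compares the installed plugin version against 1.4.3.

```shell
#!/bin/sh
# Added example, not part of the original post: post-incident checks for a
# self-hosted WordPress site via WP-CLI ("wp" commands and the plugin slug
# "wp-gdpr-compliance" are assumptions; run from the WordPress root).

# Administrator logins you know about (assumed names; edit for your site).
KNOWN_ADMINS="myadmin"

# Returns 0 (true) if dotted version $1 is lower than dotted version $2.
# Compares field by field numerically, so 1.4.10 is correctly above 1.4.3.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# Reads "user_login,user_email" CSV lines (header first) on stdin, as produced by
#   wp user list --role=administrator --fields=user_login,user_email --format=csv
# and prints every administrator whose login is not in KNOWN_ADMINS.
unexpected_admins() {
    tail -n +2 | while IFS=, read -r login email; do
        case " $KNOWN_ADMINS " in
            *" $login "*) ;;                       # expected admin, stay quiet
            *) printf '%s %s\n' "$login" "$email" ;;
        esac
    done
}

# Live checks against the site; only runs when invoked with --run and wp exists.
run_checks() {
    echo "== Administrator accounts not on the allow-list =="
    wp user list --role=administrator --fields=user_login,user_email --format=csv | unexpected_admins

    # The post's author had registration disabled yet gained a new admin user,
    # so confirm nobody has quietly re-enabled it.
    reg=$(wp option get users_can_register)
    if [ "$reg" = "1" ]; then
        echo "WARNING: open user registration is enabled (users_can_register=1)"
    fi

    ver=$(wp plugin get wp-gdpr-compliance --field=version)
    if version_lt "$ver" 1.4.3; then
        echo "WARNING: WP GDPR Compliance $ver is below 1.4.3; update now"
    else
        echo "WP GDPR Compliance $ver is at or above 1.4.3"
    fi
}

if [ "${1:-}" = "--run" ] && command -v wp >/dev/null 2>&1; then
    run_checks
fi
```

Save it as gdpr-check.sh and run `sh gdpr-check.sh --run` from the site root; any login it prints under the allow-list heading is an administrator you did not create and should be investigated, and the password advice above still applies even when the plugin is already at 1.4.3.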