WordPress GDPR Plugin Exploit – All You Need To Know
As of November 9, 2018, the WP GDPR Compliance plugin has been exploited by hackers. This plugin helps e-commerce site owners comply with European privacy standards. Because the very nature of GDPR is to protect the personal data and privacy of EU citizens, this exploit should be dealt with as soon as possible to avoid a costly cleanup. WP GDPR Compliance is also known for working in conjunction with many forms, including Contact Form 7, Gravity Forms, and WordPress Comments.
The main characteristic of this hack is the addition of new users with admin privileges. These administrative users have full access to your WordPress site. With admin users, a hacker can alter your site without your knowledge, including making rogue pages or selling your visitors' information.
This article shows WP GDPR users how to:
Identify If You Use WP GDPR
If you are familiar with how to log in to your WordPress backend, you can easily see if you are using this plugin.
Step 1: Enter the WordPress backend by going to yourdomain.com/wp-login.php in your browser.
Step 2: Log in with your WordPress username and password, navigate to Plugins, and click on Installed Plugins on the left-hand side of your screen.
Step 3: Scroll down through the installed plugins to see if WP GDPR Compliance is in your list. On this screen, you’ll be able to see the version of the plugin to the right of the plugin name. Any version earlier than 1.4.3 is vulnerable and should be updated.
Upgrade WP GDPR
Although this is a severe exploit, it is easy to patch: a simple update protects your site.
Step 1: Follow the steps above in the section “Identify If You Use WP GDPR” to log in and locate your Plugins menu.
Step 2: Afterwards, find WP GDPR Compliance. If you are running an outdated version, you’ll see a message letting you know you can update. Selecting the “update now” link will automatically upgrade to the newest version.
Have You Been Hacked?
There are a couple of ways to identify this hack, listed below, but you can also use the Wordfence Security Scanner.
Indicators of Compromise include the following characteristics:
- Creation of new users with Admin privileges
- Database users in the wp_users table named t2trollherten and t3trollherten
- URLs inserted into the code, seen as pornmam.com
- Installation of the 2MB Autocode plugin, executed by WP-Cron via WooCommerce’s woocommerce_plugin_background_installer
- The wp_options table within your database has an entry starting with 2mb_autocode, or its default_role entry is set to anything other than “subscriber”
- Recent edits to the wp-super-cache/wp-cache.php file
- Creation of a backdoor file, /wp-content/uploads/…/wp-upd.php
- Incoming IPs from:
  - 109.234.39.250
  - 109.234.37.214
  - 195.123.213.91
  - 46.39.65.176
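
The indicators above can be checked in one pass once the user list, wp_options rows, access log and file listing have been exported from the site. The following is an added example, not code from the original article or from Wordfence; the function name `scan`, its input shapes, the `known_admins` baseline and all sample data are assumptions constructed for illustration.

```python
import re

# Indicators copied from the list above.
IOC_USERS = {"t2trollherten", "t3trollherten"}
IOC_IPS = {"109.234.39.250", "109.234.37.214", "195.123.213.91", "46.39.65.176"}
IOC_OPTION_PREFIX = "2mb_autocode"
BACKDOOR = re.compile(r"(^|/)wp-content/uploads/(.*/)?wp-upd\.php$")

def scan(users, known_admins, options, log_lines, files):
    """Return a sorted list of (indicator, detail) findings.
    users        -- (login, role) pairs exported from the user tables
    known_admins -- logins you expect to hold the administrator role
    options      -- dict of wp_options rows (option_name -> option_value)
    log_lines    -- access-log lines whose first field is the client IP
    files        -- file paths under the WordPress root
    """
    found = set()
    for login, role in users:
        if login.lower() in IOC_USERS:
            found.add(("known_bad_user", login))
        elif role == "administrator" and login not in known_admins:
            found.add(("unexpected_admin", login))
    for name in options:
        if name.startswith(IOC_OPTION_PREFIX):
            found.add(("autocode_option", name))
    # Assumption: a missing default_role row is treated as the safe default.
    if options.get("default_role", "subscriber") != "subscriber":
        found.add(("default_role", options["default_role"]))
    for line in log_lines:
        fields = line.split(None, 1)
        if fields and fields[0] in IOC_IPS:
            found.add(("ioc_ip", fields[0]))
    for path in files:
        if BACKDOOR.search(path.replace("\\", "/")):
            found.add(("backdoor_file", path))
    return sorted(found)

# Constructed sample data, not taken from a real site.
SAMPLE_USERS = [("alice", "administrator"), ("t2trollherten", "administrator"),
                ("bob", "subscriber"), ("mallory", "administrator")]
SAMPLE_OPTIONS = {"default_role": "administrator", "blogname": "Shop",
                  "2mb_autocode_example": "x"}
SAMPLE_LOG = ['109.234.39.250 - - [09/Nov/2018:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 0',
              '203.0.113.7 - - [09/Nov/2018:10:00:05 +0000] "GET / HTTP/1.1" 200 512']
SAMPLE_FILES = ["wp-content/uploads/2018/11/wp-upd.php", "wp-content/uploads/2018/11/logo.png"]

if __name__ == "__main__":
    for indicator, detail in scan(SAMPLE_USERS, {"alice"}, SAMPLE_OPTIONS, SAMPLE_LOG, SAMPLE_FILES):
        print(f"{indicator}: {detail}")
```

An empty result only means none of these specific indicators matched the exported data; it does not replace a full malware scan.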
What to Do If Compromised
If the characteristics above show that your site is compromised, you’ll want to remedy it immediately, since other sites on the same server can be affected.
- Liquid Web customers can purchase a Malware Clean Up package
- Manually remove the code from the infected files
- Restore from a backup dated before November 8, 2018 (keep in mind the restored site will still have the old version of the plugin, and your site will still be in danger)
About the Author: Echo Diaz
Throughout Echo's four-year stint as a technical support specialist, her passion for breaking down complex concepts led to a career in professional writing. As a former top-tier support specialist, she added a distinctive element to her written work that spoke to customer feedback and concerns. Echo occasionally pops her head out from behind her computer to watch her dog energetically run around the yard and unabashedly shovels money into buying tickets to see her favorite musical artists.