Duplicator is a popular plugin (over 1 million downloads) for backup, site cloning or migration. Unfortunately, a vulnerability that allows remote code execution has recently been detected in it. How can such an attack manifest itself?
If strange content or links appear on your WordPress-based site, or your files disappear, you may have fallen victim to an attack. Other symptoms may be an empty .htaccess file and changes to the wp-config.php file; in particular, unknown entries may appear in the fields responsible for configuring the database. The attack is not complicated and has been described in detail here: https://www.synacktiv.com/ressources/advisories/WordPress_Duplicator-1.2.40-RCE.pdf
The important point is that the attack takes place through backup files (in the backup) or files related to migration.
How to protect yourself against attacks?
First of all, if you have not updated the plugin, be sure to do so. Then remember to delete the plugin files after using it; after all, the plugin is meant for single use only. This is a solution that should protect you. In addition, an anti-compromise system operates on our servers, which also protects you against attacks. If you suspect that your site has been infected, be sure to restore the last working backup and then update all add-ons (and remove the unused Duplicator plugin). You can restore a backup using the tool that we provide in cPanel. The next step is to change your passwords and secure future archives with a password.
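The symptoms listed above can be checked mechanically. The following Python check is an added example, not part of the original post or the plugin's code: it flags an empty .htaccess, database settings in wp-config.php that differ from known-good values, and leftover backup or migration files. The function names, the known-good values and the file patterns are assumptions of this example and are supplied by the caller.

```python
import re
from pathlib import Path

# Matches WordPress database constants, e.g. define( 'DB_HOST', 'localhost' );
# Limitation: does not handle escaped quotes inside a value or commented-out lines.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*(['"])(.*?)\2\s*\)"""
)


def db_settings(wp_config_text):
    """Return the DB_* constants found in the text of wp-config.php."""
    return {m.group(1): m.group(3) for m in DEFINE_RE.finditer(wp_config_text)}


def triage(docroot, expected_db, leftover_globs):
    """Return findings for the symptoms described in the post.

    expected_db: known-good DB_* values (assumption: taken from the hosting panel).
    leftover_globs: caller-supplied patterns for backup or migration files
    that should no longer be present in the document root.
    """
    root = Path(docroot)
    findings = []

    htaccess = root / ".htaccess"
    if htaccess.is_file() and not htaccess.read_text(errors="replace").strip():
        findings.append(".htaccess is empty")

    config = root / "wp-config.php"
    if config.is_file():
        actual = db_settings(config.read_text(errors="replace"))
        for key, want in sorted(expected_db.items()):
            got = actual.get(key)
            if got != want:
                # Never echo a password into a report or log.
                shown = "<redacted>" if key == "DB_PASSWORD" else repr(got)
                findings.append(f"wp-config.php {key} is {shown}, not the known-good value")
    else:
        findings.append("wp-config.php is missing")

    for pattern in leftover_globs:
        for path in sorted(root.glob(pattern)):
            findings.append(f"leftover backup/migration file: {path.name}")
    return findings
```

An empty result from `triage()` means none of these symptoms were found; it does not prove the site is clean.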