On Friday my inbox was pinging with notifications about the WP GDPR Compliance Plugin vulnerability. One of the first was from Kim Bradford from Sphere Data Protection, so we’ve written this article together to help you understand the problem and what you can do about it going forward.
The WP GDPR Compliance Plugin
With over 100,000 active users last week, the WP GDPR Compliance Plugin was presented to us earlier this year as a way to make your WordPress site GDPR compliant – for free. Offering compatibility with other frequently used plugins, it looked great – and, as in so many cases, users just downloaded and activated the plugin without reading this first:
“ACTIVATING THIS PLUGIN DOES NOT GUARANTEE YOU FULLY COMPLY WITH GDPR. PLEASE CONTACT A GDPR CONSULTANT OR LAW FIRM TO ASSESS NECESSARY MEASURES.” (https://wordpress.org/plugins/wp-gdpr-compliance/)
The plugin’s own description reads: “This plugin assists website and webshop owners to comply with European privacy regulations known as GDPR. By May 24th, 2018 your site or shop has to comply to avoid large fines.”
Research your plugins before you install them. Look at how many people have downloaded them, whether they’re compatible with the latest version of WordPress, when they were last updated and what the reviews say. There is a plugin for pretty much everything, but whether it’s secure, up to date and up to the job is a different matter.
There is no such thing as a free lunch. In this case, it’s more along the lines of “there’s no such thing as free GDPR compliance”. Compliance requires effort and investment from everyone who is subject to those requirements. The irony that a GDPR plugin was the one that was targeted has not been missed. If you have been affected by this vulnerability, you potentially have a data breach on your hands. Now is the time to take some professional advice.
What happened with the GDPR Compliance Plugin?
Hackers discovered a vulnerability in the code of the plugin and used it to create admin users for WordPress sites. Administrator users have full access rights, so the hackers could inject the sites with code that made the site do whatever they wanted it to do. If you’re interested in the technical side you can read the article here.
When the vulnerability was discovered, WordPress temporarily removed the plugin from the repository. The developers created a ‘patch’ (fix, new version – call it what you will), which was then released. Until then, the hackers attacked the main WordPress code and the WooCommerce code if it was installed. The patch can now be downloaded and will resolve the problem – do this as soon as possible if you use this plugin.
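Because the attack described above works by creating administrator accounts, the first thing to check on a site that ran this plugin is whether any administrator exists that you did not create. The script below is an added example for this article, not code from the plugin or from either of us; it works on constructed sample rows in the shape of the wp_users and wp_usermeta tables (the table prefix, the user names and the dates are made up for illustration) and flags any administrator that is either not on your own list of known admins or was registered after a cutoff date you choose.

```python
import re
from datetime import datetime

# Constructed sample rows, not real data: the shape of wp_users and wp_usermeta
# as exported from phpMyAdmin or `wp db query`. The prefix "wp_" is the default;
# on a real site the capabilities key is "<prefix>capabilities".
WP_USERS = [
    {"ID": 1, "user_login": "jen", "user_registered": "2016-03-01 09:12:00"},
    {"ID": 2, "user_login": "kim", "user_registered": "2018-05-20 14:03:00"},
    {"ID": 3, "user_login": "shop-editor", "user_registered": "2018-06-11 08:45:00"},
    {"ID": 48, "user_login": "unexpected-new-user", "user_registered": "2018-11-09 03:27:51"},
]
WP_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 3, "meta_key": "wp_capabilities", "meta_value": 'a:2:{s:6:"editor";b:1;s:12:"shop_manager";b:1;}'},
    {"user_id": 48, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]

# WordPress stores roles as a PHP-serialized array: a:N:{s:LEN:"role";b:1;...}
# Each entry is a role name followed by a boolean; b:1 means the role is granted.
_ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:(\d);')


def roles_from_capabilities(serialized: str) -> set:
    """Return the set of roles switched on (b:1) in a serialized capabilities value."""
    return {role for role, flag in _ROLE_RE.findall(serialized) if flag == "1"}


def admin_accounts(users, usermeta):
    """Join wp_users to wp_usermeta and return the users holding the administrator role."""
    caps_by_user = {}
    for row in usermeta:
        if row["meta_key"].endswith("capabilities"):
            caps_by_user[row["user_id"]] = roles_from_capabilities(row["meta_value"])
    return [u for u in users if "administrator" in caps_by_user.get(u["ID"], set())]


def suspicious_admins(users, usermeta, known_admins, since):
    """Flag administrators that are not on the site owner's list of known admin logins,
    or that were registered on or after `since` (YYYY-MM-DD), e.g. the day the
    vulnerability became public. Returns (login, [reasons]) pairs for review."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    flagged = []
    for u in admin_accounts(users, usermeta):
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if u["user_login"] not in known_admins:
            reasons.append("not in known admin list")
        if registered >= cutoff:
            reasons.append(f"registered {u['user_registered']}")
        if reasons:
            flagged.append((u["user_login"], reasons))
    return flagged


if __name__ == "__main__":
    # Known admins and cutoff date are assumptions for this sample site.
    for login, reasons in suspicious_admins(WP_USERS, WP_USERMETA, {"jen", "kim"}, "2018-11-01"):
        print(f"REVIEW: {login}: {'; '.join(reasons)}")
```

Run it against an export of your own two tables rather than the sample rows. Any login it reports should be treated as a sign of compromise until you can account for it, and the answer is not simply to delete the user: a rogue administrator has usually also left other changes behind, which is why the article says to get the site cleaned up rather than just tidied.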
Hackers aren’t picky about who they attack. So many people say to us “oh, it wouldn’t happen to me, I’m not worth the effort”. Hackers do not care whether your site is about unicorns or uniforms, cake or cars, wellbeing or weekends away (or anything else for that matter).
Make sure your plugins are always up to date (although in this case that wouldn’t have helped), that you don’t make it easy for them to get access to the site, that you have additional security like Wordfence and/or Sucuri installed (we use both here at DigitalJen) and that your site is backed up. Every day.
What is this hack going to do?
It hasn’t been established yet what the hackers want to do with the data that they’ve accessed through the WP GDPR Compliance plugin. It’s possible they’ll be selling on the list of sites and the data to someone else – who, it can fairly safely be assumed, doesn’t want them for good purposes.
There are two ways that this hack has been carried out – whether the data will be used for two different purposes isn’t known yet. Suffice to say, most hackers are looking to spread malware, viruses and ransomware, which might include links or redirects to other sites, damaging code and other nasties.
Don’t make it easy for hackers to get into your site. Don’t use “admin” as your user name. (If you don’t know how to change this, get in touch and we’ll help.) Make your password as hard to guess as possible – and remember that the hackers all know we now use @ for ‘a’ and 3 for ‘e’, etc. Three random words with a mix of CAPITALS, numbers and special characters is a good start. Or use something like LastPass to generate and save the passwords for you.
Now what? Do I tell my clients? Do I need to make technical changes?
If you’ve been affected by this hack you need to get your site cleaned up and secured. If you’ve been affected on the WooCommerce side of things, you need to tell your clients that you have suffered an attack with a potential breach of data. Advise everyone to change their passwords and tell them that you’re taking action to make sure it doesn’t happen again. If you’re not sure what you need to be doing, have a chat with either of us and we’ll be happy to help.
Invest in some help. If you’re a blogger needing some help to get your blog compliant, it’s probably best to talk to Jen. If you’re a business, talk to Kim (details below). We both talk about how important it is that our clients know, like and trust what we do. GDPR compliance and keeping personal data safe is very much a key element of the trust part. Even if you’ve got a great product that everyone knows about, if they can’t trust you to keep their data secure, you’re not going to succeed.
More information & help
You can contact Kim and the team at Sphere at
You can contact Jen and the team at DigitalJen at firstname.lastname@example.org