Forum Replies Created

Viewing 6 replies - 1 through 6 (of 6 total)
  • mzzz

    (@mzzz)

    Please make sure to update the WP GDPR Compliance plugin immediately after the backup was restored! Otherwise you will likely get hacked again within minutes. I’m observing my Web server logs and see constant attacks coming in – all now bouncing back with an error 401 due to the lockdown of /wp-admin.

    mzzz

    (@mzzz)

    In order to prevent this from happening in future, I recommend just securing wp-admin and wp-login.php to certain IP addresses only and, additionally, activating basic authentication for both. There are plenty of blog articles on the Web that explain how basic authentication can be activated (e.g. for Apache and Nginx users). Some Web hosters also provide a web interface through which basic auth can be activated for certain directories.

    If the entire wp-admin directory is additionally protected, the hacker would have been unable to access admin-ajax.php and take advantage of the vulnerability.

    mzzz

    (@mzzz)

    Are you using a GDPR plugin on all of the 15 websites?

    Thread Starter mzzz

    (@mzzz)

    Thank you! I have deactivated the GDPR plugin and will not use it again.

    mzzz

    (@mzzz)

    The same just happened to me a few hours ago: https://www.ads-software.com/support/topic/security-beeing-hacked-by-trollhertenmail-com/#post-10860659

    Looking at the log files of my server I believe there is a vulnerability in admin-ajax.php (all my plugins and WordPress installation are up to date). In other words, “there is no way to register a new user without having the administrator password if the option is turned off, correct” – this may not be correct if there is a security vulnerability.

    mzzz

    (@mzzz)

    Same happened to me! I think there must be an unknown vulnerability as I’m also running the latest WordPress version. My server log files suggest that the hackers got in through admin-ajax.php. I removed both users and secured wp-login.php and /wp-admin with basic authentication. Additionally I blocked access to both to all IP addresses but my own. Hopefully this will prevent it from happening again.
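
An added example, not part of the original posts: one way to confirm from the access log that the lockdown described in the replies above is holding, by listing any request to wp-admin or wp-login.php from outside the allowed addresses that was not answered with 401/403. It assumes the Apache/Nginx "combined" log format; the function name `audit`, the allowlist and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in "combined" log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 401 381 "-" "curl/7.58.0"
203.0.113.7 - - [01/Jan/2024:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "curl/7.58.0"
198.51.100.23 - - [01/Jan/2024:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?x=1 HTTP/1.1" 200 52 "-" "Mozilla/5.0"
192.0.2.10 - admin [01/Jan/2024:10:03:40 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jan/2024:10:04:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Paths the posts say were locked down (also matches installs in a subdirectory).
PROTECTED = re.compile(r'(^|/)(wp-admin(/|$)|wp-login\.php$)', re.IGNORECASE)
DENIED = {401, 403}


def audit(log_text, allowed_nets):
    """Return (leaks, blocked): requests from outside the allowlist that
    reached a protected path, and a per-IP count of those correctly denied."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    leaks, blocked = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = m["path"].split("?", 1)[0]
        if not PROTECTED.search(path):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname logged instead of an address
        if any(ip in net for net in nets):
            continue  # administrator's own address
        if int(m["status"]) in DENIED:
            blocked[m["ip"]] += 1
        else:
            leaks.append((m["ip"], m["method"], path, int(m["status"])))
    return leaks, blocked


if __name__ == "__main__":
    leaks, blocked = audit(SAMPLE_LOG, ["192.0.2.10/32"])
    print("denied per IP:", dict(blocked))
    print("NOT denied (review these):", leaks)
```

Any entry in the second list means the IP restriction or basic authentication is not covering that path, for example because a rule was applied to /wp-admin but not to wp-login.php.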
