“Erealitatea[dot]net” and “t2trollherten” Hack: How to fix the WP GDPR Compliance Plugin mess if you’re not good with WordPress

Do you also have a WordPress blog or website that has not been loading these past couple of days? Did you notice new users in your backend or did your page get redirected to some weird URL?
I got you, here’s how to fix the whole damn mess yourself – even if you (like me) are not a web developer geek.

For me, the whole thing started some time during my lunch break at the office yesterday. I wanted to show someone my blog and sent them a link. “Ummm, it doesn’t seem to load”, was the answer, along with a screenshot of a blank page. Great. Not only am I drowning in work for university (literally sitting in the library while I type this), I am also super stressed out (plus my tights just ripped, freaking splintery library chairs!), and now this!

Didn’t think too much of it, though, and I was planning to take care of whatever the problem was when I had a quiet moment sometime next week. Until I tried (just for fun) to get into the backend of my blog this morning – which was not possible. Aaaaaah.

URL change to erealitatea[dot]net

First of all, a diagnosis. Or the symptoms. (I’m not a doctor either.)
For me, as I already mentioned, it was not possible to access the website. Diyrona.com was not loading, and after a while, you could see that the URL was redirected to erealitatea[dot]net. (Don’t go to that page, obviously.)
I was also not able to reach the backend or log in, because that was also redirected.

New users t2trollherten or t3trollherten

Through a little research, I found that a lot of people also have the issue of new users being created in the backend of their sites, having administrator status and all.
Thankfully, this did not happen to me, but make sure to check your users and your root file for any malware and remove it.

WP GDPR Compliance Plugin is to blame

Furthermore, it has now become clear that the problem is due to a vulnerability connected to a very popular WordPress plugin: WP GDPR Compliance. A new version of this plugin has been released on November 7, and hackers basically started to attack older versions right away. So it is absolutely necessary to immediately update this plugin!

In order to do that, we should be able to access our backend though, right?

How to fix the URL change

Thankfully, the solution to the whole URL problem is quite simple.
Dig deep into your site’s database until you find “xx_options” (“xx” being whatever prefix you have in your database). You will find the intruder in the “option_value” field for “option_name”. Simply change the freaking hacker url to your own and you will be able to access your site – and the backend! – again.

Make sure to clean up the whole mess

Now, as soon as you can access your site again, make sure to immediately update the troublemaker aka WP GDPR Compliance Plugin.
Be sure to also check the users, as I mentioned before.
Go back to your database as well, and try to find any malicious .php files. I found this article pretty helpful.

What I learned from this incident

I personally never thought that anyone would hack my teeny, tiny blog. And I never thought that WordPress plugins that popular and big could have such extreme security issues. Well. I am a naive little girl. Make sure to keep your plugins up to date and get at least a little familiar with your database.

Now the day is almost half over, I have not finished anything for university, the library closes in under an hour, and I seriously need to go home and put on a pair of intact tights. In other words: I’m off continuing the usual hassle and I hope everyone is having a great (and hacker-free) weekend!


Leave a Reply

Your email address will not be published. Required fields are marked *