Hey guys, I’ve confirmed 3 hacks in the last 24 hours on my clients’ WP sites.
So far, all 3 sites use a combination of OptimizePress and Digital Access Pass (DAP).
The vulnerability seems to be from an outdated version of OptimizePress which allows the hacker to gain admin access to WordPress.
He then changes the Paypal receiver email in DAP so that sales are diverted into his account.
It seems that the hacker is injecting PHP script on the server level because I’ve found several malicious PHP files in the /dap/ directory.
#####
Here’s what you should do right now:
1. Go into your WordPress site and update ALL of your plugins, themes, and your WordPress version.
Don’t forget to update any apps that aren’t native to WordPress but interface with WordPress (e.g. DAP).
2. If you’re using DAP, go to DAP => Setup => Config => Paypal.
If you don’t recognize the email address in this field then you’ve definitely been hacked.
Please note that if the email in the Paypal email field is yours, it does NOT mean you haven’t been hacked.
#####
If you are positive you’ve been hacked, here’s what you should do right now:
1. Get in touch with your hosting company immediately and share this memo with them (additional technical notes on the bottom.)
Ask them to run a malware scan and help you identify/clean up the intrusion.
2. If they try to charge you to diagnose/fix the problem, and if the price is reasonable considering the sales you’re currently losing, then pay it and enlist their help.
If it’s unreasonable you can go to Upwork, post a job for malware removal and get a contractor’s help.
3. If you’d like my personal help with this situation, I’m working with a contractor to remediate hacked websites now.
Please get in touch at victor.dorfman(at)gmail.com
#####
If you’re not sure whether or not your site’s been hacked:
1. If your site is making any kind of income, I recommend doing the steps above just to be safe.
2. Install the WordFence WordPress plugin and monitor current activity to see if any funky IP addresses are trying to access any strange looking URLs on your domain.
#####
Please share this message in the relevant membership groups/social media.
Vic
