This is something we have been tracking today, and we currently have reports from 5 users about someone targeting MainWP users who are running versions of the MainWP Child plugin older than 2.0.27.
On each site we were able to check, an older version of the Child plugin was in use. Using this exploit, the attacker is able to gain full access to your Child sites.
If you updated to the current version last week you should be fine, but we have added a simple test and cleanup procedure to the MainWP Dashboard so that you can verify.
First, update all your Child plugins to 2.0.28.
How to test and clean up
Now, let’s run a check to see if any suspect new users were added.
Search for the mainwp-child-id- user
- Go to the MainWP > Users > Manage page (/wp-admin/admin.php?page=UserBulkManage)
- In the Search Users form enter “mainwp-child-id-”
- Select All Child sites
- Click the Search Users button
Now let’s look for the suspect plugin
Search for the “WordPress admin security” plugin (this plugin is not the cause of the exploit; it is just what the attacker is using)
- Go to the MainWP > Plugins > Manage page (/wp-admin/admin.php?page=PageBulkManage)
- Make sure that the Active filter is selected in the Status dropdown
- In the Containing Keyword field, enter “Wordpress admin security”
- Select All Child sites
- Click the Show Plugins button
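As an added example that is not part of the original post or of MainWP’s own code, the following Python reproduces the three checks above (the Child plugin version, the mainwp-child-id- user search, and the “WordPress admin security” plugin search) over a constructed per-site inventory, so the same review can be scripted from an export or an API pull. The ChildSite record shape, the site URLs and the other plugin names are assumptions. It also shows why the version check must compare numerically: as plain strings, “2.0.9” sorts after “2.0.27”.

```python
"""Triage helper for the MainWP Child incident described in the post.

Added example, not MainWP code. The version thresholds and search strings
come from the post; the inventory record shape and sample data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# From the post: versions older than 2.0.27 are vulnerable; 2.0.28 is the fix.
VULNERABLE_BELOW = "2.0.27"
SUSPECT_USER_PREFIX = "mainwp-child-id-"
SUSPECT_PLUGIN_KEYWORD = "wordpress admin security"


@dataclass
class ChildSite:
    """Constructed inventory record for one Child site (hypothetical shape)."""
    url: str
    child_plugin_version: str
    user_logins: list[str]
    active_plugins: list[str]  # plugin display names, as shown in Plugins > Manage


def parse_version(version: str) -> tuple[int, ...]:
    """Split '2.0.9' into (2, 0, 9) so that 2.0.9 < 2.0.27 compares correctly.
    A plain string comparison gets this wrong ('2.0.9' > '2.0.27')."""
    return tuple(int(part) for part in version.split("."))


def child_plugin_is_vulnerable(version: str) -> bool:
    """True when the installed Child plugin is older than the first fixed range."""
    return parse_version(version) < parse_version(VULNERABLE_BELOW)


def suspect_users(logins: list[str]) -> list[str]:
    """Accounts whose login carries the prefix the post tells you to search for."""
    return [login for login in logins if login.startswith(SUSPECT_USER_PREFIX)]


def suspect_plugins(active_plugins: list[str]) -> list[str]:
    """Active plugins whose name contains the keyword, matched case-insensitively
    like the dashboard's Containing Keyword filter."""
    return [name for name in active_plugins if SUSPECT_PLUGIN_KEYWORD in name.lower()]


def triage(sites: list[ChildSite]) -> dict[str, dict[str, object]]:
    """Return per-site findings; a site mapped to an empty dict needs no action."""
    report: dict[str, dict[str, object]] = {}
    for site in sites:
        findings: dict[str, object] = {}
        if child_plugin_is_vulnerable(site.child_plugin_version):
            findings["outdated_child_plugin"] = site.child_plugin_version
        users = suspect_users(site.user_logins)
        if users:
            findings["suspect_users"] = users
        plugins = suspect_plugins(site.active_plugins)
        if plugins:
            findings["suspect_plugins"] = plugins
        report[site.url] = findings
    return report


# Constructed sample inventory (not real sites, users or data).
SAMPLE_SITES = [
    ChildSite("https://site-a.example", "2.0.28", ["admin", "editor"], ["Example Forms"]),
    ChildSite("https://site-b.example", "2.0.9",
              ["admin", "mainwp-child-id-1a2b"],
              ["Example Forms", "WordPress Admin Security"]),
    ChildSite("https://site-c.example", "2.0.27", ["admin"], []),
]

if __name__ == "__main__":
    for url, findings in triage(SAMPLE_SITES).items():
        status = "clean" if not findings else ", ".join(findings)
        print(f"{url}: {status}")
```

Run as a script it prints one line per site; site-b is flagged on all three counts, while site-c, sitting exactly at 2.0.27, is not reported as outdated because the post’s wording is “older than 2.0.27”.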
Now that your Child site is clean, it’s time to change your admin passwords
Steps for Changing Admin Passwords:
- Go to the MainWP > Users > Admin Passwords page (/wp-admin/admin.php?page=UpdateAdminPasswords)
- Select All Child Sites (or go one by one to make each password different)
- Set New Password
- Click the Update Now button
Set MainWP Child as a “Trusted Plugin”
I always recommend checking your Dashboard and updating any plugins as soon as an update is needed, but sometimes we are away, busy, or have something else keeping us from checking our Dashboards daily.
This is especially true with open source plugins: once a security fix is released, all someone needs to do is compare the two versions of the code to see what was fixed and then target older versions.
To help you in these situations, MainWP includes a “Trusted Plugin” system which allows your Dashboard to update a plugin for you if you haven’t done it within 24 hours.
Please follow these steps.
First, we need to tell your Dashboard you want to auto update the Trusted Plugins:
- Go to Settings (/wp-admin/admin.php?page=Settings)
- Locate “Automatic Daily Update”
- Set that to “Install Trusted Updates”
- Press “Save Settings”
Now that your Dashboard knows to look for these updates, let’s tell it that you trust the MainWP Child plugin (or any other plugin) to be updated automatically.
- Go to Plugins
- Then Auto-Updates
- Select Status “All Plugins”
- Trust Status “All Plugins”
- Containing Keyword “MainWP” and press “Show Plugins”
- Tick the checkbox next to MainWP Child
- From the top left column drop-down select “Trust”
- Press “Confirm”
Your MainWP Child plugin is now trusted and will be auto-updated 24 hours after an update is released if you do not do it before that.
In the next couple of days, I’ll try to do a breakdown blog post of the issue.