Our partner security agency, Sucuri, recently shared details of a new type of hack that has affected a large number of websites using the WordPress plugin ‘Ultimate Member’ or a tagDiv theme (Newspaper and Newsmag). This hack causes websites to redirect to URLs such as utroro[.]com, murieh[.]space, and unverf[.]com. It can also display fake CAPTCHA images that ask you to click “Allow” in your browser’s notification area.
If your website is currently redirecting to an unknown URL, you could be a victim of this hack. If you suspect that you may indeed be a victim of this hack, make sure you don’t click “Allow” in your browser’s notification area, and follow the instructions below.
At the time of writing this article, an estimated 2,670 websites are infected with one of the scripts and another 2,294 with the other, totaling around 5,505 websites. These scripts, served from cdn.eeduelements[.]com and cdn.allyouwant[.]online, inject further redirect code into the <head> section of the pages generated by many PHP files, JavaScript files, and files containing jQuery.
You may ask, shouldn’t my web hosting provider protect me from this hack? This type of hack is due to vulnerabilities in the Ultimate Member plugin and in the tagDiv themes (Newspaper and Newsmag), so unfortunately it is beyond your website hosting provider’s control, as the plugin and themes are installed directly within your hosting account.
How to Prevent It
The first step to protect your website is to take a full backup of your hosting account and store it on a local computer or hard drive. This is your best first safeguard, as you can quickly restore your website if anything were to happen.
The second step is to run all your website updates. This includes downloading and installing all the updates for your themes and plugins. If your website uses the Ultimate Member plugin or any of the tagDiv themes, this is even more important. The development teams of both products have released patches to help prevent the hack, so installing these updates is critical both to preventing this hack from occurring and to removing it if you are already affected.
The final step is to consider setting up a firewall to protect your website from attack. Our partner security company, Sucuri, provides an excellent firewall that can block these attacks. Learn more about Sucuri’s firewall.
My Website Is Redirecting, What Should I Do?
If your website is redirecting to an unknown page, it could very well be that your website has become infected.
If you’re using a tagDiv theme, security professionals at Sucuri advise that you may be able to remove the malware yourself. They advise that “the malware can be found and removed in the theme’s admin interface via Theme panel > ADS > YOUR HEADER AD, or in the “Custom HTML” widget.” If for some reason you’re having trouble removing the malware that way, they advise that you can clean the serialized code via your WordPress database. Before you attempt this, we recommend that you read more information regarding it on Sucuri’s website.
If you use the Ultimate Member plugin, “delete all PHP files in subdirectories under wp-content/uploads/ultimatemember/temp/ (for bonus points, disable execution of PHP files in this folder).”
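The two Ultimate Member steps quoted above (find stray PHP files under the temp upload directory, then stop PHP from executing there) as an added example; this is not Sucuri’s or the article’s own code. It assumes Apache 2.4 with .htaccess overrides enabled for wp-content, and takes the directory path from the quote above.

```shell
#!/bin/sh
# Added example: locate PHP-like files dropped under the Ultimate Member temp
# upload directory and block PHP execution there. Assumes Apache 2.4 with
# AllowOverride enabled for .htaccess files under wp-content.

UM_TEMP_DIR="${UM_TEMP_DIR:-wp-content/uploads/ultimatemember/temp}"

# List every PHP-like file (.php, .php5, .phtml, .phar) under DIR, recursively.
# Review the list before deleting anything; an upload directory should never
# legitimately contain executable PHP.
find_php_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \)
}

# Number of matches, with wc's padding stripped so it compares as an integer.
count_php_uploads() {
    find_php_uploads "$1" | wc -l | tr -d ' '
}

# Write an .htaccess that refuses to serve PHP-like files from DIR, so a file
# that slips in later still cannot execute. Any existing .htaccess is kept as
# a .bak copy for review.
write_php_block() {
    dir="$1"
    if [ -f "$dir/.htaccess" ]; then
        cp "$dir/.htaccess" "$dir/.htaccess.bak"
    fi
    cat > "$dir/.htaccess" <<'EOF'
# Deny execution of PHP files in the Ultimate Member temp upload directory.
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Usage: UM_TEMP_DIR=/var/www/html/wp-content/uploads/ultimatemember/temp sh um_temp_check.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "PHP-like files under $UM_TEMP_DIR (review, then remove):"
    find_php_uploads "$UM_TEMP_DIR"
    write_php_block "$UM_TEMP_DIR"
fi
```

On nginx there is no .htaccess; the equivalent is a `location` block for the temp directory that returns 403 for the same extensions.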
As Sucuri states, “If a [hacker] bad actor sees that a security issue has been fixed, they will try to create exploits for older versions to target vulnerable sites who haven’t yet patched to the latest available version.”
For greater detail regarding this hack, please read the linked article and consult Sucuri before removing or deleting website files.