How did I fix my WordPress website after it was hacked?
On 29.06.2023, my website, osintafrica – intelligency blog, was hacked.
The threat actor created two accounts with the Author role and published two posts on the website.
In the following lines, I will describe how I handled and fixed the issue.
When I connected to my website, I found a strange post. It was very surprising, because I was not the author of the post, so I decided to analyse the issue.
Figure 1: Post published by the threat actor
As you can see in the image above, the user “miqzmcif” was the author of the post.
I connected to my WordPress backend and checked the Users menu to list all the accounts created on the website. I found two newly created user accounts (miqzmcif@ds.sdf and 0erwybgp2j9n9btwm8foxn@gmail.com) alongside my own admin user.
Figure 2: Two new users created by the threat actor
I searched Google for the names and email addresses of the two created users, but unfortunately no information was found.
My next step was to verify whether any installed plugin had a vulnerability that could be exploited to gain access to my website and create a user account or publish a post. I checked all the plugins one by one via Google search for any known issues. Only one plugin turned out to be vulnerable: WP Post Author version 3.2.3, affected by a critical vulnerability disclosed a few days earlier: WP Post Author <= 3.2.3 – Privilege Escalation (wordfence.com).
The WP Post Author plugin is used to create and edit author profiles on a WordPress website. At this point, it was quite obvious to me that this plugin was the cause.
Before I deactivated and removed the plugin together with the two created users, I ran a WPScan against the website to check for any other vulnerability. At the time the scan was run, no issue was detected that a threat actor could have used to carry out the attack.
After that, I decided to harden my website: I enabled the auto-update option on all the plugins and installed a web application firewall (WAF) and an IDS to protect the website.
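The checks described above (listing the accounts, comparing installed plugin versions against the advisory, and confirming that auto-updates are switched on) can be scripted so they are repeatable after an incident and on a schedule. The following Python script is an added example, not code from the original post. It consumes the JSON that WP-CLI's `wp user list --format=json`, `wp plugin list --format=json` and `wp option get auto_update_plugins --format=json` produce; the sample records embedded below are constructed to mirror the incident, and the plugin slug `wp-post-author`, the admin login `siteowner`, the second account's login and the timestamps are assumptions rather than values from the post.

```python
import json
import re

# Constructed sample of `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=json`.
# The two Author accounts mirror the incident; the admin login, the second login and the dates are assumed.
USERS_JSON = """[
 {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.invalid",
  "user_registered": "2021-03-12 09:10:00", "roles": "administrator"},
 {"ID": 7, "user_login": "miqzmcif", "user_email": "miqzmcif@ds.sdf",
  "user_registered": "2023-06-29 02:14:51", "roles": "author"},
 {"ID": 8, "user_login": "0erwybgp2j9n9btwm8foxn", "user_email": "0erwybgp2j9n9btwm8foxn@gmail.com",
  "user_registered": "2023-06-29 02:15:03", "roles": "author"}
]"""

# Constructed sample of `wp plugin list --format=json` (slug "wp-post-author" is assumed).
PLUGINS_JSON = """[
 {"name": "wp-post-author", "status": "active", "version": "3.2.3"},
 {"name": "akismet", "status": "active", "version": "5.1"}
]"""

# Constructed sample of `wp option get auto_update_plugins --format=json`:
# WordPress stores the enrolled plugins as a list of plugin basenames.
AUTO_UPDATE_JSON = '["akismet/akismet.php"]'

# Advisory table: plugin slug -> highest affected version, taken from the
# "WP Post Author <= 3.2.3 - Privilege Escalation" entry cited in the post.
ADVISORIES = {"wp-post-author": "3.2.3"}

# Roles that can create content; an unknown account holding one of these is worth triage.
PUBLISHING_ROLES = {"administrator", "editor", "author", "contributor"}


def parse_version(text):
    """Turn '3.2.3' or '3.2.10-beta' into a tuple of ints so comparisons are numeric, not lexical."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def find_unexpected_users(users_json, known_logins):
    """Return (login, email, registered) for publishing-capable accounts not in the owner's allowlist."""
    unexpected = []
    for user in json.loads(users_json):
        roles = {r.strip() for r in user["roles"].split(",")}
        if user["user_login"] not in known_logins and roles & PUBLISHING_ROLES:
            unexpected.append((user["user_login"], user["user_email"], user["user_registered"]))
    # Oldest registration first, which makes a burst of accounts created together easy to spot.
    return sorted(unexpected, key=lambda u: u[2])


def find_vulnerable_plugins(plugins_json, advisories):
    """Return (slug, version, status) for installed plugins at or below an advisory's ceiling version."""
    hits = []
    for plugin in json.loads(plugins_json):
        ceiling = advisories.get(plugin["name"])
        if ceiling and parse_version(plugin["version"]) <= parse_version(ceiling):
            hits.append((plugin["name"], plugin["version"], plugin["status"]))
    return hits


def find_plugins_without_auto_update(plugins_json, auto_update_json):
    """Return slugs of installed plugins that are not enrolled in WordPress plugin auto-updates."""
    enrolled = {basename.split("/")[0] for basename in json.loads(auto_update_json)}
    return [p["name"] for p in json.loads(plugins_json) if p["name"] not in enrolled]


def audit(users_json=USERS_JSON, plugins_json=PLUGINS_JSON,
          auto_update_json=AUTO_UPDATE_JSON, known_logins=("siteowner",)):
    """Run all three checks and return their findings in one dict."""
    return {
        "unexpected_users": find_unexpected_users(users_json, set(known_logins)),
        "vulnerable_plugins": find_vulnerable_plugins(plugins_json, ADVISORIES),
        "plugins_without_auto_update": find_plugins_without_auto_update(plugins_json, auto_update_json),
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(f"{check}:")
        for finding in findings:
            print("  ", finding)
```

The version check compares installed versions directly against the advisory ceiling, so it flags WP Post Author 3.2.3 even if a scanner's signature database has not yet picked up the entry. On a live site the three JSON inputs would come from the WP-CLI commands named in the lead-in rather than from the constructed strings.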
NB: It is worth mentioning that, before this incident, I would never have imagined that my blog could be hacked.
So, taking this as an example, I encourage all of you to follow best practices like the ones described here to protect your WordPress website or any other website.
Bangaly Koita is a Cyber Security Analyst and researcher working for Radarcs Cyber Security in Vienna, Austria. As someone passionate about cyber security, he writes articles to share his knowledge and experience with the wider IT community, and with the cyber security community in particular.