Towards the end of March, a critical vulnerability was detected in the Elementor plugin, versions 3.6.0 through 3.6.2. The issue began when Elementor introduced new functions for plugin setup, which opened the door to a serious security threat.
Those who use the aforementioned versions of the Elementor plugin could inadvertently give hackers full access to their websites.
How Does the Elementor Plugin Exploit Work?
In a nutshell, Elementor’s new function allows for quick onboarding of any plugin across accounts.
Anyone who has access to the backend of WordPress can upload a fake Elementor Pro .zip file and activate it as a plugin. This includes any authenticated user, such as subscribers.
The uploader can then run any function within that file.
As any executable file can be run in this manner, you can see just how easy it would be for anyone to gain full access, not to mention cause severe damage to your files or even access other resources on the server.
What Have We Done to Prevent the Exploit of the Elementor Plugin?
Because of the seriousness of this threat, GreenGeeks has updated all instances of the Elementor plugin automatically. However, you should still verify that you’re running the newest version of Elementor.
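One way to run that version check across several sites on a server, as an added example that is not GreenGeeks' or Elementor's own code: the script reads the `Version:` header of each Elementor install and flags the 3.6.0 through 3.6.2 range named above. It assumes the plugin sits at the default `wp-content/plugins/elementor/elementor.php` path, and the site names and version strings in the sample tree are constructed.

```python
import re
import tempfile
from pathlib import Path

# Affected range as stated in the article: 3.6.0 through 3.6.2 inclusive.
AFFECTED_MIN, AFFECTED_MAX = (3, 6, 0), (3, 6, 2)
# Assumption: the plugin is installed at WordPress's default plugin path.
MAIN_FILE = "wp-content/plugins/elementor/elementor.php"
# WordPress takes a plugin's version from the "Version:" header comment line.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)

def parse_version(header_text):
    """Return the version as a 3-tuple of ints, or None if no header is found."""
    m = VERSION_RE.search(header_text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def classify(version):
    """Label a parsed version against the affected range."""
    if version is None:
        return "unknown"  # header missing or unreadable: check by hand
    return "affected" if AFFECTED_MIN <= version <= AFFECTED_MAX else "not-affected"

def audit(root):
    """Map each site directory found under root to (version, status)."""
    results = {}
    for main in sorted(Path(root).glob("**/" + MAIN_FILE)):
        site = main.parents[3]  # strip wp-content/plugins/elementor/elementor.php
        version = parse_version(main.read_text(errors="replace"))
        results[site.name] = (version, classify(version))
    return results

def build_sample(root, versions):
    """Create a constructed sample tree: one fake site per name/version pair."""
    for name, ver in versions.items():
        f = Path(root) / name / MAIN_FILE
        f.parent.mkdir(parents=True)
        header = f" * Version: {ver}\n" if ver else ""
        f.write_text(f"<?php\n/**\n * Plugin Name: Elementor\n{header} */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample sites and versions, not real installations.
        build_sample(tmp, {"shop": "3.6.1", "blog": "3.5.6", "old": ""})
        for site, (ver, status) in audit(tmp).items():
            print(site, ver, status)
```

To audit real sites, call `audit()` on the directory that holds the WordPress document roots; any site reported as `affected` or `unknown` needs a manual look.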
If your website is at another web host, we suggest you update Elementor as soon as possible. Then, consider migrating your site to a host that has your best interest in mind.
Always Protect Your Site and Files
It’s always a good idea to keep your site and files protected from such exploits. Never underestimate the value of good security, even if your website only gets a handful of monthly users.
This is because hackers and bots are not picky about their targets.
Ways to improve the security of WordPress sites for free include:
- Installing security plugins such as Wordfence
- Using backup plugins to make recovery easier
- Using a unique database table prefix
- Keeping plugins, themes, and WordPress itself updated
It Only Takes a Moment to Lose Your Site
Website security is of utmost importance. Even if you don’t collect data from visitors, hackers can still use your site to create fake pages to steal credentials.
For instance, they could create a page nearly identical to PayPal to steal the login information of visitors directly from your domain.
Keep your thumb on the pulse of cybersecurity. Although exploits such as the one affecting the Elementor plugin will still happen, having measures in place can greatly reduce the risks of losing your website.