A vulnerability in Simple Social Buttons was disclosed this week, and it leaves your website (along with the roughly 40,000 other websites running this plug-in) open to takeover. If you have this plug-in, update it immediately and check your website for any unknown users or changes made in the past week. I include a security checklist.
The report published yesterday by security researcher Luka Šikić describes a flaw that lets a logged-in non-admin user (a subscriber account, for example) modify the site's installation options, including the admin email associated with your website, and escalate themselves to admin.
If you run Simple Social Buttons, check the version now: 2.0.4 through 2.0.21 are affected, and the fix shipped in 2.0.22. (I have this plug-in on one of my websites.)
If you find this plug-in installed, update it first, then work through the security check below.
- Update the plug-in immediately.
- Check Users for any accounts or emails you do not recognise, paying particular attention to anyone holding the Administrator role, and remove them.
- Check that the admin email (Settings > General in the dashboard) is still your email.
- Run your website through Sucuri's free SiteCheck scanner to check for malware.
- Move your WordPress log-in page using WPS Hide Login. This changes the URL of the log-in page so that automated bots hammering /wp-login.php with password guesses miss it; it does not stop a determined attacker who finds the new URL, so treat it as a nuisance reducer, not a lock.
- Install Wordfence (free) to block bad bots scanning for vulnerabilities. Run a Wordfence scan as well, even if Sucuri comes back clean.
- If you are hacked, contact your host and consider paying for Sucuri's clean-up service. It is the premium WordPress security service and they can help you deal with the hack; they may also be able to restore your website to a previous version.
- If your website is clean, take a deep breath and back up your website. I use UpdraftPlus, which is free to use with your Google Drive. In case your server is wiped out, it's good to have a copy of your website!
- Consider adding two-factor authentication for logging into the WordPress admin panel, so that a stolen or guessed password alone is not enough to get in.
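As an added example, not code from the original post or from the plug-in, here is a small Python triage script that does the first three checks above on exported data: it reads the Version: header from the plug-in's main file and tests it against the affected range (2.0.4 up to 2.0.21), compares admin_email with the address you expect, and lists Administrator accounts you do not recognise. The plug-in header, option values and user list embedded below are constructed samples. The default_role and users_can_register checks are my own additions (the post only names admin_email); the user-list shape assumes the JSON that `wp user list --format=json` emits.

```python
"""Added triage helper for the Simple Social Buttons issue (example code,
not from the original post or the plug-in). Runs offline on exported data;
the sample inputs at the bottom are constructed for the demonstration."""
import json
import re

# Affected range as stated in the post: 2.0.4 up to and including 2.0.21,
# with the fix shipping in 2.0.22.
FIRST_AFFECTED = (2, 0, 4)
FIRST_FIXED = (2, 0, 22)


def parse_version(text):
    """'2.0.21' -> (2, 0, 21). Tuples compare numerically, so 2.0.9 < 2.0.21;
    a plain string comparison would get that wrong."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def plugin_version_from_header(main_file_text):
    """Pull the Version: line out of a plug-in's main PHP file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)", main_file_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


def is_affected(version):
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def triage_options(options, expected_admin_email):
    """options: dict of wp_options values (e.g. from `wp option get <name>`).
    admin_email is the option the post names; default_role and
    users_can_register are assumed extras, since an attacker who can write
    arbitrary options could use them to register straight into an admin role."""
    findings = []
    actual = str(options.get("admin_email", ""))
    if actual.lower() != expected_admin_email.lower():
        findings.append(f"admin_email is {actual!r}, expected {expected_admin_email!r}")
    if options.get("default_role") == "administrator":
        findings.append("default_role is 'administrator'")
    if str(options.get("users_can_register", "0")) == "1":
        findings.append("users_can_register is enabled")
    return findings


def unknown_admins(users, known_admin_logins):
    """users: list of dicts shaped like `wp user list --format=json` output
    (assumed: user_login, user_email, roles as a comma-separated string or list).
    Returns logins holding the administrator role that are not on your own list."""
    known = {login.lower() for login in known_admin_logins}
    found = []
    for u in users:
        roles = u.get("roles", "")
        if isinstance(roles, str):
            roles = [r.strip() for r in roles.split(",")]
        if "administrator" in roles and u["user_login"].lower() not in known:
            found.append(u["user_login"])
    return found


def triage_site(main_file_text, options, users, expected_admin_email, known_admin_logins):
    version = plugin_version_from_header(main_file_text)
    return {
        "plugin_version": version,
        "version_affected": is_affected(version),
        "option_findings": triage_options(options, expected_admin_email),
        "unknown_admins": unknown_admins(users, known_admin_logins),
    }


# --- constructed sample data (not taken from any real site) ---
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Simple Social Buttons
 * Version: 2.0.21
 */
"""
SAMPLE_OPTIONS = {"admin_email": "owner@example.com",
                  "default_role": "administrator",
                  "users_can_register": "1"}
SAMPLE_USERS = json.loads("""[
  {"user_login": "owner",    "user_email": "owner@example.com", "roles": "administrator"},
  {"user_login": "editor1",  "user_email": "ed@example.com",    "roles": "editor"},
  {"user_login": "helpdesk", "user_email": "hd@mail.test",      "roles": "subscriber,administrator"}
]""")

if __name__ == "__main__":
    report = triage_site(SAMPLE_PLUGIN_HEADER, SAMPLE_OPTIONS, SAMPLE_USERS,
                         expected_admin_email="owner@example.com",
                         known_admin_logins=["owner"])
    print(json.dumps(report, indent=2))
```

On a live site, feed it the real values: the plug-in's main file from wp-content/plugins/, the options via `wp option get admin_email` (and the other two names), and the user list via `wp user list --format=json`. Anything it flags is a reason to assume the site was touched and to keep going down the checklist rather than stopping at the update.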
The issue was found on February 7th and reported to the developer the same day. It was patched the next day (February 8th). If you haven't updated Simple Social Buttons yet, do it now: until you do, your website remains vulnerable. You can watch the video below showing how easy the takeover is!
I hope that this short blog post helped protect your website. 🙂