Recently, we have been receiving inquiries from clients who have received warnings from their hosting providers about a critical vulnerability detected in the popular Duplicator plugin. This flaw allows attackers to compromise websites. The issue affects both the free version of the plugin and the PRO version. To all concerned users, we want to reassure you: WP Care is closely monitoring the situation. We are doing everything possible to ensure the continuous operation and security of your websites.
Duplicator – WordPress migration plugin. What’s the issue?
Duplicator is a very popular plugin among users for creating website backups, migrating WordPress to another server, or duplicating an environment for testing purposes. The creators of the plugin – Snap Creek – boast over fifteen million downloads, more than a million active users, and excellent recommendations. However, as we know, the popularity of open-source software comes with a price. The larger the user base, the greater the risk of malware attacks.
This isn’t the first time malware has infiltrated WP-based sites through Duplicator. The last issue occurred in mid-2018, and it didn’t directly concern the plugin itself but rather the files it automatically generated after transferring a site to another server.
This time, by exploiting the vulnerability, an attacker can access critical files containing, for example, MySQL database credentials. According to a report from Wordfence security specialists, over 60,000 attempts to download the wp-config.php file were blocked. Nearly all attacks originated from a single IP address: 77.71.115.52. This IP address belongs to a server hosted by Varna Data Center EOOD and is located in Bulgaria.
The issue is still under investigation, but we can already check whether our site has been targeted. Simply search your server logs to check if traffic from this IP address has been recorded. We also know that the attacks were executed using GET requests with the following query strings:

Hosting providers have been sending alerts recommending an urgent update of the free Duplicator plugin to version 1.3.28, or to version 3.8.7.1 for Duplicator Pro, as the latest versions have patched this critical vulnerability.
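The log check described above, as an added example (not code from Wordfence or the plugin's authors): it filters access-log lines for GET requests with a query string sent from the IP address named in this article and groups them by response status. It assumes the Apache/nginx "combined" log format; the sample lines, including their placeholder query strings, are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

ATTACKER_IP = "77.71.115.52"  # the address named in the article

# Apache/nginx "combined" format (assumption; adjust for custom formats)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines; the query strings are placeholders, not real indicators
SAMPLE_LOG = '''\
77.71.115.52 - - [01/Jan/2020:10:00:00 +0000] "GET /?placeholder_key=placeholder_value HTTP/1.1" 200 3120 "-" "-"
77.71.115.52 - - [01/Jan/2020:10:00:05 +0000] "GET /?placeholder_key=other HTTP/1.1" 403 199 "-" "-"
77.71.115.52 - - [01/Jan/2020:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.10 - - [01/Jan/2020:10:01:00 +0000] "GET /?s=backup HTTP/1.1" 200 7001 "-" "-"
not a log line
'''.splitlines()

def find_hits(lines, ip=ATTACKER_IP):
    """Return GET requests that carry a query string and came from `ip`."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ip"] != ip or m["method"] != "GET":
            continue  # unparsable line, other client, or other method
        url = urlsplit(m["target"])
        if not url.query:
            continue  # the article describes GET requests with query strings
        hits.append({
            "time": m["time"],
            "path": url.path,
            "params": dict(parse_qsl(url.query, keep_blank_values=True)),
            "status": int(m["status"]),
            "bytes": 0 if m["size"] == "-" else int(m["size"]),
        })
    return hits

def summarize(hits):
    """Count hits per status and list those answered 200 with a body."""
    by_status = Counter(h["status"] for h in hits)
    served = [h for h in hits if h["status"] == 200 and h["bytes"] > 0]
    return by_status, served

if __name__ == "__main__":
    by_status, served = summarize(find_hits(SAMPLE_LOG))
    print(dict(by_status), [(h["time"], h["params"]) for h in served])
```

Requests that were answered with status 200 and a non-empty body are the ones to review first, since the server actually returned content to that client. If such a response could have contained wp-config.php, treat the database credentials as exposed and change them.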
How to protect yourself from malware attacks?
One of the most crucial aspects of security is updates, and this situation is yet another example of what we have always emphasized to our clients. We covered this extensively in another article. Updates are absolutely essential, and neglecting them opens the door to malicious software in your WordPress site.
If you are one of our clients, you can rest easy – we perform all updates on an ongoing basis. However, if you are not yet working with us and have fallen victim to an attack – contact us, and we will surely find a way to help you.
