This came out of nowhere! I entered my URL into a browser to find that I’ve won some prizes! Totally unexpected…
Usually, when crap like this happens, it’s Cloud at Cost trashing my VM, but this was different.
Turns out an exploit in WordPress’ Duplicator plugin (which I use for backups) allowed hackers to upload and modify PHP scripts in the HTML root, so they inserted some code to redirect users to a site of their choice.
All I have to do now is to collect my prize…
Seriously though… the joke’s on them. I usually make a backup after each modification, so I simply restored it, disabled some plugins, and we were back in business. I may have lost some minor updates in the process, but nothing serious.
Based on what I saw though, the hacker also installed a backdoor and made a ton of changes to the WordPress core scripts. It would have been a drag cleaning this up without a full restore.
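
As an added example (not code from the original post): one way to see which files were dropped or altered, like the backdoor and core-script changes described above, is to hash every file in the live web root and compare it against the last known-good backup. The directory layout and file contents are constructed sample data, and `compare_to_backup` and `build_sample_trees` are hypothetical helper names.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_to_backup(backup_root, live_root):
    """Return files added, modified or removed in live_root relative to the backup."""
    good, live = hash_tree(backup_root), hash_tree(live_root)
    return {
        "added": sorted(set(live) - set(good)),
        "modified": sorted(p for p in good if p in live and good[p] != live[p]),
        "removed": sorted(set(good) - set(live)),
    }

def build_sample_trees(base):
    """Constructed sample data: a tiny 'backup' tree and a tampered 'live' copy."""
    files = {"index.php": "<?php // front controller\n",
             "wp-includes/load.php": "<?php // core loader\n",
             "wp-content/uploads/logo.png": "PNG"}
    tampered = dict(files)
    tampered["wp-includes/load.php"] += "// constructed: injected line\n"
    tampered["wp-content/uploads/x.php"] = "<?php // constructed: dropped file\n"
    del tampered["wp-content/uploads/logo.png"]
    for tree, content in (("backup", files), ("live", tampered)):
        for rel, text in content.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
    return os.path.join(base, "backup"), os.path.join(base, "live")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = compare_to_backup(*build_sample_trees(tmp))
        for kind, paths in report.items():
            for p in paths:
                flag = "  <-- PHP" if p.endswith(".php") else ""
                print(f"{kind:9} {p}{flag}")
```

Any `.php` file reported as added under an uploads directory, or any core file reported as modified, is worth inspecting before trusting the site again.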