
How to address the Plus Addons for Elementor vulnerability – March 2021

On March 8, 2021, Wordfence published a report indicating that WordPress sites using The Plus Addons for Elementor version 4.1.6 and earlier were impacted by a security vulnerability. The flaw makes it possible for attackers to create new administrative user accounts on vulnerable sites, if user registration is enabled, and to log in as other administrative users.

Here at Flywheel, we care about your site’s security, so we have provided steps to follow if you suspect your site has been impacted.


How can I tell if my site is compromised?

  • Check for recently created user accounts where the username is the same as the registered email address
  • Check for plugins you didn’t install, namely “Secure SEO for Stats”, which may appear in SFTP as wpstaff.zip or wpstaff.php in the wp-content/plugins directory
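
Both checks above can be scripted. The following is an added example, not Flywheel's or the plugin authors' code: it assumes the user list was exported with WP-CLI (`wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv`), and the sample rows, the function names and the March 1 cutoff used in the demo are constructed for illustration.

```python
import csv
import io
from datetime import datetime
from pathlib import Path

# File names the article lists for the "Secure SEO for Stats" plugin.
SUSPECT_PLUGIN_FILES = {"wpstaff.zip", "wpstaff.php"}


def suspicious_users(users_csv, since=None):
    """Return rows whose username equals the registered email address.

    users_csv: CSV text from the WP-CLI export named in the lead-in.
    since: optional datetime; only accounts registered on or after it are kept.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        login = row["user_login"].strip().lower()
        email = row["user_email"].strip().lower()
        if not login or login != email:
            continue
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if since is not None and registered < since:
            continue
        hits.append(row)
    return hits


def suspicious_plugin_files(plugins_dir):
    """Return paths under wp-content/plugins whose file name is on the list."""
    root = Path(plugins_dir)
    if not root.is_dir():
        return []
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.name.lower() in SUSPECT_PLUGIN_FILES)


# Constructed sample export (not real accounts).
SAMPLE_USERS_CSV = """ID,user_login,user_email,user_registered,roles
1,siteowner,owner@example.com,2019-05-02 10:15:00,administrator
7,editor.jane,jane@example.com,2020-11-20 08:30:12,editor
12,mallory@example.net,Mallory@example.net,2021-03-09 04:12:33,administrator
"""

if __name__ == "__main__":
    # Assumed cutoff for "recently created"; adjust to your own review window.
    for u in suspicious_users(SAMPLE_USERS_CSV, since=datetime(2021, 3, 1)):
        print("review user:", u["ID"], u["user_login"], u["user_registered"], u["roles"])
    for path in suspicious_plugin_files("wp-content/plugins"):
        print("review file:", path)
```

A match is a prompt for manual review, not proof of compromise: some sites legitimately use email addresses as usernames.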

Steps to resolve

1. Update to version 4.1.7 as soon as possible
As of March 9, the plugin authors have released a fixed version of the plugin. Update immediately to keep your sites secure.

2. Delete unknown admin users and update all admin passwords
Navigate to the Users area of your site’s WordPress admin and delete any unknown admin accounts.

Next, have all site admins update their passwords.


Restoring your site from backup

In some cases, it may be possible to restore your site from a backup taken prior to March 8, 2021 to undo any changes made while your site was compromised.

If you choose to pursue this option, make sure to remove or update the plugin once your site is restored.

As always, let us know if we can assist.


Still need help?

If you have any questions along the way, just reach out to our support team, we’d love to help!
