A plugin for the Elementor sitebuilder has a major vulnerability that allow remote attackers to create administrative accounts without any need for authentication. The admin users can then do anything a WordPress user can do which is add or remove content, create or delete users, modify the site’s configuration, make persistent database changes, among others without any authentication. This vulnerability is under active use and there is not a patch at this time. ETC Maryland Fully Managed Hosting clients were automatically protected against this vulnerability. If you are not a fully managed hosting client your mitigation is to delete the Plus Addon for Elementor to block this attack until a patch is released by The Plus authors. Other ETC Maryland clients who are not on the Fully Managed Hosting plan will get the updated security rules on April 7th. This was first discovered on March 8th and Fully Managed hosting clients got the updated security rules within 24 hours.
ETC Maryland specializes in WordPress hosting and security. If your host did not have the ability to protect you from this active attack, check your site to eliminate the vulnerable plugin until Elementor issues a patch. You can contact me to evaluate your hosting and compare your host against ETC Maryland’s hosting offerings. You can also learn more about how our hosting stacks up to others by listening here.