Hi All,
This is my first time posting in the WP subreddit, but I’ve been using WP for many years. I have, fortunately, had no security issues with my websites, but this morning I was made aware of an incident involving my customers.
I have a website that sells licensed products (themes, plugins, etc.). One of my customers informed me that they received an odd email asking them to download an important security patch. This email came from a similar domain (mydomain.com vs. [mydomain.me](https://mydomain.me)). After scanning and decoding (Ioncube) the contents of the email, I discovered it was an attempt to steal the customer’s client database.
Throughout the day, I’ve had more and more of my clients email me asking about the legitimacy of this email. I’ve since sent out communication informing them not to download the malicious files, but I’m sure a few have already done so.
I believe that my customer database (housed in Easy Digital Downloads) was compromised somehow. I’ve done some initial snooping but cannot find unauthorized access to my WP admin. I have 2FA enabled on all admin accounts and all of my plugins are up-to-date (I check my website daily and run updates when possible). It would only be possible for this type of email scam to be sent out with all of my customers’ email addresses. But if my entire database was breached, I imagine my website would be completely messed up, and it’s not.
I am currently hosted on WPEngine and utilize my Cloudflare Pro account with CF APO. I have a handful of WAF rules in place, but I don’t know what to do next. Have you all gone through similar experiences? How did you handle your data breach, and what security recommendations might you have for someone in my position?
I’m currently looking into Wordfence Care, but I don’t know if that’s worth it or helpful. I’m also considering changing the WordPress password salt so all users are forcefully logged out. I’ve asked my customers to change their passwords as there is no way to mass reset them. I don’t know my first step to harden my WP instance, as I do not know where the breach happened.
Thank you for your time!
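The post mentions changing the WordPress salts to force every user to log back in. The script below is an added example written for this thread (not code from WordPress, Easy Digital Downloads, WPEngine or any plugin) showing what that change actually is: the eight `AUTH_KEY` … `NONCE_SALT` constants in `wp-config.php` are the secrets WordPress uses to sign login cookies, so replacing all eight invalidates every existing session cookie on the site. It assumes a standard `wp-config.php` layout with `define('NAME', 'value');` lines; the embedded `SAMPLE_WP_CONFIG` is a constructed fragment with placeholder values, not a real site's configuration. Note that this only kills sessions: it does not change anyone's password (WordPress password hashes do not use these constants), and on a managed host the file may be managed for you, so check with the host before editing it.

```python
"""Rotate the WordPress authentication salts in wp-config.php.

WordPress signs login and nonce cookies with the eight key/salt constants
below. Replacing all eight invalidates every existing session cookie, so
every logged-in user (customers included) must re-authenticate.
Example code written for this thread; not WordPress or plugin code.
"""
import re
import secrets
import string

SALT_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII minus quotes, backslash and whitespace, so the value can be
# dropped into a single-quoted PHP string literal without escaping.
_ALPHABET = "".join(
    c for c in string.printable if c not in "\"'\\" and not c.isspace()
)

# Matches define('NAME', 'value'); with either quote style (assumed layout).
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;"""
)


def new_salt(length: int = 64) -> str:
    """Generate one cryptographically random salt value."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def rotate_salts(config_text: str) -> tuple[str, dict[str, str]]:
    """Return (updated wp-config text, {constant: new value}).

    Only the eight salt constants are rewritten; every other define() is left
    untouched. Raises ValueError if any constant is missing, because a partial
    rotation would leave some cookies valid.
    """
    new_values: dict[str, str] = {}

    def _replace(match: re.Match) -> str:
        name = match.group("name")
        if name not in SALT_CONSTANTS:
            return match.group(0)  # e.g. DB_NAME: keep as-is
        value = new_salt()
        new_values[name] = value
        q = match.group(1)
        return f"define({q}{name}{q}, '{value}');"

    updated = DEFINE_RE.sub(_replace, config_text)
    missing = [c for c in SALT_CONSTANTS if c not in new_values]
    if missing:
        raise ValueError(f"wp-config.php is missing salt constants: {missing}")
    return updated, new_values


def extract_salts(config_text: str) -> dict[str, str]:
    """Read back the current salt constants (useful to verify the rewrite)."""
    return {
        m.group("name"): m.group("value")
        for m in DEFINE_RE.finditer(config_text)
        if m.group("name") in SALT_CONSTANTS
    }


# Constructed sample fragment of a wp-config.php with the stock placeholder values.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    import sys

    # Usage: python rotate_salts.py /path/to/wp-config.php  (writes a .bak first)
    # With no argument it just prints the rewritten constructed sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_WP_CONFIG
    updated_text, _ = rotate_salts(text)
    if path:
        with open(path + ".bak", "w") as backup:
            backup.write(text)
        with open(path, "w") as out:
            out.write(updated_text)
    else:
        print(updated_text)
```

Run it against a copy of the file first and diff the result; the only lines that should change are the eight salt defines.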