Information about the hack

Version 2.1.6 of our WordPress SEO plugin was hacked on Monday, 23rd of September 2019. The security gap was an old WordPress setting to which a function in our metadata module referred. Please update our SEO plugin to at least version 2.1.9, either directly in WordPress or via FTP.

Manual Update

Although we released a bugfix on the same day, WordPress has not published it yet, as the mills unfortunately grind very slowly (a pity, with something this critical). For now, a manual update of our SEO plugin is therefore necessary. We have provided the latest version with the security update under the following link:

  1. Please download and unzip the ZIP file.
  2. Then copy the files via FTP into the directory /wp-content/plugins/ and overwrite the old files.
  3. Then log in to WordPress * and visit SEO > Free. Click Save in the top right corner. Then, if necessary, reactivate the metadata module and save again.
  4. Finally, please empty the website cache (if a cache plugin is installed) and test the website again.

* If you are redirected to an external website when logging in to the WordPress administration area or under SEO > Free, please go back to your page in the browser (if possible) and then click Save.

Extended Cleanup

If the measures described under Manual Update are not sufficient, we strongly recommend that you check your MySQL database. To do this, log in to your database (usually via phpMyAdmin) and search for the table ending in _options. If necessary, you can find the access data via an FTP program in the wp-config.php file in the WordPress root directory.

Screenshot from phpMyAdmin

If your domain in the fields siteurl and home is not in its usual spelling (that is, with the http(s) and www form under which your page is indexed in Google; if necessary, just google your page name), then please click “Edit” to the left of the fields and correct the information.
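The same siteurl/home check can be run as SQL in phpMyAdmin's SQL tab. This is an added example, not part of the original advisory; the table prefix wp_, the URL https://www.example.com and the backup table name are assumptions to replace with your own values.

```sql
-- Assumption: your site's usual address, in the http(s)/www form
-- under which it is indexed. Replace the placeholder.
SET @expected := 'https://www.example.com';

-- 1. Inspect both settings and flag any value that differs from the
--    expected address (a trailing slash is ignored).
--    Assumption: the options table uses the default prefix wp_;
--    use the name of your own table ending in _options.
SELECT option_id,
       option_name,
       option_value,
       IF(TRIM(TRAILING '/' FROM option_value) = @expected,
          'ok', 'CHANGED') AS status
FROM wp_options
WHERE option_name IN ('siteurl', 'home');

-- 2. Keep a copy of the current values before editing, so the
--    altered address can still be reviewed later.
--    The backup table name is hypothetical.
CREATE TABLE wp_options_backup_siteurl AS
SELECT option_id, option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home');

-- 3. Correct only the rows that differ; all other options stay untouched.
UPDATE wp_options
SET option_value = @expected
WHERE option_name IN ('siteurl', 'home')
  AND TRIM(TRAILING '/' FROM option_value) <> @expected;
```

Run the SELECT from step 1 again afterwards; both rows should now show the status ok.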

If you are using a cache plugin, please go to the /wp-content/plugins/ directory via FTP and prefix its name with _DIST_. This turns “wp-rocket” into “_DIST_wp-rocket” and switches the cache off. Then empty your browser cache and log in to WordPress again.

Then please go through the steps described in Manual Update. Afterwards, you can change the name of your caching plugin back to its original form to reactivate it, and empty its cache again. Finished.


If you need help with the update, please send us a support request with your WordPress and FTP login. We may also ask you for web hosting or MySQL access so that we can clean up your database.