Elementor takes its responsibility to create secure plugins seriously. Our developers are highly trained to write safe, secure code, and we monitor for vulnerabilities. However, as with all software, even with the level of expertise and scrutiny that we employ, vulnerabilities can sometimes occur. As such, there are things that every web creator should know and do to keep their websites as secure as possible.
Q: How does Elementor prevent security issues from happening?
A: We have specialized professionals who continuously monitor for potential issues. In addition, we may be notified by people in our community channels, findings from security software makers, and of course our own testing procedures.
Q: Do security issues happen often?
A: Fortifying security is a continuous process, not just a single effort. Whenever we identify a threat, we always remain vigilant and release a fix as soon as possible.
When we first discover a security vulnerability, we start by examining it and understanding it from each angle. In order not to jeopardize our users before issuing the fix, we keep the reported issue discrete. Once we issue the fix, we can go on to inform users about the vulnerability and its resolution.
Q: What can I do, in general, on my end to prevent security issues from happening?
A: One of the most important steps you can take is to keep WordPress and your plugins up to date, as this will help ensure that any security patches are applied. Other steps include changing your password from time to time, considering the use of security plugins, and being mindful that you only use plugins and themes from known sources such as the WordPress.org repository and established companies that have a strong history of providing quality products. Avoid installing "nulled" plugins and themes as these often contain malicious code, and only keep plugins and themes on your site that you are actively using.
Q: How do I know if and when the security issue has been contained or fixed? Where do I go for the latest updates about security issues?
A: Follow our social media channels and especially our communities. It will be mentioned there, in our changelog, and when relevant, in a separate email. Please make sure to create an account to receive important updates like these.
Q: Why doesn't Elementor send me a message the moment a vulnerability happens?
A: We do not want to alert abusers to a problem which could cause them to take advantage of the issue. We focus our efforts on getting a fix out there as soon as possible. When the issue is contained, we quickly inform our users via several channels, including email.
Q: I have an old version of Elementor Pro which was not renewed. Am I still safe?
A: Always upgrade to the latest version of Elementor. This may be applied to practically all software. New versions contain security updates, bug fixes, and offer amazing new features. If you want to test a new version before updating your live site(s), we recommend creating a staging area.
For information on specific security fixes, see below.
Security vulnerability solved on version 2.9.4
Q: What steps should I immediately take?
A: Update your Elementor Pro version to the latest one, 2.9.4. Also, head over to Settings » General page in your WordPress admin area. Scroll down to the ‘Membership’ section and uncheck the box next to the ‘Anyone can register’ option unless you activated it intentionally and need it for your website.
The vulnerability allows malicious files to be uploaded to the site via the Icon Sets Zip file uploading system. We want to emphasize that this loophole only affects Elementor Pro sites with a specific WordPress option active, namely the ‘Anyone can register’ option. We have already released a new version of Elementor Pro which resolves this vulnerability with two main fixes:
- Only Administrator role users can upload Icon Sets.
- Only authorized files can be processed via a ZIP file.
Q: Who is exposed to this vulnerability and to which version of Elementor does this apply?
A: The exploit uses the Custom Icons zip files upload mechanism to inject malicious files. The Custom Icons feature was introduced in Elementor Pro 2.6. Users with this and later versions (except 2.9.4) might be exposed and should take action to ensure their site safety. Users that have their site hosted on a server that restricts .php files execution in uploads folder are unlikely to be exposed to this vulnerability.
Q: How do I know if my site was affected?
A: Check your WordPress users list to see if any new unknown user has registered, especially if you control who registers to your site. If so, it still doesn’t mean that your site is affected: check your Custom icons folder in uploads directory: /wp-content/uploads/elementor/custom-icons/ and check in the inner Custom Icons folders for any unknown .php files. “index.php” is part of the original files. If you find any trace of the mentioned above items, it is likely that your site has been compromised.
Q: What should I do in case my site was affected?
A: If you think your site was compromised, delete any unknown users, change passwords to your registered users, and contact your hosting provider to let them know about the issue for further assistance. Restoring from a backup prior to the infected custom icons library creation date might be a viable solution for you.