An Elementor Pro security vulnerability was recently discovered. On May 7, 2020 the makers of Elementor released version 2.9.4 to address the security issue.
If you are using Elementor Pro page builder for WordPress, its highly recommended that you review your site to see if it’s possibly effected.
What websites are at risk?
This vulnerability only effects websites that allow new users to register independently. If you do not have users registering to use functionality within your site, you still should review your WordPress settings to confirm the ability is not there.
How to check your site
This find this setting, go here:
- Log into your admin dashboard
- Click on Settings on the left menu
- Then click on General
- Find the membership option. Make sure “Anyone can register” is unchecked.
- Save any changes.

If this box was checked, you should then go to Users and then All Users. Review to see if there are any suspicious accounts that you do not recognize and delete them.
Does this mean I shouldn’t use Elementor?
This is a big NO. Keep using it. Elementor is software. WordPress is software. Fixing bugs and addressing security vulnerabilities that are found are simply part of the evolution of software. Virtually all software has bugs. Code maintenance is part of the process.
This is a good opportunity for me to bring up the point that regular WordPress maintenance is part of owning a website. It’s not optional or you are going to run into trouble.
I recently was in contact with someone who’s WordPress website was not working properly. Upon review, I saw quickly that it was infected with a virus. She was very upset when I told her that WordPress needs to be updated regularly or you risk getting hacked. She had a free theme installed that has been abandoned by the developer due to a vulnerability in October 2019. She got hacked due to this vulnerability. She told me the web designer only charged her a couple of hundred dollars to build the whole site and design a logo, but did not discuss WordPress security issues, or the need for regular maintenance. All I could say is “you get what you pay for”.
Website code is software. It needs to be maintained.
20,000 users have installed the OneTone theme. I’m sure there are not 20,000 active websites using it, but even if there are still a fraction of theme, that’s a lot of websites that will get hacked.
Hackers love when vulnerabilities like this are reported. They hear about it and can then exploit the issue on a massive scale quickly. They write scripts (call bots) that crawl the Internet finding websites that they can easily target and infect.
Often when I discuss the need for regular website maintenance with clients, they say “my site won’t get hacked” I don’t store credit cards or have anything of value. This is not a hackers mentality with website hacking though. Their goal is wreck havoc “just because”. Sometimes they are trying to exploit your site to send mass spam email or inject advertising or make money some other way.
If your site is using Elementor Pro and you’re not sure if you are vulnerable, get in touch and I will review.