14

I've seen a site that has been attacked by uploading php scripts (presumably some sort of shell, or code that loads a shell) to Wordpress' wp-content/uploads directory. Usually this directory is used for user uploaded content like photos etc. This particular server was configured to then run the malicious scripts for any user on the Internet (with knowledge of the correct URL).

How does this work? How would the cracker get WordPress to place the php file in the uploads directory without a user account? Is this just the infamous and unspecific "yeah, WordPress is not secure" type of problem?

Thomas

3 Answers

13

I wouldn't say that the root cause of the problem is Wordpress, but rather the fact that:

  • There are so many themes/plugins for WordPress available from 3rd party developers, and people usually don't audit them before installing them. Since the entry barrier for PHP is very low, a lot of those 3rd party developers have no/poor IT security knowledge.

I think one of the most likely scenarios is where a WordPress setup is configured with a plugin/theme which allows anonymous uploads. One example is the Clockstone Theme upload.php Arbitrary File Upload Vulnerability.

Basically, you

  1. Need to make sure unauthorized/anonymous uploads are not allowed
  2. Move uploaded files out of the web root directory
  3. Verify the content to make sure only what you expect gets uploaded and saved

The page on Unrestricted File Upload on the OWASP web site has some very good explanations on the subject.

  • Moving the uploaded files out of the web root directory isn’t that good as in most cases you want to be able to download them. So instead of having another script that you can download the uploaded files, you could also reject `.php` files entirely (WordPress’s upload utilities do that already, but plugins can implement their own upload), or disable PHP inside the upload directory. – Gumbo Apr 05 '14 at 22:26
  • I wonder why "Better WP Security" does not suggest to disable php in the upload directory. It seems like such a basic security measure... should be default in WordPress even. – Thomas Apr 08 '14 at 20:03
  • Good answer (+1). Remote File Inclusion (RFI) attacks are often enabled by themes. Themes with TimThumb related functionality are the most common suspect, still responsible for over 58% of all RFIs in 2013. – Igal Zeifman May 01 '14 at 11:26
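The three rules from this answer, applied to a single upload handler, as an added example that is not code from the answer, from WordPress or from any plugin; the upload directory path, the accepted image types and the two function names are assumptions:

```php
<?php
// Added example (not WordPress code): refuse anonymous uploads, verify the
// content from the bytes themselves, and store under a server-chosen name in
// a directory outside the web root. UPLOAD_DIR is an assumed path.
const UPLOAD_DIR = '/var/www/private-uploads';   // assumed: outside DocumentRoot

// Accepted types, keyed by the MIME type detected from the file bytes
// (never from the client-supplied $_FILES[...]['type'] or filename).
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function storeUpload(array $file, bool $isAuthenticated): string
{
    if (!$isAuthenticated) {
        throw new RuntimeException('anonymous uploads are not allowed');
    }
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('invalid upload');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException("rejected: not an accepted image ($mime)");
    }
    // The stored name is generated here, so nothing from the original
    // filename (including its extension) ever reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Download endpoint: the files live outside the web root, so the web server
// never treats them as scripts; this function streams them back as data only.
function serveUpload(string $name): void
{
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED, true));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

The strict name pattern in serveUpload doubles as the path check: only names the server itself generated can be requested, so no user-supplied path ever reaches readfile.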
5

I agree that the plugins and themes can be problematic, but want to add three more suggestions relating to the use of plugins:

  1. You should make sure you're running the latest version of WordPress AND plugins.
  2. Go through your plugins and delete anything you really don't need. Try and replace plugins with code wherever possible.
  3. Be more choosy about downloading plugins (who made it, when, and how often is it updated).

3rd party developers, while maybe initially missing security issues, do offer updates to cover security problems - but part of the responsibility also lies with the WP user. I ignored updates because they made more work for me in the short term, but in the long run made a lot of problems.

This is advice from a consultant we hired to help us secure our websites after our .php files were hacked.

Rae
  • We were following this advice, one affected blog had only two plugins which were "Better WP Security" and "Akismet". The themes could be the culprit, though. It's also hard to say when the upload happened. Better WP Security reported the "new files" but then it turned out that there were many more with the same hash unreported. It seems that the attackers could not do anything with the uploaded files. No rootkit was installed, no traces in the database, just these files were present. – Thomas Apr 08 '14 at 19:58
4

Create a blank file in a text editor. Call it .htaccess and paste the following code in there:

<Files *.php>
    deny from all
</Files>

Now upload this file in your /wp-content/uploads/ folder.

Code Explanation: This code checks for any PHP file and denies access to it.

Paul S.
    Welcome to Stack Exchange! Although this is a possible answer to the problem, it does not answer the question - how do the crackers upload these files in the first place? – S.L. Barth May 16 '15 at 16:23
  • While we appreciate your exactness, S.L. Barth, you should allow a little leniency, because behind every "how" question there is intent, in this case the "how" can lead to the solution and in that regard this is part of a possible answer. Please help keep stackoverflow useful practically, as well as theoretically... – Dagelf Apr 25 '18 at 12:51