One of the most common methods of WordPress hacking is to exploit plugin vulnerabilities.
Plugin vulnerabilities range from serious to minor (for example, a link in a spam email that merely redirects the user).
In this article, we will discuss the most serious vulnerability, called “arbitrary file upload,” which allows external parties to upload files directly to your server, and how to prevent it.

The danger of Arbitrary file upload (file upload vulnerability) and what it can do

All WordPress plugins that can be downloaded from the official website are under the GPL, a free license that allows anyone to read the code.
Plugin vulnerabilities are constantly being discovered and shared online by people including security companies and various hackers. Although it rarely comes up, a vulnerability that allows an external file to be uploaded is a prime target for hackers when it is discovered in a plugin that has many users. In fact, many sites continue to use plug-ins that contain such vulnerabilities.

Vulnerabilities that have not yet been shared publicly are called 0-day vulnerabilities, and they sometimes fetch high prices in the hacker world.

For example, if the following code is included somewhere in a plugin, hackers can upload any program file they want to the server. (The actual code is more complex, but we have simplified the code to describe it)

// Vulnerable (simplified): the request supplies both the file name and the file contents
if(isset($_POST['setting']) && isset($_POST['filename'])){
    $file = $_POST['filename'];                  // path taken straight from the request, no validation
    file_put_contents($file, $_POST['setting']); // contents taken straight from the request, written to disk
}

This code has multiple vulnerabilities: it does not validate the received data, it bypasses WordPress functions, and it does not escape or reject invalid strings. Yet a programmer could easily make a simple mistake and leave code like this somewhere in a plugin.
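As an added example that is not part of the original article, here is the same "save a setting" logic rewritten with WordPress' own checks, so that neither the destination path nor the file type can be chosen by the client. The hook name, setting keys and subdirectory name are assumptions for illustration.

```php
<?php
// Added example (not from the article): hardened replacement for the
// vulnerable settings-writer. Assumes it runs inside a WordPress plugin
// and is reached through admin-post.php with action "myplugin_save"
// (the hook, keys and directory name below are hypothetical).
add_action('admin_post_myplugin_save', 'myplugin_save_setting');

function myplugin_save_setting() {
    // 1. Only administrators may change settings (capability check).
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', 403);
    }

    // 2. Reject forged cross-site requests: the form must carry a valid nonce.
    check_admin_referer('myplugin_save_setting');

    // 3. Never let the client pick the path. The file name comes from a
    //    fixed allow-list keyed by a sanitized setting name, and the
    //    extension is always .txt, so no executable file can be created.
    $allowed = array(
        'banner' => 'banner.txt',
        'footer' => 'footer.txt',
    );
    $key = isset($_POST['setting_key']) ? sanitize_key($_POST['setting_key']) : '';
    if (!isset($allowed[$key])) {
        wp_die('Unknown setting', 400);
    }

    // 4. Sanitize the value itself (strips tags and control characters).
    $value = isset($_POST['setting'])
        ? sanitize_textarea_field(wp_unslash($_POST['setting']))
        : '';

    // 5. Write only inside a plugin-owned directory under wp-content/uploads.
    $upload = wp_upload_dir();
    $dir    = trailingslashit($upload['basedir']) . 'myplugin-settings/';
    wp_mkdir_p($dir);
    file_put_contents($dir . $allowed[$key], $value);

    wp_safe_redirect(admin_url('options-general.php?page=myplugin&saved=1'));
    exit;
}
```

Where the "file" is really just configuration text, storing it with update_option() instead of writing to disk removes the file-write entirely.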

Arbitrary file upload vulnerabilities allow the following unauthorized activities on the server:

Reading database credentials by dumping the contents of wp-config.php as text
Browsing the database to add users or change the password of an existing user with administrator privileges
Installing a spam email delivery program
Embedding cryptocurrency mining code into your site
Embedding code that redirects site visitors to another site
Embedding virus distribution code

etc.

We think it is safe to assume that a single vulnerability like this puts everything that can be done on the server and everything that can be done in WordPress in the hands of hackers.

How can we prevent hackers from taking advantage of plugin vulnerabilities?

1 Check for plugin vulnerabilities

First, check your site for plugin vulnerabilities. You can search for your plug-ins here or check for vulnerabilities in our services below.

WordPress Doctor Vulnerability Scanner

2 Hide Plugin Version

As preliminary research before exploiting a vulnerability, hackers look at which plugins a site uses and which versions of those plugins are installed.
We have created a Malware Scanning & Security plugin that allows you to hide the WordPress and plugin versions. We hope you will use it.

3 Do not output the Index list

If no index file exists in a given folder, the server automatically generates and outputs a list of the files contained in that folder.
Outputting such an index list is dangerous because search engines index the list, including the file paths in that folder, so a search for a specific string of characters turns up the folder in the results.

Hackers use this technique to find targets to attack (this technique is called a Dork).
We have created a Malware Scanning & Security plugin that allows you to disable output of the index list.

4 Always inspect your server for malicious files or code uploaded into it!

The code that hackers upload is obfuscated and generally done on a large scale for multiple sites, so there is some commonality.

WordPress Doctor Malware Scanner is constantly updating its database with those common codes and can detect the latest malware code patterns.

It also has the ability to scan automatically in the middle of the night, so if malicious code is uploaded, it can be detected within 24 hours, helping to recognize site tampering in a short period of time.

5 Remove unused plug-ins

Vulnerabilities in certain plugins can be exploited by accessing the plugin's files directly, even when the plugin is not enabled.
Removing a plugin that is no longer used or updated, even if it is disabled, therefore reduces the risk of hacking.

6 Updating Plug-ins

We recommend that you update your plugins as often as possible. The latest version of a plugin may already fix a vulnerability that has not yet been publicly discovered.

Please use the free WordPress security enhancement plugins that can detect the latest malware.