Wednesday, 27 April 2016 18:34

2015 WordPress Vulnerability

The recent WordPress security alert advised users to upgrade to the latest version of WordPress, and published a list of the plugins that WordPress thought vulnerable. Users are advised to upgrade as soon as possible. In this particular case, however, keeping your plugins and WordPress up to date would not have protected you from infection. The core issue was a poorly documented subroutine/API, which led developers to believe that they did not need to clean the parameters in the URL (which hackers can use to execute commands on the web server). The exploit can be used to leave behind nasty backdoors and malware which the attackers can activate at their leisure, so the infection won't necessarily be caught by a malware checker.

We also found that many modifications to plugins and themes made by web developers were vulnerable to the security issue. Simply upgrading to the latest version of WordPress and plugins won't necessarily help you if your site has already been infected. So how do you know if it has, and what can you do about it? The only real way of protecting yourself is to reinstall WordPress and all your plugins from scratch, install your theme (after checking it for infection), and import your data (after checking it for compromised comments etc.). That's going to be a long and expensive process, particularly if you have a big site.

We upgraded WordPress and plugins in a timely fashion on a shared VPS with about 10 WordPress sites on it, and then went looking at modifications to plugins and themes done by others. We found that even after the upgrade the sites were compromised; in our particular case it was a PHP injection attack. We cleansed it by searching every PHP file for the pattern of the attack and removing the offending code. We also scheduled a search for the pattern every hour so we can see if we are still vulnerable. We then went looking on our dedicated VPSs and found exactly the same issues. We then had to reinstall WordPress from scratch on every site just to be sure that no trace of the infection was left behind.

The pattern we found was a PHP injection attack; it may not be the same for everyone, and the injected code looks like it should be there. Look for "Speedup php function cache" in all PHP files. The function uses base64 to inject whatever code the hacker likes into your PHP files.
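
The search described above can be scripted. The following is an added example, not the script used on the servers described here; the extension list, the case-insensitive match and the function names are assumptions of the example.

```python
#!/usr/bin/env python3
"""Scan web roots for the injection marker quoted in the article."""
import os
import sys

# Marker text comes from the article. Matching it case-insensitively and
# the extension list below are assumptions made for this example.
MARKER = b"speedup php function cache"
PHP_EXTENSIONS = (".php", ".phtml", ".inc")


def scan_tree(root):
    """Return {path: {"lines": [...], "base64_decode": bool}} for flagged files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:  # bytes: tampered files may not be valid UTF-8
                    lowered = fh.read().lower()
            except OSError as exc:
                print(f"unreadable: {path}: {exc}", file=sys.stderr)
                continue
            if MARKER not in lowered:
                continue
            lines = [n for n, line in enumerate(lowered.splitlines(), 1)
                     if MARKER in line]
            findings[path] = {"lines": lines,
                              "base64_decode": b"base64_decode" in lowered}
    return findings


def main(argv):
    """Scan each directory given on the command line (default: current dir)."""
    found = {}
    for root in argv[1:] or ["."]:
        found.update(scan_tree(root))
    for path, info in sorted(found.items()):
        print(f"{path}: marker on line(s) {info['lines']}, "
              f"base64_decode present: {info['base64_decode']}")
    return 1 if found else 0  # non-zero exit lets an hourly cron job raise an alert


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass the web roots as arguments when scheduling it. A hit means the file needs manual review, and because the pattern may differ from site to site, a clean result does not show that a site is uninfected.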

A strong message to all developers: always, always escape input/URIs from whatever source (<input>, GET, server variables, URIs), even if you think it's safe and has been escaped before.
