I have been, or can be if you click on a link and make a purchase, compensated via a cash payment, gift, or something else of value for writing this post. Regardless, I only recommend products or services I use personally and believe will be good for my readers.
I read today* about a vulnerability in Revolution Slider. This is a very popular plugin, and is bundled with the 2nd most popular theme on Theme Forest, X | The Theme.
If you see in your server access logs:
wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
Then your site has been attacked (not necessarily compromised). The img parameter is a path traversal: the plugin reads whatever file it names and sends it back, so a 200 response to that request means the server handed wp-config.php to whoever asked. That file holds your MySQL host, username and password, the table prefix and the authentication keys and salts, so a successful attacker can log in to the database (if it is reachable from where they are) and may be able to do just about anything they want with your site.
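As an added example (not code from the article, the plugin or its vendor), here is that one-line log check turned into a script. It parses combined-format access log lines, percent-decodes the request path so encoded spellings are caught, keeps only revslider_show_image calls whose img value climbs out of the plugin's directory with ../, and rates each hit by the response: a 403 or 404 means you were attacked, a 200 with a body means the file very likely came back. It also reports whether the literal wp-config.php test that the .htaccess rule given below applies to the query string would have fired on the raw request, because mod_rewrite sees the query string before percent-decoding. The log lines are constructed samples, not a real server's logs.

```python
"""Find Revolution Slider revslider_show_image traversal probes in access logs.

Added example for this post; not code from the article or from the plugin.
The log lines at the bottom are constructed samples.
"""
import re
from urllib.parse import unquote

# Apache/nginx "combined" format:
#   ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Traversal in either slash flavour; a real slide image never needs "..".
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

# The literal test the post's .htaccess rule applies to the *raw* query string.
HTACCESS_RULE_RE = re.compile(r'wp-config.php')


def decode_fully(text, max_rounds=3):
    """Percent-decode until stable (bounded), so %2e%2e and double-encoded
    payloads collapse to the bytes PHP will actually see in $_GET['img']."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(line):
    """Return a finding dict for a revslider traversal hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw_path = m.group("path")
    path = decode_fully(raw_path)
    if "action=revslider_show_image" not in path:
        return None
    img = re.search(r'[?&]img=([^&]*)', path)
    target = img.group(1) if img else ""
    if not TRAVERSAL_RE.search(target):
        return None  # the plugin's own image fetches: no traversal, no finding

    status = int(m.group("status"))
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    if status >= 400:
        verdict = "blocked_or_missing"   # attacked, not compromised
    elif status == 200 and size > 0:
        verdict = "likely_read"          # bytes came back: assume the file leaked
    else:
        verdict = "unclear"

    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "target": target,
        "status": status,
        "verdict": verdict,
        "encoded": raw_path != path,
        # Would the post's QUERY_STRING rule have fired on this exact request?
        "htaccess_rule_matches": bool(HTACCESS_RULE_RE.search(raw_path)),
    }


def scan(lines):
    """Classify every line; return only the findings, in log order."""
    return [f for f in map(classify, lines) if f]


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Sep/2014:10:14:03 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Sep/2014:10:15:41 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=revslider_show_image&img=../wp-confi%67.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Sep/2014:11:02:19 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [02/Sep/2014:11:40:55 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=revslider_show_image&img=../../../../etc/passwd HTTP/1.1" 200 1502 "-" "curl/7.35"',
    '192.0.2.9 - - [02/Sep/2014:11:41:10 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=revslider_show_image&img=uploads/2014/09/slide1.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [02/Sep/2014:11:41:12 +0000] "GET /index.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']:>15} {f['verdict']:<18} {f['target']}"
              f"{' (percent-encoded)' if f['encoded'] else ''}"
              f"{'' if f['htaccess_rule_matches'] else '  <- query-string rule would NOT block this'}")
```

Run it against a real log with `scan(open('access.log'))`. The second and fourth sample hits are the ones to notice: the encoded spelling and the request for a file other than wp-config.php both read out the file and both pass the post's query-string rule, which is why upgrading the plugin, not the rewrite rule, is the fix.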
What you should do right now
Upgrade the Plugin
First, upgrade the plugin! If you're running version 4.1.4 or older, you need to upgrade. If you are using a theme that bundles Revolution Slider and the theme hasn't been updated, get the current plugin and upgrade it yourself: a copy shipped inside a theme does not show up in WordPress's normal plugin updater, so nothing will do it for you.
Add to .htaccess
Next, there are some lines you can add to your .htaccess file to make it more secure. Your existing file looks something like this:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
If you add the two lines marked below, Apache will answer 403 to any request whose query string (everything after the "?" in the URL) contains wp-config.php. Two caveats: mod_rewrite tests the query string as the client sent it, before percent-decoding, so a request that spells the filename with an encoded character slips past while PHP still decodes it; and the rule names one file, while the same traversal can fetch any other file the web server user can read. Treat it as a stopgap that catches the mass scanners while you upgrade, not as the fix.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Added: refuse anything that names wp-config.php in the query string
RewriteCond %{QUERY_STRING} wp-config\.php [NC]
RewriteRule .* - [F]
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
I’m a big fan of using .htaccess to block certain parts of WordPress. Here’s some of what I use; it goes inside the <IfModule mod_rewrite.c> block, after RewriteBase / and before WordPress’s own rules:
# POSTs to the login page or /wp-admin must carry a Referer from this site
# (change ericnagel.com to your own domain). The pattern is anchored to the
# host so http://evil.example/ericnagel.com does not pass; https is allowed.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?ericnagel\.com(/|$) [NC]
RewriteCond %{REQUEST_URI} ^/(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]

# xmlrpc.php: nothing I run needs it, so refuse it outright
RewriteCond %{REQUEST_URI} ^/(.*)?xmlrpc\.php(.*)$
RewriteRule .* - [F]

# "environ" in the query string: old /proc/self/environ inclusion attacks
RewriteCond %{QUERY_STRING} environ [NC]
RewriteRule .* - [F]

# No PHP served from the uploads directory. Deliberately not anchored at the
# end, so shell.php.jpg is refused too. Add phtml/php5 if your server maps
# those extensions to PHP.
RewriteCond %{REQUEST_URI} ^/wp-content/uploads/.*\.php
RewriteRule .* - [F]

# The Revolution Slider probe: wp-config.php named in the query string
RewriteCond %{QUERY_STRING} wp-config\.php [NC]
RewriteRule .* - [F]
What this does is
- only allow POSTs to wp-login.php and /wp-admin when the Referer header points at my own site (you’ll change “ericnagel.com” to your own domain). The Referer is supplied by the client, so this shuts out bulk brute-force bots, not an attacker who bothers to forge it
- block any requests to xmlrpc.php (if you don’t use it, block it; Jetpack and the WordPress mobile apps do use it, so check before you do)
- block any request with environ in the query string (this comes from an old local-file-inclusion attack that reads /proc/self/environ; nothing legitimate asks for it, so just block it)
- block any requests to .php files under wp-content/uploads (if a hacker manages to upload a script to your uploads folder, they won’t be able to execute it via the web)
- block any request that has wp-config.php in the query string
Lock Down MySQL
Finally, once the plugin is upgraded (otherwise the new credentials can be read out the same way), change your MySQL password, both on the server and in wp-config.php, and make sure the database accepts that account only from your web server. A MySQL account is user@host, and a host of % means anyone on the network who holds the leaked username and password can connect. If MySQL runs on the same machine as your web server, use localhost; otherwise, use the web server’s hostname or IP address. It is also worth checking that MySQL is not listening on a public interface at all, or that port 3306 is firewalled down to the web server.
Generate New Authentication Unique Keys
Go to https://api.wordpress.org/secret-key/1.1/salt/ and generate new Authentication Unique Keys and Salts, then paste the eight define lines over the existing ones in your wp-config.php. These values sit in the same file as the database password, so a successful attack has revealed them too, and they should be reset.
You can change these at any point in time to invalidate all existing cookies, which forces all users to log in again. Resetting secrets does not undo anything an attacker did while they had access, though: also check the Users list for accounts you don’t recognise and compare your plugin and theme files against fresh copies.
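As an added example (not code from the article or from WordPress), here is how to produce the same eight constants locally with Python's secrets module instead of fetching them over the network, and splice them into a wp-config.php body so the old values are gone. The character set is assumed to be the one WordPress's wp_generate_password() draws from; any 64-character string from a CSPRNG would serve just as well. The wp-config.php fragment is constructed for the example.

```python
"""Generate fresh WordPress authentication keys and salts locally and splice
them into wp-config.php.

Added example for this post; not code from WordPress or from the article.
"""
import re
import secrets

# The eight constants wp-config.php defines, in the order the WordPress
# secret-key API lists them.
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
KEY_LENGTH = 64

# Assumption: the character set wp_generate_password() draws from. It has no
# quote or backslash, so a value can sit inside a single-quoted PHP string.
ALPHABET = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"
)

# Matches define('NAME', 'value'); with either quote style and optional
# whitespace, covering the ways wp-config-sample.php has written it.
DEFINE_RE = re.compile(
    r"define\(\s*['\"](?P<name>[A-Z_]+)['\"]\s*,\s*['\"][^'\"]*['\"]\s*\)\s*;"
)


def generate_key(length=KEY_LENGTH):
    """One key from the OS CSPRNG (secrets), never from the random module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_salts():
    """A distinct fresh value for each of the eight constants."""
    return {name: generate_key() for name in KEY_NAMES}


def render_defines(salts):
    """The define() lines to paste into wp-config.php, aligned like the API output."""
    width = max(len(n) for n in salts) + 1
    return "\n".join(
        f"define('{name}',{' ' * (width - len(name))}'{value}');"
        for name, value in salts.items()
    )


def replace_in_wp_config(config_text, salts):
    """Rewrite the define() lines for the given constants in a wp-config.php
    body; return (new_text, lines_replaced). Other defines (DB_NAME, ...)
    are left untouched."""
    replaced = []

    def swap(m):
        name = m.group("name")
        if name not in salts:
            return m.group(0)
        replaced.append(name)
        return f"define('{name}', '{salts[name]}');"

    return DEFINE_RE.sub(swap, config_text), len(replaced)


# Constructed wp-config.php fragment with the stock placeholder values.
SAMPLE_WP_CONFIG = """\
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'old-leaked-password');
define('DB_HOST', 'localhost');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    new_salts = generate_salts()
    print(render_defines(new_salts))
    updated, count = replace_in_wp_config(SAMPLE_WP_CONFIG, new_salts)
    print(f"\n# replaced {count} define lines:\n{updated}")
```

To use it on a real file, read wp-config.php into a string, call replace_in_wp_config on it and write the result back; the count it returns should be 8, and anything less means one of the defines is written in a form the pattern did not recognise and needs pasting by hand.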
Looking Forward
Open Source software is awesome because anyone can see how it works, modify it, and expand on it. But it also allows for attackers to find vulnerabilities and exploit them.