I read today* about a vulnerability in Revolution Slider. This is a very popular plugin, and is bundled with the 2nd most popular theme on Theme Forest, X | The Theme.

*It took 3 months for the severity of this attack to go from discovery to me via a colleague. Probably partially due to the fact that I’m not on Twitter all the time, but I’m quite disappointed that Envato did not alert anyone who bought the plugin or one of the 1,197 themes with Revolution Slider embedded, warning them of this vulnerability.

If you see in your server access logs:

wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

Then your site has been attacked (not necessarily compromised). The plugin's revslider_show_image action is reachable without logging in, and the "img" parameter is used as a file path, so "../wp-config.php" walks out of the plugin directory and returns your configuration file. The status code and response size tell you whether it worked: a 200 with a few kilobytes returned means the file was almost certainly served; a 403 or 404 means the request was refused. Attackers also URL-encode the "../", so a search for the literal string above will miss some attempts; decode the query string before you search. If the attack succeeded, the attacker has your MySQL database login (and the authentication keys) from wp-config.php and may be able to do just about anything they want with your site, starting with adding an administrator account of their own, so check your users list as well.
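To find these requests in an access log, here is an added example (my code, not part of the original post or of the plugin) that parses combined-format log lines, URL-decodes the query string the way PHP does so encoded forms of "../" are caught, and uses the status code to separate a served request from a refused one. The log lines inside it are constructed for illustration and use documentation IP ranges.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def is_revslider_lfi(target: str) -> bool:
    """True when the request is the revslider_show_image AJAX action with an
    img parameter that climbs out of its directory with '..'.

    parse_qs URL-decodes each value once, which is what PHP does when it
    fills $_GET, so '..%2Fwp%2Dconfig.php' is seen as '../wp-config.php'.
    """
    parts = urlsplit(target)
    if not parts.path.endswith('/wp-admin/admin-ajax.php'):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    if 'revslider_show_image' not in query.get('action', []):
        return False
    return any('..' in img for img in query.get('img', []))


def scan(lines):
    """Return (ip, status, verdict, target) for each matching request.
    verdict is 'served' for a 200 (the file was most likely returned) and
    'blocked' for anything else (403 from an .htaccess rule, 404, ...)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_revslider_lfi(m['target']):
            verdict = 'served' if m['status'] == '200' else 'blocked'
            hits.append((m['ip'], m['status'], verdict, m['target']))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
# Line 3 hides the file name as wp%2Dconfig.php: a grep for the literal
# string misses it, and so does an .htaccess rule that matches the raw query.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2014:03:12:01 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3201 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2014:03:12:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2F..%2Fwp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2014:03:15:40 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2Fwp%2Dconfig.php HTTP/1.1" 200 3201 "-" "curl/7.38.0"
192.0.2.77 - - [10/Nov/2014:03:20:00 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slide1.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
192.0.2.78 - - [10/Nov/2014:03:21:00 +0000] "GET /?s=wp-config.php HTTP/1.1" 200 9102 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for ip, status, verdict, target in scan(SAMPLE_LOG.splitlines()):
        print(f'{verdict:8} {status} {ip:15} {target}')
```

Run it against a real log with scan(open('/var/log/apache2/access.log')) and look first at the "served" lines: those are the requests to treat as a successful read of wp-config.php. The last two sample lines show why the check looks at the action and the decoded "img" value rather than at the file name: a legitimate slider image is ignored, and a search query that happens to contain "wp-config.php" is not a hit.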

What you should do right now

Upgrade the Plugin

First, upgrade the plugin! If you're running version 4.1.4 or older, you need to upgrade. You can see the installed version on the Plugins screen, or in the "Version:" line at the top of wp-content/plugins/revslider/revslider.php. If you are using a theme with Revolution Slider bundled and the theme hasn't been updated, the bundled copy won't update itself: get the current version of the plugin from wherever you bought it and install it over the old one.

Add to .htaccess

Next, there are some lines you can add to your .htaccess file so that Apache refuses the request above before it ever reaches PHP. Your existing file looks something like this:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

If you add the following lines, Apache returns a 403 Forbidden for any request whose query string (everything after the "?" in the URL) contains "wp-config.php". The condition is a regular expression matched against the query string exactly as the client sent it, without URL-decoding, so it stops the payload above and plain variants of it, but not an encoded one (PHP turns "%2D" back into "-" before the plugin sees it). Treat it as a stopgap while you upgrade, not as the fix:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{QUERY_STRING} wp-config.php
RewriteRule .* - [F]

RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

I’m a big fan of using htaccess to block certain parts of WordPress. Here’s some of what I use:

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?ericnagel\.com [NC]
RewriteCond %{REQUEST_URI} ^/(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/(.*)?wp-admin$
RewriteRule ^(.*)$ - [R=403,L]

RewriteCond %{REQUEST_URI} ^/(.*)?xmlrpc\.php(.*)$
RewriteRule .* - [F]

RewriteCond %{QUERY_STRING} environ [NC]
RewriteRule .* - [F]

RewriteCond %{REQUEST_URI} ^/wp\-content\/uploads\/(.)*\.php
RewriteRule .* - [F]

RewriteCond %{QUERY_STRING} wp-config.php
RewriteRule .* - [F]

What these rules do:

  • only allow POSTs to wp-login.php and to the bare /wp-admin URL when the Referer header points at my own site (you'll change "ericnagel.com" to your own domain, and make the pattern "https?://" if your site is served over HTTPS, or you'll lock yourself out). This stops bots that post straight to the login form; the Referer is supplied by the client, so a targeted attacker can simply set it
  • block any requests to xmlrpc.php (if you don't use it, block it; Jetpack and the WordPress mobile apps do need it)
  • block any request with "environ" in the query string (a leftover from an old attack that tried to include /proc/self/environ through a file-inclusion bug; just block it)
  • block any requests to .php files under wp-content/uploads (if a hacker manages to upload a script to your uploads folder, they won't be able to execute it via the web; add .phtml and any other extension your server hands to PHP)
  • block any request that has "wp-config.php" in the query string (matched against the raw query string, so it catches the exact payload above; it belongs alongside the upgrade, not in place of it)

Lock Down MySQL

Finally, change your MySQL password and make sure the database user can only connect from your web server. In MySQL the allowed client host is part of the account name: an account like 'wpuser'@'%' accepts connections from anywhere, which means the credentials from a leaked wp-config.php are usable from the attacker's own machine if the MySQL port is reachable, and there's no reason to allow that. Restrict the account to 'localhost' if MySQL runs on the same server as your web server; otherwise, use the web server's hostname or IP address. Then update DB_PASSWORD in wp-config.php to match the new password.

Generate New Authentication Unique Keys

Go to https://api.wordpress.org/secret-key/1.1/salt/ and generate new Authentication Unique Keys and Salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, plus the four matching _SALT values), and paste these lines over the existing ones in your wp-config.php. WordPress uses them to sign login cookies and nonces; a successful attack has revealed them, and an attacker who has them together with database access can forge a login cookie for any user, so it's best to reset them.

You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
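If you would rather not fetch values from the API, or want to script the rotation across several sites, here is an added example (my code, not from the original post or from WordPress) that generates eight fresh 64-character values from the operating system's random source and splices them into a wp-config.php. It assumes the stock single-quoted define('AUTH_KEY', '...'); lines; the config fragment inside it is a constructed placeholder, not a real site's keys.

```python
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php to sign login
# cookies and nonces; changing any of them logs every user out.
SALT_KEYS = (
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
)

# Printable ASCII without space, quotes or backslash, so a value can sit
# inside a single-quoted PHP string without any escaping.
ALPHABET = string.ascii_letters + string.digits + '!@#$%^&*()-_[]{}<>~+=,.;:/?|'

# Matches define('NAME', 'value'); with any spacing inside the parentheses.
DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);"
)


def new_salt(length: int = 64) -> str:
    """A fresh value from the OS CSPRNG; 64 characters, like the wordpress.org generator."""
    return ''.join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config: str) -> str:
    """Return the wp-config.php text with every key/salt define replaced by a
    new random value. Other defines (DB_NAME, DB_PASSWORD, ...) are untouched."""
    def replace(m):
        if m['name'] not in SALT_KEYS:
            return m.group(0)
        return "define('%s', '%s');" % (m['name'], new_salt())
    return DEFINE_RE.sub(replace, config)


def salts_of(config: str) -> dict:
    """Map each key/salt constant found in the config text to its value."""
    return {m['name']: m['value']
            for m in DEFINE_RE.finditer(config) if m['name'] in SALT_KEYS}


# Constructed fragment of a stock wp-config.php (placeholder values only).
SAMPLE_CONFIG = """\
define('DB_NAME', 'wordpress');
define('DB_PASSWORD', 'replace-me-too');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == '__main__':
    # Real use: read wp-config.php, write the result back, and keep a backup.
    print(rotate_salts(SAMPLE_CONFIG))
```

Only the eight key and salt lines change; DB_NAME, DB_PASSWORD and the rest of the file pass through untouched, so the same function can be run over a config you have just edited for the MySQL change above.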

Looking Forward

Open Source software is awesome because anyone can see how it works, modify it, and expand on it. But it also allows for attackers to find vulnerabilities and exploit them.
