Dec.16

Revolution Slider Security Hole (and Fix)

If you see a line like this one in your web server access logs:

wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

then your site has been attacked (not necessarily compromised). The plugin’s revslider_show_image action is supposed to hand back an image; in the vulnerable versions the img parameter is not kept inside the slider’s image directory, so “../” walks it up to wp-config.php, or to any other file the web server can read. If the request succeeded, the attacker now has your MySQL host, user name and password, plus the authentication keys and salts, and may be able to do just about anything they want with your site. The status code and response size at the end of the log line tell you which it was: a 403 or 404 means the request was refused, while a 200 whose body is about the size of your wp-config.php means the file went out.
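To turn that log check into something repeatable, here is a small triage script I have added to this page (it is not from the original post). It reads Apache combined-format lines, percent-decodes the img parameter so encoded traversal such as ..%2F is not missed, groups attempts by client IP, and marks a request as a likely leak when it got a 200 with a body at least min_leak_bytes long; set that near the size of your own wp-config.php. The log lines are constructed samples using documentation IP addresses, and the combined log format is an assumption about your server.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" log format (RFC 5737 documentation
# addresses, not a real server). Two hosts probe revslider_show_image; the first one
# hit the site before it was patched.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Dec/2014:03:14:07 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3186 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Dec/2014:03:14:09 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2F..%2Fwp-config.php HTTP/1.1" 200 3186 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Dec/2014:04:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 199 "-" "curl/7.38.0"
198.51.100.7 - - [16/Dec/2014:04:02:13 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../../../../etc/passwd HTTP/1.1" 403 199 "-" "curl/7.38.0"
192.0.2.44 - - [16/Dec/2014:05:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slider1.jpg HTTP/1.1" 200 51200 "https://example.com/" "Mozilla/5.0"
192.0.2.44 - - [16/Dec/2014:05:00:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
"""

# Client IP, timestamp, request line, status and response size of a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# A ".." path component, i.e. an attempt to climb out of the slider's image directory.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def parse_line(line):
    """Split one access-log line into a dict, or return None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def revslider_read(target):
    """If target is a revslider_show_image request whose img value leaves the image
    directory, return the decoded path it asked for; otherwise return None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query)              # percent-decodes each value once
    if params.get("action", [""])[0] != "revslider_show_image":
        return None
    img = unquote(params.get("img", [""])[0])   # second pass catches double-encoding
    if img.startswith("/") or TRAVERSAL_RE.search(img):
        return img
    return None


def triage(log_text, min_leak_bytes=1024):
    """Group traversal attempts by client IP and record which files were likely served.
    A 403/404 means the request was refused; a 200 whose body is at least
    min_leak_bytes (set it near the size of your own wp-config.php) is counted as a
    leak, since a 200 with a tiny body is usually just an error message."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = revslider_read(rec["target"])
        if path is None:
            continue
        f = findings.setdefault(rec["ip"], {"attempts": 0, "files": set(), "leaked": set()})
        f["attempts"] += 1
        f["files"].add(path)
        if rec["status"] == 200 and rec["size"] >= min_leak_bytes:
            f["leaked"].add(path)
    return findings


if __name__ == "__main__":
    for ip, f in triage(SAMPLE_LOG).items():
        verdict = "LEAKED " + ", ".join(sorted(f["leaked"])) if f["leaked"] else "refused"
        print(f"{ip}: {f['attempts']} attempt(s) on {sorted(f['files'])} -> {verdict}")
```

Run it against your real log with triage(open("access.log").read()). Any IP that shows up with a non-empty leaked set is the one to treat as having your wp-config.php; the refused ones still tell you the site is being scanned.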

What you should do right now

Upgrade the Plugin

First, upgrade the plugin. If you’re running version 4.1.4 or older, you need to upgrade. Themes that bundle Revolution Slider ship their own copy, which the WordPress updater does not touch, so if your theme hasn’t been updated you need to get the plugin itself and upgrade it.

Add to .htaccess

Next, there are some lines you can add to your .htaccess file to make it more secure. Your existing file looks something like this:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

Adding the two lines below returns 403 Forbidden to any request that contains “wp-config.php” in the query string (everything after the “?” in the URL). They go before the existing WordPress rules, because the last of those ends processing with [L]. Treat this as a backstop rather than the fix: mod_rewrite compares the query string exactly as it was sent, without percent-decoding, so a request that spells the name wp%2Dconfig.php is not caught, and only the plugin upgrade actually closes the hole.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{QUERY_STRING} wp-config\.php
RewriteRule .* - [F]

RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

I’m a big fan of using htaccess to block certain parts of WordPress. Here’s some of what I use; these lines go inside the same <IfModule mod_rewrite.c> block, after RewriteBase and before the WordPress rules:

# Refuse POSTs to the login page and the admin root unless the Referer names this site
# (change ericnagel.com to your own domain; https? covers sites served over TLS)
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https?://(.*)?ericnagel\.com [NC]
RewriteCond %{REQUEST_URI} ^/(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/(.*)?wp-admin$
RewriteRule ^(.*)$ - [R=403,L]

# Block XML-RPC entirely
RewriteCond %{REQUEST_URI} ^/(.*)?xmlrpc\.php(.*)$
RewriteRule .* - [F]

# Block requests aimed at /proc/self/environ
RewriteCond %{QUERY_STRING} environ [NC]
RewriteRule .* - [F]

# Never serve PHP out of the uploads directory
RewriteCond %{REQUEST_URI} ^/wp\-content\/uploads\/(.)*\.php
RewriteRule .* - [F]

# Block wp-config.php in any query string
RewriteCond %{QUERY_STRING} wp-config\.php
RewriteRule .* - [F]

What this does is

  • only allow POSTs to wp-login.php and /wp-admin when the Referer header names my own site (you’ll change “ericnagel.com” to your own domain). This turns away most automated brute-force traffic, but it is not authentication: the Referer is set by the client, so a targeted attacker simply sends the right one
  • block any requests to xmlrpc.php (if you don’t use it, block it; Jetpack and the WordPress mobile apps are the usual reasons you would need it)
  • block any request with environ in the query string (this is from an old attack that tries to read /proc/self/environ through a file-inclusion bug – just block it)
  • block any request for a .php file under wp-content/uploads (if a hacker manages to upload a script to your uploads folder, they won’t be able to execute it via the web)
  • block any request that has wp-config.php in the query string

Lock Down MySQL

Finally, change your MySQL password and restrict the database user so it can only connect from your web server. In MySQL the host part of the account decides where it may connect from, and there’s no reason to allow anyone with your user name and password to connect from anywhere (the “%” wildcard). If the database runs on the same machine as the web server, use “localhost”; otherwise use the web server’s host name or IP address, and drop any leftover “%” grant. Put the new password into wp-config.php at the same time, since the site stops working the moment the old one is gone.

Generate New Authentication Unique Keys

Go to https://api.wordpress.org/secret-key/1.1/salt/ and generate new Authentication Unique Keys, and paste these lines over the existing lines in your wp-config file. Since a successful attack has revealed these values, it’s best to reset them.

You can change these at any point in time to invalidate all existing cookies. This will force all users to log in again, including anyone holding a cookie they stole or forged with the old keys. New keys do not undo anything already done with the database credentials, so also reset the passwords of your administrator accounts, whose hashes live in that database, and look through the user list for accounts you don’t recognise.

Looking Forward

Open Source software is awesome because anyone can see how it works, modify it, and expand on it. But it also allows for attackers to find vulnerabilities and exploit them.
