
/upgrade directory vulnerability (3 posts)

  1. Barcode99
    Member
    Posted 2 years ago #

    Not sure where to post it, but is there a reason that there is no index.php file in /wp-contents/upgrade directory?

    We were hacked a few times already until we figured out to put an index file there. Any idea what the reason is to set it up like this? Everyone: just try http://www.yourdomain.XXX/wp-content/upgrade/

    It lists the contents of this folder.

  2. Just not having an index.php there won't cause you to get hacked, nor will putting one there solve that.

    In your Apache web server configuration you want to add AllowOverride All and -Indexes.

    <Directory />
       Options -Indexes
       AllowOverride All
    </Directory>

    That Options line will turn off the ability to view directory contents like that. The AllowOverride permits things like fancy permalinks to work.

    Make sure you make a backup copy of any file you edit first. If you make a typo here, then your web site will stop working and that backup copy will save you lots of grief.

    As for the hacked site:

    Start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/

    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    http://www.studiopress.com/tips/wordpress-site-security.htm
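The reply above gives the fix but no way to confirm it took effect across a whole httpd.conf. The script below is an added example, not code from the thread or from WordPress: it walks Apache-style <Directory> blocks, applies Apache's Options semantics (a line without +/- replaces the whole option set, so "Options Indexes FollowSymLinks" turns listings on; "-Indexes" only removes that one option), and reports which blocks still enable listings or leave the setting inherited. It also recognises the mod_autoindex "Index of /" page the original poster saw. The config fragment and the listing body are constructed samples; the path /var/www/html is an assumed DocumentRoot, not one from the page.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, not a real server's config: the <Directory /> block from
# the thread plus two more blocks, one of which still permits listings.
SAMPLE_CONFIG = """\
<Directory />
   Options -Indexes
   AllowOverride All
</Directory>

<Directory "/var/www/html">
   Options Indexes FollowSymLinks
   AllowOverride None
</Directory>

<Directory /var/www/html/wp-content/upgrade>
   AllowOverride All
</Directory>
"""

# Constructed sample of what mod_autoindex returns when listings are on.
SAMPLE_LISTING_BODY = """\
<html><head><title>Index of /wp-content/upgrade</title></head>
<body><h1>Index of /wp-content/upgrade</h1>
<ul><li><a href="/wp-content/">Parent Directory</a></li></ul></body></html>
"""

DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>\s*$', re.IGNORECASE)
DIR_CLOSE = re.compile(r"^\s*</Directory>\s*$", re.IGNORECASE)
OPTIONS = re.compile(r"^\s*Options\s+(.+?)\s*$", re.IGNORECASE)
OVERRIDE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.IGNORECASE)
AUTOINDEX_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)


def apply_options(current: Optional[bool], tokens: List[str]) -> Optional[bool]:
    """Fold one Options line into the 'is Indexes enabled?' state.

    Apache semantics: a line without +/- prefixes replaces the whole option set,
    so Indexes is on only if it (or All) is listed; a line using +/- adjusts the
    inherited set, so only +Indexes and -Indexes change the answer.
    """
    if not any(t[0] in "+-" for t in tokens):
        return any(t.lower() in ("indexes", "all") for t in tokens)
    for t in tokens:
        if t.lower() == "+indexes":
            current = True
        elif t.lower() == "-indexes":
            current = False
    return current


def audit_directory_listing(config_text: str) -> Dict[str, dict]:
    """Map each <Directory> path to {'indexes': bool|None, 'allow_override': str|None}.

    'indexes' is None when the block has no Options line, i.e. it inherits the
    parent block's or the server default setting (which differs between Apache
    versions), so treat None as 'go and check the parent', not as safe.
    """
    findings: Dict[str, dict] = {}
    current_dir = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        if m := DIR_OPEN.match(line):
            current_dir = m.group(1)
            findings[current_dir] = {"indexes": None, "allow_override": None}
        elif DIR_CLOSE.match(line):
            current_dir = None
        elif current_dir is not None:
            if m := OPTIONS.match(line):
                entry = findings[current_dir]
                entry["indexes"] = apply_options(entry["indexes"], m.group(1).split())
            elif m := OVERRIDE.match(line):
                findings[current_dir]["allow_override"] = m.group(1)
    return findings


def directories_with_listing(config_text: str) -> List[str]:
    """Paths whose block explicitly turns Indexes on (the listing the poster saw)."""
    return sorted(p for p, e in audit_directory_listing(config_text).items()
                  if e["indexes"] is True)


def looks_like_autoindex(body: str) -> bool:
    """True if an HTTP response body is a mod_autoindex directory listing page."""
    return AUTOINDEX_TITLE.search(body) is not None


if __name__ == "__main__":
    for path, entry in audit_directory_listing(SAMPLE_CONFIG).items():
        state = {True: "LISTING ON", False: "off", None: "inherited"}[entry["indexes"]]
        print(f"{path:45s} Indexes: {state:10s} AllowOverride: {entry['allow_override']}")
    print("Sample body is a directory listing:", looks_like_autoindex(SAMPLE_LISTING_BODY))
```

Run it against your own httpd.conf text (or a .htaccess, which uses the same Options syntax) and fix every block reported as LISTING ON; an "inherited" block is only safe if the nearest enclosing block, here <Directory />, has -Indexes. This only reads the main config, so directives pulled in via Include are not followed; concatenate those files first or run the audit per file.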

  3. threestyler
    Member
    Posted 2 years ago #

    Once WordPress completes the upgrade the contents are removed. So it should be an empty directory.

    So the next time you install an update your index file will also be removed leaving an empty directory again.

    If you're being hacked I would put money on it being absolutely nothing to do with the upgrade folder but more than likely an outdated or poorly coded plugin.

Topic Closed

This topic has been closed to new replies.