
URGENT SECURITY VULNERABILITY WITH PLUGINS & THEMES (10 posts)

  1. Peter vanDoorn
    Member
    Posted 3 years ago #

    For the past few weeks now I have been seeing a constant stream of 404 errors on one of my sites for the same type of file. Each one is trying to find a file called readme.txt in all manner of different plugins and themes, none of which I have ever installed.

    Having read up on WordPress exploits, it seems to me that my site is being trawled in the hope of finding an actual readme.txt file, into which code can be inserted and then run in order to hijack the site.

    Since this is a known method of code insertion, it would seem to me that it would be very easy to remove this weak-point by WordPress mandating that no plugins or themes have .txt files, or at the very least make sure that none are using the name readme.txt or any other predictable name.

    I strongly believe that this is something that the dev team should look into implementing as soon as they can and, furthermore, to require that all plugins and themes that are hosted in the WordPress.org repositories remove these files or be rejected.

    Thanks for reading this

    Peter

    PS: Yes, I have followed all of the advice and locked my site down as best I can and (he says, holding a very large piece of timber) so far none have succeeded!

  2. Rev. Voodoo
    Volunteer Moderator
    Posted 3 years ago #

    What good would that do?

    WordPress is installed on how many servers?

    So all a hacker needs to do is download the newest copy of WordPress, and they know ALL the file names you have. They can just scan the webz for WordPress installs, won't take long to find one.

    Same goes for plugins, or themes, etc.

    So if a server is configured in a manner which is going to allow a readme.txt file to be altered, it would also allow any of those other files to be altered.....

    I'm not an expert, just trying to understand what benefit this would give? I'm open to learning!

  3. Peter vanDoorn
    Member
    Posted 3 years ago #

    You're right, but I'm seeing so many 404 errors for the same file name that it's obvious that someone has identified this as being a weak point in WordPress.

    What someone is doing is hitting my server for a file called readme.txt that might be installed. So, they have a long list of plugin and theme names that they are working through, hoping that eventually they will strike lucky. If no plugin has a readme.txt file, but rather a file with a more random name, then that task becomes a little more difficult.

    Sure, it won't fix things overnight, but my point is that, going forward, this will become less of an issue as people update their plugins/themes. WordPress could even force the issue - update your code on the repository or we dump it.

    Obviously I've done the sensible thing and deleted all of these readme.txt files manually. But they are replaced with an update.

    Maybe I'm over-reacting, but if there's an easily-identifiable security hole then I think it should be brought to everyone's attention!

    Peter

  4. You DO understand that the readme.txt file is ONLY a security hole if your SERVER is insecure?

    I mean, here. http://ipstenu.org/wp-content/plugins/akismet/readme.txt -- Knock yourself out.

    The bots are trolling not for the txt files, but for a server with insecure permissions AND that file. Also of note? They look for wp-config.php, index.php and readme.html -- ALL of which exist on 99.9999999% of WP installs.

    This isn't a security issue in WP.

  5. Also, in text files code isn't parsed, so I'm not sure how you think someone might hack your site by leaving text.

  6. Peter vanDoorn
    Member
    Posted 3 years ago #

    andrea_r: php's eval() function will attempt to execute what it is given as a php command. This can be the contents of a txt file.

    Everyone else: Yes, I appreciate that whether you are vulnerable is up to your server's security. Mine, I hope, is locked down pretty well. I'm not talking about ME!

    The point is that code can be hidden on an insecure server in an unrelated text file and you probably wouldn't even notice.

    Since it would appear that this IS happening, I would suggest that it is common sense for WordPress to remove this avenue.

    And, yes, it IS a WordPress issue. No, it's not an issue with the actual WP code, but since WP is very popular it's an issue that they should be more proactive about IMHO!

  7. Rev. Voodoo
    Volunteer Moderator
    Posted 3 years ago #

    @petervandoorn How do you envision this working?

    All the millions of WP installs have all the exact same files on their servers.

    How would we ensure that only the good people know the file structure?

    I just don't understand how removing readme.txt files helps anything when everyone in the world has access to a full list of every file that exists in a core WP install......

  8. The point is that code can be hidden on an insecure server in an unrelated text file and you probably wouldn't even notice.

    Well. Yes. And THAT point goes right back to 'It's not WP, it's your SERVER.'

    Look. If you install a bad plugin, or get hacked, and your server is insecure enough to permit such things, then YES, you could have serious issues. That sort of security 'hole' could happen on a site running barebones HTML, or WordPress, or Drupal, or ASP or anything you can come up with. Which is why I reiterate:

    It is NOT WordPress's job to be your nanny. If you can't take care of your own site, or your host can't, then you need to get help. Running a website is work, and it takes knowledge you must learn. Much as learning to DRIVE safely was something that took time, so does this.

    Furthermore, since the security 'hole' is agnostic (bad code can happen on any server, regardless of what app you run), it's not something that logically any one app CAN prevent for all things.

    Read:
    http://codex.wordpress.org/Hardening_WordPress
    http://ottopress.com/2011/scanning-for-malicious-code-is-pointless/

  9. Ron Rennick
    MultiSite Guru
    Posted 3 years ago #

    The hackers are trying to find if you have plugins or themes installed in which there was a vulnerability at one point or other.

    Once they find a vulnerable plugin/theme then they use the vulnerability to hack into your site.

    They cannot hack in through a .txt file.
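The 404 stream Peter describes in posts 1 and 3, and the fingerprinting Ron explains in post 9, leave a recognisable pattern in the web server's access log: one client requesting readme.txt under many different plugin and theme directories, most of them 404 and the occasional 200 for something that is actually installed. The script below is an added example, not code from the thread or from WordPress; it parses combined-format (Apache/nginx) log lines, which are constructed sample data with made-up IPs and timestamps, and reports per client which slugs were probed and which ones answered 200, since those are the installed plugins/themes a scanner has now identified and the ones worth checking for pending updates.

```python
import re
from collections import defaultdict

# Constructed sample lines (combined log format); IPs and timestamps are made up.
# 203.0.113.7 walks a list of plugin/theme slugs as the thread describes: 404s
# everywhere except one installed plugin, plus a hit on core's readme.html.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2013:10:01:01 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:10:01:02 +0000] "GET /wp-content/plugins/wp-super-cache/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:10:01:03 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:10:01:04 +0000] "GET /wp-content/themes/twentyeleven/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:10:01:05 +0000] "GET /readme.html HTTP/1.1" 200 9110 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2013:10:05:00 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2013:10:05:09 +0000] "GET /about/ HTTP/1.1" 200 7301 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# A readme.txt request under a plugin or theme directory is a fingerprinting probe.
PROBE_RE = re.compile(r'^/wp-content/(?P<kind>plugins|themes)/(?P<slug>[^/]+)/readme\.txt$')

def parse_line(line):
    """Return (ip, path, status) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return None if m is None else (m.group("ip"), m.group("path"), int(m.group("status")))

def find_readme_scanners(log_text, min_distinct_slugs=3):
    """Group readme.txt probes by client IP and report the ones that look like a scan.

    Returns {ip: {"probed": [...], "disclosed": [...]}} for each IP that requested
    readme.txt under at least min_distinct_slugs different plugin/theme directories.
    "disclosed" holds the slugs that answered 200: the file exists, so the scanner now
    knows that plugin/theme is installed (its "Stable tag" line usually gives the version).
    """
    probed, disclosed = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash on them
        ip, path, status = parsed
        pm = PROBE_RE.match(path)
        if pm is None:
            continue  # ordinary page view, or a core file such as readme.html
        slug = f'{pm.group("kind")}/{pm.group("slug")}'
        probed[ip].add(slug)
        if status == 200:
            disclosed[ip].add(slug)
    return {ip: {"probed": sorted(slugs), "disclosed": sorted(disclosed[ip])}
            for ip, slugs in probed.items() if len(slugs) >= min_distinct_slugs}
```

Lower `min_distinct_slugs` to 1 to see every readme.txt fetch rather than only the clients walking a list; on a real log, feed the file contents in place of `SAMPLE_LOG`.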

  10. Eyecool
    Member
    Posted 3 years ago #

    Peter, when in doubt: http://sitecheck.sucuri.net/scanner/

    Also, if you include a link to your site producing the errors, you're more likely to get a working answer.

    Bonus if you include helpful details, like what webserver you're running and which theme you're using. One less step for the good guys trying to help.

    Hope your scan reveals a clean bill of WordPress health!
