For the past few weeks now I have been seeing a constant stream of 404 errors on one of my sites for the same type of file. Each one is trying to find a file called readme.txt in all manner of different plugins and themes, none of which I have ever installed.
Having read up on WordPress exploits, it seems to me that my site is being trawled in the hope of finding an actual readme.txt file, into which code can be inserted and then run in order to hijack the site.
Since this is a known method of code insertion, it would seem to me that it would be very easy to remove this weak point by WordPress mandating that no plugins or themes have .txt files, or at the very least make sure that none are using the name readme.txt or any other predictable name.
I strongly believe that this is something that the dev team should look into implementing as soon as they can and, furthermore, to require that all plugins and themes that are hosted in the WordPress.org repositories remove these files or be rejected.
Thanks for reading this
PS: Yes, I have followed all of the advice and locked my site down as best I can and (he says, holding a very large piece of timber) so far none have succeeded!
- The topic ‘URGENT SECURITY VULNERABILITY WITH PLUGINS & THEMES’ is closed to new replies.
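As an added example (not code from the original post or from WordPress), here is a small Python script that scans web-server access log lines in combined log format for exactly the pattern described above: one client requesting readme.txt under many different plugin and theme directories and receiving 404s. The log lines, IP addresses and plugin/theme slugs are constructed; the threshold `min_distinct` is an assumption you would tune for your own traffic.

```python
"""Flag clients that probe many plugin/theme readme.txt paths and get 404s."""
import re
from collections import defaultdict

# Combined log format; we only need client IP, request path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
# readme.txt sitting directly under a plugin or theme directory
PROBE_RE = re.compile(r'^/wp-content/(plugins|themes)/([^/]+)/readme\.txt$', re.IGNORECASE)

def parse_line(line):
    """Return (ip, path-without-query, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path").split("?")[0], int(m.group("status"))

def find_readme_scanners(lines, min_distinct=3):
    """Return {ip: sorted plugin/theme slugs} for clients whose readme.txt
    requests 404'd across at least `min_distinct` different slugs."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        probe = PROBE_RE.match(path)
        if probe and status == 404:
            hits[ip].add(probe.group(2).lower())
    return {ip: sorted(slugs) for ip, slugs in hits.items() if len(slugs) >= min_distinct}

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-content/plugins/foo-gallery/readme.txt HTTP/1.1" 404 196 "-" "curl/7.88"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /wp-content/plugins/bar-seo/readme.txt HTTP/1.1" 404 196 "-" "curl/7.88"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "GET /wp-content/themes/baz-theme/readme.txt HTTP/1.1" 404 196 "-" "curl/7.88"
203.0.113.5 - - [10/Mar/2024:10:00:04 +0000] "GET /wp-content/plugins/qux/readme.txt?x=1 HTTP/1.1" 404 196 "-" "curl/7.88"
198.51.100.9 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-content/plugins/installed-plugin/readme.txt HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:01:05 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, slugs in find_readme_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} probed {len(slugs)} plugin/theme readme.txt paths: {', '.join(slugs)}")
```

Feed it your real access log (one line per request) to get a list of scanning clients you can rate-limit or block at the web server; a single 200 for an installed plugin's readme.txt, as in the last sample lines, is not flagged.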