The WordPress security experts at Wordfence have spotted a new and increasingly widespread attack vector targeting newly created WordPress powered websites. If successful, the exploit allows hackers to salt your site with drive-by malware, pilfer sensitive data or even compromise your web server.
The cyber-attack is simple. Using automated tools, hackers scan for the URL /wp-admin/setup-config.php, the setup URL for new WordPress installs. If this URL is present and it contains a setup page, this tells a hacker that WordPress—the free, open source content management system used by about 25% of all websites—has recently been installed but is not yet configured. If no configuration file is present, this makes it easy for the hacker to take over not just the new WordPress website, but also potentially the entire hosting account and all other sites on that hosting account.
What Leads to a Vulnerable WordPress Installation?
If you unzip the WordPress ZIP archive into a directory on your hosting account, or perform a one-click install through a hosting provider, but don’t go on to complete the installation steps, you’re vulnerable to this attack. An attacker who scans your server for new WordPress installs can take control of your site by starting the configuration process and completing it maliciously.
In particular, they can specify the database name, username, and password, and the server that hosts the database. Then they give themselves admin access to your WordPress install. From there, they can use any of several methods to execute any PHP code they want within your hosting account. Typically, they’d gain access to all files and websites on your hosting account, nose around in any of the databases the WordPress installation has access to, and if possible access other application data.
How to Avoid the WordPress Hack
How can you protect yourself from this WordPress cyber security issue? The Wordfence blog post describes two processes for site owners:
- Scan your hosting account. Server admins and others providing WordPress hosting should scan their hosting accounts for vulnerable WordPress installs. If you navigate to the site’s base URL and are redirected to /wp-admin/setup-config.php, you know the site’s setup is incomplete. Alert those users to complete the setup immediately or remove the files.
- Monitor suspicious traffic. If you have an intrusion detection system (IDS), monitor traffic leaving your web servers for the Internet for any MySQL connections. A web server normally talks only to its own database host, so outbound MySQL traffic is a red flag that a hacker has compromised a WordPress site on your network by pointing its setup at a bogus database elsewhere on the web.
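The first check above, the hosting-account scan, as an added example (not from Wordfence or the Pivot Point article): it walks a directory tree for unpacked WordPress copies whose installer is still reachable, and classifies an HTTP redirect from a site's base URL the way the article describes. The hosting-account layout it builds is constructed sample data; WordPress itself accepts wp-config.php either beside wp-admin or one directory above it, which is why both locations count as configured.

```python
import os
import tempfile
from urllib.parse import urlparse

SETUP_PATH = "/wp-admin/setup-config.php"

# Constructed sample layout of a hosting account (not real sites).
DEMO_SITES = {
    "public_html/blog": "here",        # finished install, wp-config.php beside wp-admin
    "sites/shop/wordpress": "parent",  # config one level up, which WordPress also accepts
    "public_html/newsite": None,       # unpacked but never configured: the exposed case
}


def find_unconfigured_wordpress(root):
    """Return install directories under `root` where wp-admin/setup-config.php
    exists but no wp-config.php is present in the directory or its parent."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        if "wp-admin" not in dirnames:
            continue
        if not os.path.isfile(os.path.join(dirpath, "wp-admin", "setup-config.php")):
            continue
        here = os.path.join(dirpath, "wp-config.php")
        parent = os.path.join(os.path.dirname(dirpath), "wp-config.php")
        if not (os.path.isfile(here) or os.path.isfile(parent)):
            hits.append(dirpath)
    return sorted(hits)


def setup_redirect(status, location):
    """True when a response to the site's base URL redirects to the WordPress
    installer, i.e. the setup is incomplete."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    return urlparse(location).path.rstrip("/").endswith(SETUP_PATH)


def build_demo_hosting_account():
    """Create the DEMO_SITES layout in a temporary directory and return its root."""
    root = tempfile.mkdtemp(prefix="hosting-")
    for site, cfg in DEMO_SITES.items():
        d = os.path.join(root, site)
        os.makedirs(os.path.join(d, "wp-admin"))
        open(os.path.join(d, "wp-admin", "setup-config.php"), "w").close()
        if cfg == "here":
            open(os.path.join(d, "wp-config.php"), "w").close()
        elif cfg == "parent":
            open(os.path.join(os.path.dirname(d), "wp-config.php"), "w").close()
    return root


def scan_demo():
    """Scan the constructed account; returns root-relative paths of exposed installs."""
    root = build_demo_hosting_account()
    return [os.path.relpath(h, root) for h in find_unconfigured_wordpress(root)]


if __name__ == "__main__":
    for d in scan_demo():
        print("unconfigured WordPress install:", d)
```

Point find_unconfigured_wordpress at the real document root of a hosting account to run the check for real; every hit is a site whose owner should finish the install or delete the files.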
Hundreds of thousands of WordPress sites are hacked annually, mostly by automated methods. It doesn’t matter how big your company is or what business you’re in—you’re a target, and if you’ve left hackers an opening, they’ll go for it.
To find out more about how to keep your website safe from cyber-attacks, contact Pivot Point Security.
For More Information on WordPress Cyber Security:
- Sucuri’s Website Hacked Trend Report 2016
- How WordPress sites get hacked and preventive measures to take
- Have you patched this recently discovered zero-day flaw in WordPress?
- A survey of what attackers did with compromised WordPress sites
- An informative infographic on WordPress security