Security researchers at WordFence, a company that focuses on securing WordPress, have reported a wave of old-school attacks aimed at your WordPress configuration data.
In a standard WordPress installation, the configuration file wp-config.php should not be accessible to outsiders, whether you installed WordPress yourself or use a hosted service.
That’s a good thing, considering how WordPress describes the file itself:
One of the most important files in your WordPress installation is the wp-config.php file. This file is located in the root directory of your WordPress directory and contains the basic configuration details of your website, e.g. database connection information.
Since any PHP code in wp-config.php runs every time your website processes a request, it's an obvious target for attackers who can modify it, but it's also a coveted prize for cybercrooks who can merely read it.
Normal WordPress requests coming in from outside are confined to the part of your installation where your public site content lives. In theory, it should therefore be impossible to craft a URL that climbs out of the directory holding your public content and up into the directories holding your site's configuration files and internal data.
WordPress itself is very keen to detect malicious URLs that try to make the system visit unexpected parts of the file system, and directory traversal exploits against WordPress itself are rare these days.
However, if you have installed a forgotten plugin or a neglected theme, its code may contain a bug that lets an attacker read off-limits files anyway, for example by tricking the plugin into including the contents of a confidential file in the response it generates.
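The plugin bug just described is almost always the same shape: a user-supplied file name is joined onto a directory without checking where the final path ends up. The following is an added example, not code from the article or from WordFence, that shows the bug pattern beside its hardened form. Python stands in for the PHP a real plugin would be written in, and the site tree (a wp-config.php above a wp-content/uploads directory) is constructed in a temporary directory so it runs offline.

```python
"""Added example (not from the article or WordFence): a download
handler that leaks wp-config.php via directory traversal, next to the
containment check that stops it. The site layout is constructed."""
import os
import tempfile


def make_fake_site() -> str:
    """Build a throwaway WordPress-like tree: wp-config.php in the root and
    a public uploads directory two levels below it. Returns the site root."""
    root = tempfile.mkdtemp(prefix="wpsite-")
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "report.pdf"), "w") as f:
        f.write("%PDF-1.4 constructed sample\n")
    return root


def vulnerable_download(root: str, requested: str) -> str:
    """The bug pattern: the requested name is joined onto the uploads directory
    with no check, so '../../wp-config.php' simply walks out of it."""
    uploads = os.path.join(root, "wp-content", "uploads")
    with open(os.path.join(uploads, requested)) as f:
        return f.read()


def safe_download(root: str, requested: str) -> str:
    """Hardened version: canonicalise the final path (resolving '..' and
    symlinks) and refuse anything that does not stay inside uploads."""
    uploads = os.path.realpath(os.path.join(root, "wp-content", "uploads"))
    target = os.path.realpath(os.path.join(uploads, requested))
    # The os.sep suffix matters: 'uploads-evil' must not pass as a prefix
    # match for 'uploads'.
    if target != uploads and not target.startswith(uploads + os.sep):
        raise PermissionError(f"refusing path outside uploads: {requested!r}")
    with open(target) as f:
        return f.read()


def demo() -> dict:
    """Run both handlers against a traversal payload and a legitimate name."""
    root = make_fake_site()
    payload = "../../wp-config.php"
    leaked = vulnerable_download(root, payload)
    try:
        safe_download(root, payload)
        blocked = False
    except PermissionError:
        blocked = True
    legit = safe_download(root, "report.pdf")
    return {
        "leaked_secret": "DB_PASSWORD" in leaked,
        "blocked": blocked,
        "legit_ok": legit.startswith("%PDF"),
    }


if __name__ == "__main__":
    print(demo())
```

The check compares canonical paths rather than looking for `..` in the input: an absolute path passed to `os.path.join` discards the uploads prefix entirely, and a symlink inside uploads can point anywhere, and `realpath` catches both cases where a string filter would not.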
WordFence researchers say that almost a million different WordPress sites received malicious requests last month aimed at grabbing their wp-config.php files.
We believe these attacks were orchestrated using a botnet, that is, a network of computers infected with so-called zombie malware, because the list of computers involved in the attack contains more than 20,000 different IP addresses.
Bots or zombies are malware-infected computers that regularly, and usually very quietly, call home to one or more command-and-control (C&C) servers operated by crooks.
By calling home over outbound connections to fetch their malicious instructions, and by using innocent-looking traffic such as web requests, bots also work in home networks and at hosting companies where the provider blocks all or most inbound connections for legal or security reasons.
With 20,000 different IP addresses in the list, many of which are probably home computers whose IP addresses change every few days or after a reboot, it is hard to use a block list to keep the troublemakers out, because the list is such a moving target.
In fact, crooks love bots not only because they are hard to block quickly, but also because someone else pays for the traffic, and because attempts to trace the attack back to its source end up in the wrong place, or rather in 20,000 different wrong places in this case.
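Because the source addresses churn, the practical defence is to recognise the request itself rather than the sender. The following is an added example, not code from the article or from WordFence, that scans access-log lines for the two tell-tale signs of a wp-config.php grab described above (a directory traversal sequence, or wp-config.php named anywhere in the request), decoding percent-encoding first, and then counts how many distinct addresses an IP block list would have to track. The log lines are constructed, use the RFC 5737 documentation address ranges, and the URL shapes are my assumptions about what such requests look like.

```python
"""Added example (not from the article or WordFence): flag wp-config.php
grab attempts in a combined-format access log and tally the source IPs.
All log lines below are constructed for this demonstration."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log; three lines are attack probes, two are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2020:10:01:02 +0000] "GET /wp-content/plugins/example/download.php?file=../../../wp-config.php HTTP/1.1" 200 3121
198.51.100.7 - - [10/Jun/2020:10:01:03 +0000] "GET /index.php HTTP/1.1" 200 9876
192.0.2.44 - - [10/Jun/2020:10:01:05 +0000] "GET /wp-content/themes/old/inc/view.php?path=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3121
203.0.113.9 - - [10/Jun/2020:10:01:06 +0000] "GET /wp-content/uploads/2020/06/photo.jpg HTTP/1.1" 200 48213
198.51.100.8 - - [10/Jun/2020:10:01:07 +0000] "GET /wp-config.php HTTP/1.1" 200 0
203.0.113.5 - - [10/Jun/2020:10:01:09 +0000] "GET /wp-content/plugins/example/download.php?file=..%252F..%252Fwp-config.php HTTP/1.1" 200 3121
"""

# Apache/nginx "combined" format: ip ident user [time] "METHOD URL PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def decode_url(url: str) -> str:
    """Percent-decode until the string stops changing (attackers sometimes
    double-encode, e.g. %252F -> %2F -> /), and normalise backslashes."""
    prev, cur = None, url
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def classify(url: str) -> list:
    """Return the reasons a request looks like a config-file grab, if any."""
    u = decode_url(url).lower()
    reasons = []
    if "../" in u:
        reasons.append("traversal")
    if "wp-config.php" in u:  # no legitimate request ever names this file
        reasons.append("wp-config target")
    return reasons


def scan(log_text: str) -> list:
    """Parse each line and keep those that classify as suspicious."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would log this
        reasons = classify(m["url"])
        if reasons:
            hits.append({"ip": m["ip"], "url": m["url"], "reasons": reasons})
    return hits


def sources(hits: list) -> Counter:
    """Distinct source addresses behind the flagged requests."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ip"], ", ".join(h["reasons"]), h["url"])
    print(f"{len(found)} probes from {len(sources(found))} addresses")
```

The two signatures are stable across the whole botnet, whereas the address list changes with every reboot of an infected home PC; matching on the decoded request also catches the encoded variants that a naive `../` string filter on the raw URL would miss.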
What’s the risk?
As mentioned above, crooks who can overwrite your wp-config.php file can do pretty much anything they want, because the code it contains runs on the server every time a page is requested.
This means that a crook who can change the configuration file doesn't have to wait for you to restart WordPress or reboot your server: they can simply visit your site's home page to trigger their code.
But even with read-only access to your configuration file, a crook may be able to use the database credentials it contains to gain unauthorized access to your WordPress database.
This means that an attacker could return later to steal sensitive data, add new users, and change or delete content.
What should I do?
WordPress can update itself, but don't forget to check that the automatic update is actually working, even if you rely on it.
(Ironically, the easiest way to configure auto-updating is to use the wp-config.php file.)
WordPress can also update many plugins and themes for you …
… but not all of them.
Many plugins and themes still need manual attention for updates, or are old and tired enough that they haven't had any updates at all, even though they contain bugs that crooks already know about.
Remember that less is more: if you are still using plugins or themes that are no longer actively developed, check whether you can do without them, or look for replacements that are still maintained and receive security fixes.