Wp-config.php security leak – hundreds of blogs hacked
**Important update below**
Dark Reading has reported that hundreds of WordPress blogs were hacked over the past week because of improperly chmod-ed wp-config.php files. The problem was attributed to hosting-provider negligence, not to faulty WordPress software.
All of the affected blogs were hosted by Network Solutions. According to Sucuri Security Labs, which has been working with Network Solutions, the attacker used a scanner that pulls the database credentials out of any wp-config.php whose read and write bits are open to the group and to everyone else on the host.
Network Solutions has now cleaned up the infected blogs and stopped the attacks by changing the WordPress database passwords. The hosting provider recommends that WordPress users log into their accounts, change their administrative passwords, and delete any administrator accounts they don’t recognize.
Securing the WordPress wp-config.php file
wp-config.php lives in the root of the WordPress install and holds the credentials WordPress uses to connect to its MySQL database, along with the table prefix, the secret keys, the language setting and ABSPATH. Anyone who can read it can read your database password.
People often forget to check file permissions after installing WordPress. As a baseline, files should be 644 and directories 755. wp-config.php deserves more than the baseline: 644 leaves it readable by every other account on a shared host, so set it to 600 (or the 440/400 the Hardening WordPress doc suggests) if PHP runs as your own user, or 640 with the web server’s group if PHP runs as a shared web-server user, and confirm the site still loads afterwards. The built-in theme file editor needs write access to theme files; the usual advice is 666, but that makes them writable by every user on the host, so prefer 664 with the web server’s group and set them back to 644 when you are not editing.
If you use an FTP client such as FileZilla, right-click the file and choose File Permissions; a dialog called “Change file attributes” appears where you can type the numeric value.
Moving wp-config.php one directory above the WordPress install further protects the file. This can only be done after WordPress is already installed: WordPress looks in the parent directory only when no wp-config.php exists in the install root (and the parent is not itself a WordPress install). Make sure that parent directory sits outside the web root, so the file can never be served by the web server. Additional security measures are laid out in the Hardening WordPress doc.
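The steps above, done from a shell instead of the FileZilla dialog, as an added example that is not code from the original post or from WordPress itself. It assumes a POSIX find/chmod and a tree laid out like a normal install; the wp_config_path lookup mirrors the order wp-load.php uses (install root first, then the parent directory unless the parent holds its own wp-settings.php), and the 600 mode assumes PHP runs as the file owner.

```sh
#!/bin/sh
# Added example, not code from the original post or from WordPress.
# Audits and repairs permissions on a WordPress tree from the shell.
# Assumes POSIX find/chmod and a tree laid out like a normal install.

# wp_config_path DIR
# Print the wp-config.php WordPress would load for the install at DIR,
# following the lookup order of wp-load.php: the install root first, then the
# parent directory, unless the parent is itself an install (has wp-settings.php).
# Returns 1 if neither location has the file.
wp_config_path() {
  if [ -f "$1/wp-config.php" ]; then
    printf '%s\n' "$1/wp-config.php"
  elif [ -f "$1/../wp-config.php" ] && [ ! -f "$1/../wp-settings.php" ]; then
    printf '%s\n' "$1/../wp-config.php"
  else
    return 1
  fi
}

# wp_audit DIR
# Print every file under DIR that is world-writable, plus wp-config.php if it
# is readable or writable by group or others. Returns 0 when nothing is
# exposed, 1 when something is, 2 when no wp-config.php could be located.
wp_audit() {
  _cfg=$(wp_config_path "$1") || { echo "wp_audit: no wp-config.php for $1" >&2; return 2; }
  _found=$({
    find "$1" -type f -perm -002 -print
    find "$_cfg" \( -perm -040 -o -perm -004 -o -perm -020 -o -perm -002 \) -print
  } | sort -u)
  [ -z "$_found" ] && return 0
  printf '%s\n' "$_found"
  return 1
}

# wp_harden DIR
# Apply the baseline from the post (directories 755, files 644), then restrict
# wp-config.php to its owner (600). 600 assumes PHP runs as the file owner
# (suexec, suPHP, a per-user PHP-FPM pool); if PHP runs as a shared web-server
# user, use 640 with that user's group instead.
wp_harden() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  _cfg=$(wp_config_path "$1") || return 1
  chmod 600 "$_cfg"   # 640 when the web server runs as a different user
}

# Typical use (path is hypothetical):
#   wp_audit /home/alice/public_html || wp_harden /home/alice/public_html
```

wp_audit flags world-writable files as well as an exposed wp-config.php, because a file any local user can write is how the next bad plugin or backdoor arrives; run it again after wp_harden and after moving wp-config.php to the parent directory, since the parent copy is outside the tree that wp_harden touches.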
Update 4/13/10 4:00 PM – Mullenweg comments
WordPress founder Matt Mullenweg personally addressed the issue of WordPress blogs (hosted on Network Solutions) being hacked.
WordPress, like all other web applications, must store database connection info in clear text. Encrypting credentials doesn’t matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system — like they appeared to have in this case — it is trivial to obtain the keys and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?
So the hacks on Network Solutions-hosted blogs were apparently the result of hosting-provider negligence, not client negligence or buggy WordPress installs.
A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years.
Thanks for straightening that out, Matt. It didn’t quite make sense that all of the exploited blogs had incorrect file permission settings.
Tags: blog security, security
:O I didn’t know about this. Recently I came to know that CERT has also issued a high alert for Cyber Attacks
As far as I know, WordPress is giving liberty in file permissions to make sure that WordPress will not have any issue with any web hosting…
Thanks, I have been looking around trying to figure out what my wp-config should be set at … much appreciated!