Wp-config.php security leak – hundreds of blogs hacked
**Important update below**
Dark Reading has reported that hundreds of WordPress blogs have been hacked over the past week due to improperly chmod-ed wp-config.php files. The vulnerability was the result of hosting provider negligence, not faulty WordPress software.
All of the blogs affected were hosted by Network Solutions. According to Sucuri Security Labs, which has been working with Network Solutions, the attacker used a type of scanner that extracts database information from wp-config.php files whose read and write permissions are open to the group and to the public.
Network Solutions has now cleaned up the infected blogs and stopped the attacks by changing database passwords for WordPress. The hosting provider recommends that WordPress users log into their accounts and change their administrative passwords, as well as delete any administrative access accounts they don’t recognize.
Securing the WordPress wp-config.php file
The wp-config.php is a file contained in the root of the WordPress file directory which contains the login information for WordPress to connect to MySQL database[s] as well as table prefix, secret keys, WordPress language and ABSPATH.
Sometimes people neglect to check the file permissions for wp-config.php after installing WordPress. All files should have permission attributes set to 644, except for wp-config.php, which should be set to 640 (that will return a “403 Forbidden” error for all external requests); all directories should be set to 755; and theme files should be 666 if you want to use the WordPress built-in theme file editor.
If you are using an FTP client like FileZilla, you can easily change file permissions by right clicking on the file and then selecting File Permissions. A dialog box called “Change file attributes” should pop up.
Moving wp-config.php one directory above the WordPress install will further enhance security for the file. This can only be done after WordPress is already installed. Additional security measures are laid out in the Hardening WordPress doc.
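The permission checks above are easy to get wrong by hand, so here is a small audit script, added as an example and not part of the original post or of WordPress itself. It reads the octal mode of wp-config.php (it assumes a GNU or BSD `stat`), accepts 640 or stricter and rejects anything group-writable or world-readable, and also looks one directory above the install, where WordPress loads wp-config.php from after the "move it one level up" step. The demo at the bottom runs against a constructed install in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the permission bits on
# a WordPress wp-config.php against the post's advice (640, or stricter).
# Assumed: a GNU or BSD `stat`; paths are supplied by the caller.

# Octal permission bits of a file (e.g. 644), working with both GNU and BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Locate wp-config.php for a WordPress root. WordPress also loads it from the
# directory above the install (the "move it one level up" step), so check both.
find_wp_config() {
    if [ -f "$1/wp-config.php" ]; then
        printf '%s\n' "$1/wp-config.php"
    elif [ -f "$1/../wp-config.php" ]; then
        printf '%s\n' "$1/../wp-config.php"
    else
        return 1
    fi
}

# Succeed (return 0) only when "other" has no access and "group" cannot write:
# that accepts 640, 600 and 400 and rejects the 644/666 settings that left the
# database credentials readable in the incident described above.
wp_config_mode_ok() {
    mode=$(file_mode "$1") || return 1
    perms=${mode#"${mode%???}"}        # keep the last three digits (drop a setgid/sticky digit)
    group=${perms#?}; group=${group%?}
    other=${perms#??}
    [ "$other" -eq 0 ] && [ $((group & 2)) -eq 0 ]
}

# Report on one WordPress install; prints one line and returns 0 (ok) or 1 (weak/missing).
audit_wordpress() {
    cfg=$(find_wp_config "$1") || { echo "$1: no wp-config.php found"; return 1; }
    if wp_config_mode_ok "$cfg"; then
        echo "$cfg: mode $(file_mode "$cfg") OK"
    else
        echo "$cfg: mode $(file_mode "$cfg") WEAK - group or world can read or write it"
        return 1
    fi
}

# Stand-alone demo on a constructed install in a temporary directory.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/site"
printf '<?php define("DB_PASSWORD", "constructed-sample-only");\n' > "$demo_dir/site/wp-config.php"
chmod 644 "$demo_dir/site/wp-config.php"   # the common, wrong default
audit_wordpress "$demo_dir/site" || true   # reports WEAK
chmod 640 "$demo_dir/site/wp-config.php"   # the post's recommendation
audit_wordpress "$demo_dir/site"           # reports OK
rm -rf "$demo_dir"
```

Run it as `audit_wordpress /path/to/wordpress` for each install on a shared host; a non-zero exit marks a file that still needs `chmod 640`. Note that the mode check alone does not detect the cross-account read that Mullenweg describes in the update below, which depends on how the host isolates users (suexec and similar), not on the file's bits.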
Update 4/13/10 4:00 PM – Mullenweg comments
WordPress founder Matt Mullenweg personally addressed the issue of WordPress blogs (hosted on Network Solutions) being hacked.
WordPress, like all other web applications, must store database connection info in clear text. Encrypting credentials doesn’t matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system — like they appeared to have in this case — it is trivial to obtain the keys and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?
Apparently the WordPress hacks on Network Solutions-hosted blogs were a result of host provider negligence and not client negligence or buggy WordPress installs.
A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years.
Thanks for straightening that out Matt. It didn’t quite make sense that all of the WordPress blogs exploited had incorrect file permission settings.
Tags: blog security, security
:O I didn’t know about this. Recently I came to know that CERT has also issued a high alert for Cyber Attacks
As far as I know, WordPress is giving liberty in file permissions to make sure that WordPress will not have any issue with any web hosting…
Thanks, I have been looking around trying to figure out what my wp-config should be set at … much appreciated!
Most blog owners will not know which user is running the webserver.
chmod to 644 will always make sure the webserver can read wp-config.php. So you can chmod 640 if the file is owned by the webserver. Even 600 is OK.
This problem at Network Solutions is the case of an internal user who probably owns one of these blogs. This user knows the path to wp-config.php in the filesystem, and he can create a PHP file that reads the wp-config.php file in his browser.
For an outside user, this is not possible if the file is 640.
Thanks for these security tips. Because of too much automation, we often neglect to set the right CHMOD for the wp-config.php file. So it’s 640.
[...] of this behaviour happened in 2010 when hundreds of WordPress installations were hacked due to a defective configuration of a shared hosting by Network Solutions, that allowed the hackers to access the data from other [...]
I was still looking to make my WordPress blog more secure and this article solved my problem. Thanks for sharing.