Making things a little more difficult to run exploits on compromised WordPress sites
I was called in to fix a number of WordPress sites that had been hacked. Many were running older versions of WordPress and thankfully weren't running with SetUID, so the damage was limited to exploit scripts running in some of the world-writeable directories.
After cleaning up the sites, upgrading them to the latest version of WordPress and scanning for additional exploits, I added a number of rules to each of the Apache VirtualHost configs on the client's server.
<Directory /var/www/domain.com/wp-content/uploads/>
    AllowOverride none
    RemoveHandler .cgi .pl .py
    <FilesMatch "\.(php|p?html?)$">
        SetHandler none
    </FilesMatch>
</Directory>

<Directory /var/www/domain.com/wp-content/cache/>
    AllowOverride none
    RemoveHandler .cgi .pl .py
    <FilesMatch "\.(php|p?html?)$">
        SetHandler none
    </FilesMatch>
</Directory>
These rules go in the VirtualHost configuration and prevent PHP, CGI, Perl and Python files from being executed in the two directories that WordPress is allowed to write to. To prevent other tampering, AllowOverride none stops an attacker from creating a directory and dropping in their own .htaccess that would re-enable PHP or CGI parsing there.
Since making these changes, we've seen a few files dropped into the uploads directory, but none have been executable.
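To notice those dropped files without waiting for a second incident, here is an added audit script (not code from the original post or from WordPress) that walks the same two directories and reports anything matching the post's extension list plus any .htaccess; it goes further than the post's FilesMatch by also flagging double extensions such as shell.php.jpg. The /var/www/domain.com/wp-content path is the post's own; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or WordPress): audit the two
# directories the VirtualHost rules cover for files they exist to neutralise.
# It never touches Apache; it lists what has been dropped so the files can be
# removed and the upload path that let them in can be investigated.
#
# Usage: audit_writable_dirs /var/www/domain.com/wp-content

# Extensions from the post: the handlers it removes (.cgi .pl .py) and the
# FilesMatch pattern \.(php|p?html?)$. The trailing (\.[^./]+)* goes further
# than the post: it also flags double extensions such as shell.php.jpg.
# The post's "$"-anchored FilesMatch does not cover those, and on servers
# where PHP is wired in with AddHandler, Apache can treat "php" in the middle
# of a multi-extension name as the handler, so such a file could still run.
SCRIPT_EXT_RE='\.(php|p?html?|cgi|pl|py)(\.[^./]+)*$'

# Print every suspicious path under $1/uploads and $1/cache, one per line.
# A .htaccess is reported too: AllowOverride none makes it inert, but its
# presence means someone tried to re-enable script parsing.
list_suspicious() {
    base=$1
    for d in "$base/uploads" "$base/cache"; do
        [ -d "$d" ] || continue
        find "$d" -type f 2>/dev/null \
            | grep -E "/\.htaccess$|$SCRIPT_EXT_RE" || true
    done | sort
}

# Exit status 0 when both directories are clean, 1 when anything was found
# (the offending paths are printed), so it can run from cron with alerting.
audit_writable_dirs() {
    found=$(list_suspicious "$1")
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}
```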
February 4th, 2014 at 11:54 am
I was wondering. How about you change the “Directory” tag for a “DirectoryMatch” instead?
Using something like:
DirectoryMatch "^/.*/wp-contents/uploads/"
Would make the blocks re-usable in all your WordPress vhosts.