{"id":1574,"date":"2013-09-30T12:26:37","date_gmt":"2013-09-30T16:26:37","guid":{"rendered":"http:\/\/cd34.com\/blog\/?p=1574"},"modified":"2014-12-13T19:29:19","modified_gmt":"2014-12-14T00:29:19","slug":"making-things-a-little-more-difficult-to-run-exploits-on-compromised-wordpress-sites","status":"publish","type":"post","link":"https:\/\/cd34.com\/blog\/web-security\/making-things-a-little-more-difficult-to-run-exploits-on-compromised-wordpress-sites\/","title":{"rendered":"Making things a little more difficult to run exploits on compromised WordPress sites"},"content":{"rendered":"

I was called in to fix a number of WordPress sites that had been hacked. Many were running older versions of WordPress and thankfully weren’t running SetUID<\/a>, so, the damage was limited to exploit scripts running in some of the world writeable directories.<\/p>\n

After cleaning up the sites, upgrading them to the latest version<\/a> of WordPress and scanning for additional exploits, I added a number of rules to each of the Apache VirtualHost configs on his server.<\/p>\n

\r\n<Directory \/var\/www\/domain.com\/wp-content\/uploads\/>\r\nAllowOverride none\r\nRemoveHandler .cgi .pl .py\r\n<FilesMatch \"\\.(php|p?html?)$\">\r\n  SetHandler none\r\n<\/FilesMatch>\r\n<\/Directory>\r\n\r\n<Directory \/var\/www\/domain.com\/wp-content\/cache\/>\r\nAllowOverride none\r\nRemoveHandler .cgi .pl .py\r\n<FilesMatch \"\\.(php|p?html?)$\">\r\n  SetHandler none\r\n<\/FilesMatch>\r\n<\/Directory>\r\n<\/pre>\n
These rules need to be placed in the VirtualHost configuration and prevent PHP, cgi scripts, Perl and Python files from being executed in the two directories that WordPress is allowed to write to. To prevent other tampering, we disallow Overrides which prevents hackers from creating a directory and including their own .htaccess that would enable PHP or CGI to be parsed.<\/p>\n
Since making these changes, we’ve seen a few files dropped into the uploads directory, but, none have been executable.<\/p>\n
\n
<\/div>\n<\/fb:like>\n<\/div>
<\/div>","protected":false},"excerpt":{"rendered":"
I was called in to fix a number of WordPress sites that had been hacked. Many were running older versions of WordPress and thankfully weren’t running SetUID, so, the damage was limited to exploit scripts running in some of the world writeable directories. After cleaning up the sites, upgrading them to the latest version of […]<\/p>\n
\n
<\/div>\n<\/fb:like>\n<\/div>
<\/div>","protected":false},"author":15,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[137],"tags":[181,159,26],"class_list":["post-1574","post","type-post","status-publish","format-standard","hentry","category-web-security","tag-apache2","tag-htaccess","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/cd34.com\/blog\/wp-json\/wp\/v2\/posts\/1574","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cd34.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cd34.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cd34.com\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/cd34.com\/blog\/wp-json\/wp\/v2\/comments?post=1574"}],"version-history":[{"count":2,"href":"https:\/\/cd34.com\/blog\/wp-json\/wp\/v2\/posts\/1574\/revisions"}],"predecessor-version":[{"id":1576,"href":"https:\/\/cd34.com\/blog\/wp-json\/wp\/v2\/posts\/1574\/revisions\/1576"}],"wp:attachment":[{"href":"https:\/\/cd34.com\/blog\/wp-json\/wp\/v2\/media?parent=1574"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cd34.com\/blog\/wp-json\/wp\/v2\/categories?post=1574"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cd34.com\/blog\/wp-json\/wp\/v2\/tags?post=1574"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}