Arbitrary File Deletion Flaw Present in WordPress Core

The security community has been abuzz this week following the disclosure of a vulnerability present in all current versions of WordPress. The flaw, published in a detailed report by RIPS Technologies, allows any logged-in user with an Author role or higher to delete files on the server.

This post is Copyright 2018 Defiant, Inc. and was published on the official blog. Republication of this post without permission is prohibited. You can find this post at:

By exploiting this arbitrary file deletion vulnerability, malicious actors can pivot and take control of affected sites. The report contains the complete details of the vulnerability, but we’ve summarized it for more casual consumption.

It’s important to note that while the impact of this flaw can be severe on affected sites, it is a post-authentication issue: an attacker must first obtain valid Author-level (or higher) credentials, which greatly limits who can exploit it.

Vulnerability Summary

In a standard WordPress installation any logged-in user with a role of Author or higher can upload media attachments (images, for example) and edit their metadata, such as descriptions. A flaw in the process of updating attachment metadata allows a malicious user to store unsanitized input as the filename of the attachment’s thumbnail. When an attachment is deleted from the media library, WordPress also removes its thumbnail files, building their paths from that stored value. By supplying a relative path to a targeted file as the “thumbnail” of an image, an attacker causes that file to be deleted alongside the real thumbnails when the image is deleted.

Several potential consequences of an arbitrary file deletion vulnerability were discussed in the disclosure report but, most critically, a site’s wp-config.php file can be deleted. With no wp-config.php in place, WordPress behaves as though it has not yet been installed and presents the installation process. From this point, the attacker can walk through that installation using database credentials of their choosing and create an administrator account for themselves, which they can then use to upload and execute any other scripts they wish.
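As an added illustration (this is not WordPress core’s code and not the RIPS report’s proof of concept), the following stand-alone PHP models the thumbnail-cleanup logic the summary describes beside a hardened version. The function names are stand-ins, the directory tree it builds is a constructed throwaway copy of a WordPress layout, and the "thumb" value is the attacker-controlled input; the real logic lives in WordPress’s attachment deletion path.

```php
<?php
// Added example, not WordPress core or the RIPS report's code: a stand-alone
// model of the thumbnail-cleanup logic the summary describes, beside a hardened
// version. Function names are stand-ins. Requires PHP 7.1+.

// Vulnerable shape: the thumbnail path is derived by swapping the attachment's
// own filename for the stored "thumb" value, then joined under the uploads
// directory. Nothing stops the value from containing "../" segments.
function thumb_path_vulnerable(string $uploadsDir, string $attachedFile, string $thumb): string
{
    $thumbFile = str_replace(basename($attachedFile), $thumb, $attachedFile);
    return $uploadsDir . '/' . $thumbFile;
}

// Hardened shape: a thumbnail is a bare filename that lives beside the
// attachment, so reduce the value to its basename and, belt and braces,
// refuse anything that does not resolve inside the uploads directory.
function thumb_path_hardened(string $uploadsDir, string $attachedFile, string $thumb): ?string
{
    $thumb = basename($thumb);          // "../../../../wp-config.php" becomes "wp-config.php"
    $thumbFile = str_replace(basename($attachedFile), $thumb, $attachedFile);
    $realBase = realpath($uploadsDir);
    $realTarget = realpath($uploadsDir . '/' . $thumbFile);
    if ($realBase === false || $realTarget === false) {
        return null;                    // nothing to delete (or no uploads dir at all)
    }
    if (strncmp($realTarget, $realBase . DIRECTORY_SEPARATOR, strlen($realBase) + 1) !== 0) {
        return null;                    // resolved outside the uploads directory: refuse
    }
    return $realTarget;
}

// Demo against a constructed, throwaway directory tree that mirrors a WordPress
// layout: wp-config.php at the root, uploads under wp-content/uploads/YYYY/MM.
function demo(): array
{
    $root = sys_get_temp_dir() . '/wpdemo_' . bin2hex(random_bytes(4));
    $uploads = "$root/wp-content/uploads";
    mkdir("$uploads/2018/06", 0700, true);
    file_put_contents("$root/wp-config.php", "<?php // constructed stand-in config\n");
    file_put_contents("$uploads/2018/06/image.jpg", 'constructed image bytes');
    file_put_contents("$uploads/2018/06/image-150x150.jpg", 'constructed thumbnail bytes');

    $attachedFile = '2018/06/image.jpg';         // relative path WordPress stores for the upload
    $legitThumb   = 'image-150x150.jpg';         // what a genuine thumbnail entry looks like
    $evilThumb    = '../../../../wp-config.php'; // attacker-supplied "thumb": four levels up

    $result = [
        'vulnerable_resolves_to' => realpath(thumb_path_vulnerable($uploads, $attachedFile, $evilThumb)),
        'hardened_accepts_legit' => thumb_path_hardened($uploads, $attachedFile, $legitThumb),
        'hardened_rejects_evil'  => thumb_path_hardened($uploads, $attachedFile, $evilThumb) === null,
    ];

    // Perform the deletion the vulnerable code would perform on attachment removal.
    unlink(thumb_path_vulnerable($uploads, $attachedFile, $evilThumb));
    $result['wp_config_survives'] = file_exists("$root/wp-config.php");

    return $result;
}

print_r(demo());
```

Run it with `php demo.php`; it writes only under the system temp directory. The hardened variant makes two independent decisions: `basename()` removes the traversal outright, and the `realpath()` containment check guarantees that even a bug elsewhere in path construction can never point the `unlink()` outside the uploads directory.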

What To Do

Until an official update is released to patch the flaw, we’ve pushed an update to the Wordfence firewall to prevent this vulnerability from being exploited. Premium Wordfence users will have received the update before this article publishes, while free users will receive it thirty days later.

In the absence of the protection of our firewall, remember that an attacker must have access to a user account with Author permissions or higher. While this does strictly limit the attack surface of this vulnerability, be advised that credential stuffing attacks have increased in value, as there is now a larger pool of active accounts with the effective ability to take down a site. Wordfence includes robust login security features, including the leaked password protection we released in March.

Please help create awareness of this vulnerability in the WordPress community, because many WordPress site owners are not aware of the risks of unsecured ‘Author’ level accounts.

The post Arbitrary File Deletion Flaw Present in WordPress Core appeared first on Wordfence.


Do You Need a WordPress Security Plugin?

At Wordfence we are a big team these days with millions of customers, and we think about security all day long. Sometimes we can get deep down the proverbial rabbit hole and forget about the basics.

I recently overheard someone asking “Do I really need a WordPress security plugin?” and I realized this is a perfectly valid question. If you are not in the security industry, you might ask it.

I know that many of you are well versed in security already – and WordPress security in particular. Perhaps that is why you are reading this post or subscribe to our mailing list. What I would like to provide you with in this post is a way to answer the question of “Do I need a WordPress security plugin?” to friends, family and colleagues that is both enlightening and easy to understand.

If you are new to WordPress, I hope this post helps increase your understanding of WordPress security.

Physical Security compared to WordPress Security

Many people think about WordPress security in the same way that they think about physical security in the real world. In the physical world, we might build a facility like a bank that needs to be secured. We build barriers to entry and access controls as part of the construction project.

Once the project is complete, we have a secure facility with walls, gates, secure entry and exit, cameras, access controls and human personnel to implement security procedures as people enter and exit. The physical construction does not change much over time, once the project is completed.

You are unlikely to discover that the concrete you used to build a wall for your bank is now vulnerable and needs to be replaced. A wall is still difficult to penetrate, and a locked gate with a guard will still be quite effective a few months from now.

It is easy to make the mistake of thinking about WordPress security in the same way. If you build your WordPress website on software that is secure today and implement good security policy and controls, one might think the website would behave the same way. In other words, one might think a website that is secure today should still be secure a few months from now if it doesn’t change.

That is not the case and I’m going to explain why. If you build a website using the newest software that has been verified to be secure and you implement good security policy, your website does not change, but the environment it is operating in changes. Attackers continually research the software that powers your website and vulnerabilities are eventually discovered in most popular online software.

Therefore the problem is that, while your website software starts off secure, it almost always ends up being insecure without anything changing on your website. It’s not your fault or the fault of the person who created your website. It is just the way of the online world. This differs from our building metaphor above in that a secure building doesn’t usually end up insecure a couple of months after being built without anything in the building changing. But a website does.

In fact, this is an ongoing cycle. Vulnerabilities are discovered, attackers start using them and ultimately if you are a responsible WordPress site owner, you upgrade your site regularly to fix those vulnerabilities. Then new vulnerabilities are discovered in new versions and the cycle repeats.

The Time Gap Between Vulnerability Knowledge and Installation of a Security Fix

You might build a new website with the latest secure versions of WordPress and all of the relevant plugins and a theme. As time passes, vulnerabilities are discovered in your plugins, theme and the version of WordPress core you are using. Those vulnerabilities (or security holes) become public knowledge at some point.

There is usually a delay between when the vulnerability becomes public knowledge and when you get around to installing a fix. Even when a fix is automatically released by the WordPress security team, the vulnerability may have been public knowledge for some time. This was the case with the recent PHPMailer vulnerability, where several weeks passed before a patch appeared in WordPress core and was automatically deployed.

A WordPress security plugin provides many valuable functions, but at its most basic, a WordPress security plugin protects your website from attacks during the time it is vulnerable.

We do this in two ways. Wordfence provides a firewall that has rules that are constantly updated. At Wordfence, when we learn about a new security hole in software that you might use, we release a firewall rule to your site that allows Wordfence to block hackers from exploiting that security hole.

The second way we protect you is by providing a malware scan. Wordfence detects thousands of malware variants. If the worst happens and somehow a hacker does manage to penetrate your website, Wordfence alerts you to the presence of malware on your website and even helps you find it and remove it. Our malware signatures are also continually updated.

As many of you know, our Threat Defense Feed is what distributes new firewall rules and malware signatures to your Wordfence security plugin. Our Premium customers receive these in real-time. Free customers are delayed by 30 days.

Protecting You When You’re Vulnerable is What We Do

Wordfence provides many other security functions including two factor authentication, country blocking, brute force protection, rate limiting and more. But the most important function we provide is this: Wordfence protects your WordPress website once vulnerabilities are discovered in your previously secure website and before you have installed a fix.

Most websites are hacked as a result of an attacker gaining entry by exploiting a vulnerability in the website software. By using an effective WordPress firewall like Wordfence with a real-time Threat Defense Feed, you are protected, even if your website suffers from a vulnerability.

I hope this has helped provide a fundamental understanding of the most important reason you or someone you know needs a WordPress security plugin like Wordfence. As always I welcome your feedback in the comments below.

Stay safe!

Mark Maunder – Wordfence Founder/CEO.

Thanks to Dan Moen for editing this post. 

The post Do You Need a WordPress Security Plugin? appeared first on Wordfence.


Wordfence Integrates Malware Scan Into Firewall

If you’ve been using the Wordfence Firewall for a while, you may have noticed that our firewall ruleset has been growing steadily over the past few months. This happens as we turn new threat intelligence into firewall rules and release them into production to protect your website.

The Wordfence Firewall protects you against attackers hacking into your website using known weaknesses like the vulnerabilities that have been exploited in Timthumb, Mailpoet, Gravity Forms, Slider Revolution and many others.

We also protect against many zero day vulnerabilities that aren’t yet known to the public but are known to us exclusively. These rules protecting against zero day vulnerabilities are unique to Wordfence.

We also protect against vulnerabilities that haven’t yet been discovered by using a smart ruleset that recognizes malicious activity and blocks it.

We knew we could do better

Many firewalls only protect against common attacks that exploit vulnerabilities. One of the things we see when a site is targeted is that the attacker has a goal in mind: they want to upload malicious code so that they can execute that code on your website.

In the security industry we use the phrase “Defense in Depth”. This describes a multi-layered approach to security, so that if one layer of security doesn’t stop an attacker, another will.

We realized if we took a multi-layered approach with our firewall, we would do an even better job of protecting our customers and have a very high probability of stopping attacks.

Announcing a new breakthrough feature

With this in mind we have integrated our scan engine into the Wordfence Firewall. This layered approach means that even if a rule that recognizes an attacker exploiting a vulnerability doesn’t block the attack, our scan rules will block the attack when the attacker tries to upload malicious content.

Last week we quietly rolled Wordfence 6.1.17 into production. This update integrates Wordfence Scan and the Wordfence Firewall. With this update, as traffic passes through the Wordfence Firewall before it hits your website, it is inspected using our full scan capability and if we find any malicious code in a request, it is blocked.

This has the effect of adding a powerful malware and virus scanner to your firewall to complement the already comprehensive ruleset that Wordfence uses to protect you. This new layer of protection is extremely fast and comes with zero performance penalty for your website.
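To make the layering concrete, here is an added stand-alone PHP example. It is not Wordfence’s code and does not use its rule or signature formats; the vulnerable endpoint, the two signatures and the sample requests are all constructed for the demo. It shows an exploit rule tied to one endpoint (layer 1) being bypassed by a renamed upload, and a content-signature pass over every uploaded file body (layer 2) catching the payload anyway.

```php
<?php
// Added example, not Wordfence's code: two independent layers inspecting the
// same upload request. Layer 1 is an exploit rule tied to one hypothetical
// vulnerable endpoint; layer 2 applies content signatures to every uploaded
// file body. Endpoint, signatures and sample requests are constructed. PHP 7.4+.

const VULNERABLE_ENDPOINT = '/wp-content/plugins/example-uploader/upload.php'; // hypothetical

// Layer 1: block the known exploit shape, an upload to the vulnerable endpoint
// whose declared filename carries a PHP-executable extension.
function exploit_rule_matches(string $uri, array $declaredFilenames): bool
{
    if (strpos($uri, VULNERABLE_ENDPOINT) === false) {
        return false;
    }
    foreach ($declaredFilenames as $name) {
        if (preg_match('/\.(?:php\d?|phtml|phar)$/i', $name)) {
            return true;
        }
    }
    return false;
}

// Layer 2: content signatures applied to uploaded bytes regardless of endpoint
// or declared filename (constructed, illustrative patterns).
const MALWARE_SIGNATURES = [
    'php.eval-decoded-payload' => '/\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(/i',
    'php.exec-from-request'    => '/\b(?:system|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST)\b/i',
];

function signature_matches(string $content): ?string
{
    foreach (MALWARE_SIGNATURES as $name => $regex) {
        if (preg_match($regex, $content)) {
            return $name;
        }
    }
    return null;
}

// Minimal multipart/form-data parser: field name => ['filename' => string|null, 'body' => string].
function parse_multipart(string $body, string $boundary): array
{
    $parts = [];
    foreach (explode("--$boundary", $body) as $chunk) {
        $chunk = ltrim($chunk, "\r\n");
        if ($chunk === '' || substr($chunk, 0, 2) === '--') {
            continue;                                   // preamble or closing "--" marker
        }
        $split = explode("\r\n\r\n", $chunk, 2);
        $headers = $split[0];
        $content = $split[1] ?? '';
        if (substr($content, -2) === "\r\n") {
            $content = substr($content, 0, -2);         // CRLF that precedes the next boundary
        }
        if (!preg_match('/\bname="([^"]*)"/', $headers, $n)) {
            continue;
        }
        preg_match('/\bfilename="([^"]*)"/', $headers, $f);
        $parts[$n[1]] = ['filename' => $f[1] ?? null, 'body' => $content];
    }
    return $parts;
}

// Run both layers in order; the first to fire decides the verdict.
function inspect_request(string $uri, string $contentType, string $body): array
{
    if (!preg_match('/boundary=("?)([^";]+)\1/', $contentType, $m)) {
        return ['action' => 'allow', 'reason' => 'not a multipart upload'];
    }
    $parts = parse_multipart($body, $m[2]);
    $files = array_filter($parts, fn($p) => $p['filename'] !== null);

    if (exploit_rule_matches($uri, array_column($files, 'filename'))) {
        return ['action' => 'block', 'reason' => 'layer 1: exploit rule'];
    }
    foreach ($files as $field => $p) {
        if (($sig = signature_matches($p['body'])) !== null) {
            return ['action' => 'block', 'reason' => "layer 2: signature $sig in field \"$field\""];
        }
    }
    return ['action' => 'allow', 'reason' => 'clean'];
}

// Builds a constructed multipart body carrying a single file part.
function build_body(string $boundary, string $filename, string $content): string
{
    return "--$boundary\r\n"
        . "Content-Disposition: form-data; name=\"file\"; filename=\"$filename\"\r\n"
        . "Content-Type: application/octet-stream\r\n\r\n"
        . $content . "\r\n--$boundary--\r\n";
}

$ct = 'multipart/form-data; boundary=XyZ123';
$webshell = "<?php eval(base64_decode(\$_POST['p'])); ?>";   // constructed payload

// Scenario 1: declared .php upload to the vulnerable endpoint (exercises layer 1).
print_r(inspect_request(VULNERABLE_ENDPOINT, $ct, build_body('XyZ123', 'shell.php', $webshell)));
// Scenario 2: same payload renamed to .jpg, which the extension rule does not cover.
print_r(inspect_request(VULNERABLE_ENDPOINT, $ct, build_body('XyZ123', 'shell.jpg', $webshell)));
// Scenario 3: an ordinary image upload to a normal endpoint.
print_r(inspect_request('/wp-admin/async-upload.php', $ct, build_body('XyZ123', 'photo.jpg', "\xFF\xD8\xFF constructed jpeg bytes")));
```

The point of the second scenario is that the exploit rule is keyed to what the attacker declares about the request, which the attacker controls, whereas the signature layer looks at what the attacker actually needs to land on disk. Production signature sets are far larger and are tuned against false positives; the two patterns here exist only to show the handoff between layers.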

This is a very exciting change because through our forensic research, our scan capability has massively increased over the past few months. This scan capability has now been added to the firewall.

Right now our free Wordfence community users are protected using 402 unique scan signatures, many of which detect multiple malware types. Our Premium Wordfence users are protected using 137 additional malware signatures. As always, these signatures will become available to free customers within 30 days of release.

We also have 163 beta signatures that we are currently testing and will be bringing online for our Premium customers over the next few days and weeks.

This new firewall detection capability has just been added to the Wordfence Firewall in a single release, which has the effect of adding hundreds of new firewall rules at once.

Bringing this new capability online for our customers is a big deal and our team worked hard to make this release happen. I’d like to extend my special thanks to our Dev and QA team who made sure that adding this new detection did not result in any false positives on your website and made sure that, as we rolled this out, the over 1.5 million websites we protect would continue to run fast and flawlessly.

Since our release last Thursday over half a million websites have upgraded to Wordfence 6.1.17 without a hitch. If you haven’t done so already, upgrade now so that you too can benefit from this new capability and protection for your WordPress website.

The post Wordfence Integrates Malware Scan Into Firewall appeared first on Wordfence.


Ask Sucuri: Differentiate Between Security Firewalls

Question: How should a website owner differentiate between Firewalls? What do they do? The term “firewall” is not new. It is common terminology in the world of technology and security, and possibly common enough that even non-technical people have a basic understanding of what a firewall is. Its meaning actually extends beyond security. The brick walls that

The post Ask Sucuri: Differentiate Between Security Firewalls appeared first on Sucuri Blog.