WordPress is known for its ease of installation, generally taking five minutes or less. But there’s a considerable risk involved in manually installing it on a web host. Earlier this month, Vladimir Smitka, a security researcher from the Czech Republic, highlighted the risk in detail. Upon sharing the article on Twitter, I noticed quite a few people who exclaimed that they had no idea about this attack vector, myself included.
Most web hosts create an SSL certificate when setting up an account and the certificates become public knowledge. Attackers can use the Certificate Transparency Log to detect new entries and target new WordPress installations. Between the time of uploading files to the web host and completing the WordPress installation, attackers can compromise a site by configuring it to install into a database of their choosing with credentials they know. It can happen so fast that site administrators can mistakingly attribute the lack of entering database details during the install to assuming the web host did it for them.
At this point, the attacker has full access to the site, can log in at will as an administrator, or perform various harmful actions. Smitka set up a honeypot to monitor what attackers were doing and discovered that most of them installed web shells, malicious plugins, file managers, and emailer scripts to send out spam.
The easiest way to prevent this type of attack from occurring is to not install WordPress manually. But if you have to, Smitka recommends limiting access to the installer by adding a .htaccess file in the wp-admin folder. You can also add an MU plugin that he created that will prevent anything from being changed after installation. Smitka says the safest method to manually install WordPress is to use WP CLI.
One of the methods Smitka proposes to fix the installer is for it to require a special install key. This key could be generated in the install-key.php file and would be required before being able to fill in the database details. You can see a proof of concept in the following video.
If your site is compromised during installation, Smitka recommends starting over with a fresh site, since the attacker has access to all of the data and can either change the passwords at will or have any number of ways of accessing the site.
This Security Issue is Not New
It must be noted that what Smitka has discovered is not a new vulnerability. Mark Maunder of Wordfence wrote about the issue back in 2017. He also suggests using a modified .htaccess file to safely install WordPress.
What’s interesting is that the documentation on WordPress.org on what to know before installing WordPress makes no mention of this issue. Considering the circumstances, I believe it needs to be mentioned on that page along with providing details for the .htaccess file or at least strongly encouraging users to avoid manual installations and use automated solutions instead.
Want to find out more about the latest in WordPress development? Subscribe to Torque’s email newsletter for a weekly dose of the freshest WordPress content from the brightest minds in the industry.