Attack against wp-config.php~ (with a tilde)
-
I work at a hosting company where one of our customer’s WordPress sites was hacked today. It was done by a “hacker” who discovered the WordPress database password due to an unfortunate user error. The way it happened was interesting and might affect others, so I thought I’d share it.
(I want to emphasize that this is NOT a security problem in WordPress. It could happen with any PHP script.)
The customer had, at some point, edited their “wp-config.php” file with a text editor that automatically created a backup copy with the name “wp-config.php~”, with a tilde at the end.
The hacker then simply requested “https://domainname/wp-config.php~” and was able to view the source, because the server didn’t think it was a PHP file. It looks like hackers are actively running automated bots that look for that filename.
Normally, getting the database password doesn’t do a hacker any good on our system, because we don’t allow remote MySQL connections by default. But in this case, the customer had intentionally enabled remote connections to the database for other reasons, ignoring the security warning.
So then the hacker made a MySQL connection, modified the password of the admin user, and had full access.
Several lessons are clear from this:
- WordPress users should make sure they don’t edit wp-config.php, or any other security sensitive .php file, with an editor that creates “~” backups. Hackers are actively searching for a file named “wp-config.php~”; make sure you don’t have one on your site.
- Hosting companies should prevent access to filenames ending in “.php~”. (We’ve done that; our blog post has a mod_security rule that others can use if interested.)
- Writers of text editors should not create file backups with names that change the file extension. Those extensions are sometimes used for access control.
- This is almost certainly solving the problem in the wrong place, but just to throw the idea out there: the default WordPress .htaccess rules could include a line to forbid requests for “.php~” files.
Hope this information is useful to someone.
- The topic ‘Attack against wp-config.php~ (with a tilde)’ is closed to new replies.