WordPress Plugin Security Concerns

A WordPress plugin is, by definition, code that runs inside the core of your site and lets you change its appearance, security, or other settings. Given the access plugins get and the sheer number of them out there, is there any way to be sure they are secure? I have posted several times about plugins with security vulnerabilities that let hackers and script kiddies download your wp-config.php file, gain access to your root, or make themselves an admin. Is there truly a way to protect yourself from probing attacks?

As I write this post, I am reviewing the probe requests hitting my site:

/wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php
/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php
/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php
/wp-content/plugins/db-backup/download.php?file=../../../wp-config.php
/wp-content/plugins/advert-manager-plugin/readme.txt
/store/js/mage/cookies.js
/js/mage/cookies.js
/shop/js/mage/cookies.js
/wp-content/plugins/360-product-rotation/readme.txt
/wp-content/plugins/robotcpa/f.php?l=cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBoc
/wp-config.php.bak
/wp-content/plugins/hello.php?module
/wp-content/plugins/contus-video-gallery/hdflvplayer/download.php?f=../../../../wp-config.php
/wp-content/plugins/acismittop/akismet.php
/wp-content/themes/twentyfourteen/license.php
/wp-admin/includes/images.php?php
/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo
/wp-content/backup-wp/
/wp-admin/js/mssqli.php
/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
/wp-content/plugins/wp-db-ajax-made/wp-ajax.php
/js/jquery.uploadify/uploadify.css
/wp-admin/network/wp-error-log.php
/wp-content/plugins/cip4-folder-download-widget/cip4-download.php?target=wp-config.php&info=wp-config.php

So you get the picture. I am not a security expert. I watch my site like a hawk, check the logs regularly, and adapt to the probes. Sharing this information with fellow site designers so they can keep their sites secure is a necessity. Only by sharing vulnerabilities can we stop them from working.
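Checking the logs for exactly these probes is something you can script. The following is an added example written for this post, not code from the original author: it parses combined-format access log lines, flags the request patterns shown above (traversal to wp-config.php, plugin and theme readme/license fingerprinting, and base64-encoded php:// wrapper arguments such as the robotcpa probe), and counts hits per source address. The log lines are constructed for the demonstration, using documentation IP addresses; the base64 payload is a complete encoding of the php://filter string rather than the truncated one in the list above.

```python
"""Flag WordPress probe requests in combined-format web server access logs.

Added example, not code from the original post. The log lines are
constructed for the demonstration (RFC 5737 documentation addresses); the
patterns mirror the probes listed in the post: traversal to wp-config.php,
readme/license fingerprinting, and base64-encoded php:// wrapper arguments.
"""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Apache/Nginx combined format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files that only serve to confirm a plugin or theme is installed.
FINGERPRINT_RE = re.compile(
    r"^/wp-content/(plugins|themes)/[^/]+/(readme\.txt|license\.php|license\.txt)$", re.I
)


def decoded_query_values(raw_query):
    """Yield the base64-decoded form of every query value that is valid base64.

    Values are split by hand so '+' is not turned into a space (parse_qs would
    do that and corrupt base64); anything that is not base64 is skipped.
    """
    for pair in raw_query.split("&"):
        _, _, value = pair.partition("=")
        value = unquote(value)
        padded = value + "=" * (-len(value) % 4)
        try:
            yield base64.b64decode(padded, validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            continue


def classify_request(target):
    """Return the reasons a request target looks like a probe ([] if benign)."""
    parts = urlsplit(target)
    path = unquote(parts.path)          # also catches %2e%2e%2f-style encoding
    query = unquote(parts.query)
    full = path + "?" + query
    reasons = []
    if "../" in full or "..\\" in full:
        reasons.append("directory traversal")
    if "wp-config" in full.lower():
        reasons.append("wp-config.php access")
    if FINGERPRINT_RE.match(path):
        reasons.append("plugin/theme fingerprint file")
    if any("php://" in v or "wp-config" in v for v in decoded_query_values(parts.query)):
        reasons.append("encoded php:// wrapper / config reference")
    return reasons


def scan_log(lines):
    """Return (ip, target, status, reasons) for every line that looks like a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # malformed line: skip rather than crash
        reasons = classify_request(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target"), int(m.group("status")), reasons))
    return hits


def probes_per_ip(hits):
    """Count flagged requests per source address; repeat offenders are block-list candidates."""
    counts = {}
    for ip, _target, _status, _reasons in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample log. _B64 is a complete encoding of the php://filter payload.
_B64 = base64.b64encode(b"php://filter/resource=../../../wp-config.php").decode()
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2015:13:55:36 +0000] "GET /wp-content/plugins/db-backup/download.php?file=../../../wp-config.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2015:13:55:37 +0000] "GET /wp-content/plugins/360-product-rotation/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    f'203.0.113.10 - - [10/Oct/2015:13:55:38 +0000] "GET /wp-content/plugins/robotcpa/f.php?l={_B64} HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2015:13:56:01 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 404 209 "-" "curl/7.43.0"',
    '198.51.100.7 - - [10/Oct/2015:13:56:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 209 "-" "curl/7.43.0"',
    '192.0.2.55 - - [10/Oct/2015:13:57:10 +0000] "GET /2015/10/hello-world/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [10/Oct/2015:13:57:11 +0000] "GET /wp-content/themes/twentyfourteen/style.css HTTP/1.1" 200 20312 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, status, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {target} -> {', '.join(reasons)}")
    print(probes_per_ip(scan_log(SAMPLE_LOG)))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines. The status code matters: a 404 means the plugin is not there, while a 200 on one of these paths is the line to investigate first.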

So, a simple fix for all of these probes: change the WordPress default folder names. Cool idea, yet anyone determined to break in will spot the changes with a few clicks around your site and then adapt the script(s) they are running. What about the plugins you use? Would renaming them or the plugin folder help? How would this affect updates?

Suffice it to say, you can, with a few downsides. First, plugin developers do not all follow the same coding habits when it comes to referencing directories in WordPress. Some developers hard-code the path /wp-content/… or /themes/… or /plugins/… instead of resolving it dynamically. If you change the folder name, that is not all you have to do. Let's say you want to rename the wp-content folder to “test”; what do you do once that is done? Just renaming the folder breaks/deactivates the plugins, because WordPress can no longer see them. So you have to edit wp-config.php to tell WordPress where the new folder is. The image below shows the edits that are needed:

Secondly, any update will almost certainly undo the folder renames you have made, whether it is a plugin update or a WordPress core update. Be prepared to re-edit files and folders after every update, especially when only a few files get updated and some of your edits survive the update: then you have a broken site until someone catches it.

So what about the plugins themselves? Basically, you want the probes to come back as 404 pages; any way you can make that happen securely is what matters. Deleting files that are not needed, like readme.txt and license.php, helps as well. If you rename a plugin's folder, it is deactivated in the admin area. If you want to keep it renamed, you need to make some edits inside the folder too. Every plugin has a file named after the plugin in its folder. For example, say you download testing123, a new plugin that just came out. Once you have uploaded it manually or installed it from your admin panel, you can rename the folder with cPanel or FTP. After renaming the folder from testing123 to whatever you choose, go into the newly named folder and rename the old file “testing123.php” to match the folder name you chose. Ta-da: you now have a plugin that should not get probed (unless you rename it to the name of some other plugin that actually exists and is used in WordPress).

Granted, this is a workaround, but what about updates? It truly depends on the plugin author, as well as trial and error, to find out whether you need to redo your edits after every update. That being said, the end result is: protect your sites!! These little tricks and tweaks can save you much heartache in the long run. As always, update, update, and update some more. Delete files that have no use and can be used to identify plugins (active or not).
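Because updates put readme.txt and license files back, the deletion step above has to be repeated, which makes it worth scripting. The following is an added example, not code from the original post: it walks a wp-content tree, lists the fingerprint files in each plugin and theme folder, and removes them only when asked. The file-name list and the sample wp-content tree are constructed assumptions for the demonstration; point it at a real wp-content directory to audit a live install.

```python
"""Audit a WordPress wp-content tree for files that let a scanner confirm which
plugins and themes are installed (readme.txt, license.php and friends).

Added example, not code from the original post. The wp-content tree is
constructed in a temporary directory so the script runs offline; the file
name list is an assumption based on the probes shown in the post.
"""
import tempfile
from pathlib import Path

# Names that probes request to confirm a plugin or theme is present (constructed list).
FINGERPRINT_FILES = {"readme.txt", "readme.md", "license.txt", "license.php", "changelog.txt"}


def find_fingerprint_files(wp_content):
    """Return wp-content-relative paths of fingerprint files in each plugin/theme folder."""
    root = Path(wp_content)
    found = []
    for area in ("plugins", "themes"):
        base = root / area
        if not base.is_dir():
            continue
        for folder in sorted(base.iterdir()):
            if not folder.is_dir():
                continue                       # single-file plugins such as hello.php
            for entry in sorted(folder.iterdir()):
                if entry.is_file() and entry.name.lower() in FINGERPRINT_FILES:
                    found.append(entry.relative_to(root).as_posix())
    return found


def remove_fingerprint_files(wp_content, dry_run=True):
    """Delete the files found, or with dry_run=True only report them. Returns the list.

    Plugin and core updates recreate these files, so re-run this after every update.
    """
    targets = find_fingerprint_files(wp_content)
    if not dry_run:
        for rel in targets:
            (Path(wp_content) / rel).unlink()
    return targets


def build_sample_install():
    """Create a constructed wp-content tree in a temp dir and return its path."""
    tmp = Path(tempfile.mkdtemp(prefix="wp-content-"))
    layout = {
        "plugins/hello.php": "<?php /* Plugin Name: Hello Dolly */",
        "plugins/akismet/akismet.php": "<?php /* Plugin Name: Akismet */",
        "plugins/akismet/readme.txt": "=== Akismet ===",
        "plugins/akismet/LICENSE.txt": "GPLv2",
        "plugins/testing123/testing123.php": "<?php /* Plugin Name: testing123 */",
        "plugins/testing123/readme.txt": "=== testing123 ===",
        "themes/twentyfourteen/style.css": "/* Theme Name: Twenty Fourteen */",
        "themes/twentyfourteen/license.php": "<?php // placeholder",
    }
    for rel, content in layout.items():
        path = tmp / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return str(tmp)


if __name__ == "__main__":
    install = build_sample_install()
    for rel in remove_fingerprint_files(install, dry_run=True):
        print("would remove:", rel)
```

The dry run is the default on purpose: review the list once, then run with dry_run=False from a cron job after each update window. Keep in mind that this only removes the easy fingerprints; a plugin's own PHP files still answer requests, which is the part the renaming trick above addresses.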
