Many website owners and developers harden their default WordPress installations by disabling the backend theme and plugin editor, which otherwise permits direct editing of the code in every theme or plugin file.
This is a common approach, and one that attackers are well aware of. That is no surprise, since attackers know the potential attack surface of WordPress websites.
Hardening aims to reduce the attack surface by securing a site against possible security problems and known weaknesses.
Attackers also know that the more functionality a site exposes, the more potential entry points there are to exploit.
WordPress contains a feature that enables website administrators to disable the theme and plugin file editors and installers.
After compromising a site, an attacker may add the following file to it in order to reverse the hardening commonly applied in the WordPress configuration file, wp-config.php:
You can open a text editor like Leafpad in Kali Linux, copy and paste the above code into a new file, and save the file:
Bear in mind that an attacker can place the PHP file in a subdirectory of /wp-admin/, such as /wp-admin/maint/.
In terms of naming your new PHP script, you can get creative.
Once run, the PHP script (replace.php) searches for the WordPress configuration file (wp-config.php) two directory levels above its own location (../../). It then uses str_replace to look for DISALLOW_FILE_EDIT and DISALLO
Examining the script further, we can see that it performs one more action after modifying the configuration file's contents: it calls the touch function to reset the modification timestamp of wp-config.php in order to evade detection.
An attacker may therefore add this PHP script to the victim server to further undermine the security of the website. Once the editors and installers are re-enabled, the attacker can use the theme and plugin installers in the WordPress admin area, typically to install a backdoor and retain access to the compromised site.
Keep in mind that the WordPress configuration file (wp-config.php) is one of the most important files in a WordPress installation. It is located in the root of the WordPress directory and holds the site's configuration details, including
There are, of course, several other methods attackers use to compromise a site without relying on the theme and plugin editors or installers.
Attackers may retain access to a compromised WordPress site by uploading a PHP web shell. They can also use tools such as WPScan and Metasploit to attack a WordPress site and undermine its overall web application security.
Skilled hackers already know what the best PHP web shells are.
File integrity monitoring (FIM) is useful for detecting whether a site has been compromised, because it is not deceived by modification timestamps that an adversary has altered.
File integrity monitoring is intended to notify site administrators as soon as any file is modified relative to the last known-good configuration or baseline.
There are various other ways for WordPress site owners to improve the security of their sites.
Checking For Backdoors
To check whether your server has any recently modified files, you can run the following command in your terminal, provided you have an SSH connection established:
The command above lists any files modified within the last 15 days. You can choose any number of days, but bear in mind that the further back you go, the more noise the output will contain. Remember, too, that timestamps may have been spoofed by an adversary.
How To Disable The File Editors And Installers In The WordPress Configuration File (wp-config.php)
A site administrator may disable the file editors and installers easily:
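As an added example (not from the original post), the following Python script shows the two hardening defines inside a constructed wp-config.php sample and demonstrates why a hash-based file integrity check of the kind described above still catches the change even when the modification timestamp has been put back. The sample configuration, the temporary directory and the function names are all assumptions made for this example.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructed sample of the relevant lines of a hardened wp-config.php:
# DISALLOW_FILE_EDIT removes the theme/plugin editors, DISALLOW_FILE_MODS
# additionally removes the theme/plugin installers and updaters.
HARDENED_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
"""
# The same file with both flags flipped, as the script described above would leave it.
WEAKENED_CONFIG = HARDENED_CONFIG.replace("true", "false")

DEFINE_RE = re.compile(
    r"""define\(\s*['"](DISALLOW_FILE_(?:EDIT|MODS))['"]\s*,\s*(true|false)\s*\)""")
HARDENING_FLAGS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")

def missing_hardening(config_text):
    """Return the hardening defines that are absent or set to false."""
    found = {name: value == "true" for name, value in DEFINE_RE.findall(config_text)}
    return [flag for flag in HARDENING_FLAGS if not found.get(flag, False)]

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def baseline(path):
    """What a FIM baseline stores for one file: a content hash and the mtime."""
    return {"sha256": sha256_file(path), "mtime_ns": os.stat(path).st_mtime_ns}

def compare(path, base):
    """(mtime_changed, content_changed) against the baseline; only the hash is trustworthy."""
    mtime_changed = os.stat(path).st_mtime_ns != base["mtime_ns"]
    content_changed = sha256_file(path) != base["sha256"]
    return mtime_changed, content_changed

def simulate_timestamp_spoof():
    """Constructed scenario: wp-config.php is weakened, then its old mtime is put back,
    which is what the touch() step described above achieves. Returns what FIM sees."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "wp-config.php"
        cfg.write_text(HARDENED_CONFIG)
        base = baseline(cfg)
        cfg.write_text(WEAKENED_CONFIG)
        os.utime(cfg, ns=(base["mtime_ns"], base["mtime_ns"]))  # restore old timestamp
        mtime_changed, content_changed = compare(cfg, base)
        return mtime_changed, content_changed, missing_hardening(cfg.read_text())
```

A timestamp-only check such as find -mtime reports nothing in this scenario, while the hash comparison flags the file and the define check names exactly which protections were removed.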
Some site owners may genuinely believe that hardening guarantees attackers cannot tamper with the site, but as we have seen, this is not the case.