How do I disable execution of malicious .php files in WordPress upload directories?
My WordPress sites are repeatedly infected by malicious .php files that get uploaded and infect other files in the system. How can I recover from these attacks and prevent it from happening in the future?
3 Replies
Prevention
While you may be able to find and remove the infected files, this will only be a temporary fix. The only way to prevent the issue from reoccurring is to cut it off at the access point. In this case, the access point is the uploads folder of your WordPress site.
Using .htaccess
When running a website, you can use a .htaccess file to create things like redirects and execution rules for your site. This allows you to stop execution of malicious PHP files in your website's upload folders as well. You can add the following code block to your .htaccess to prevent execution of PHP files in your /uploads/ directory.
# Place this in the uploads directory's own .htaccess. This is Apache 2.2
# access-control syntax; on Apache 2.4 it only works with mod_access_compat
# loaded (the native 2.4 equivalent is "Require all denied").
<Files *.php>
Deny from All
</Files>
While users may still be able to upload files, they will not be able to execute any .php files, which will prevent such files from infecting other files in your system.
Assessing an Infection
When dealing with a system compromise, it can be pretty difficult to determine the scope of an infection. This is because most intruders will create an additional point of entry, called a back door. For these instances, I typically recommend deploying a fresh instance, securing it, and then copying over the site files that you need.
If you believe your system is beyond the point of recovery and requires redeployment, I'd like to recommend the following steps:
Step 1: Create a new Linode and enable the following basic security measures.
Enable key-pair authentication
Disable remote root login and password authentication to prevent password brute forcing.
Install Fail2Ban to block IPs after multiple failed login attempts.
Set up a basic firewall with iptables
Step 2: Copy your site files from the original server to the new one using rsync.
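Putting the uploads rule from this reply into practice, as an added example that is not code from the original thread: the script below writes a .htaccess into a WordPress uploads directory and then checks that it is in place. It assumes Apache with AllowOverride All for the web root (otherwise .htaccess is ignored and the same block has to go into the vhost configuration), and the uploads path is an assumption. It goes a little beyond the reply's `<Files *.php>` rule: it also matches .phtml, .phar, .phps and .php5/.php7 names, and double extensions such as shell.php.jpg, which mod_mime can still hand to the PHP handler; and it emits both the Apache 2.4 `Require` syntax and the 2.2 `Order/Deny` syntax inside `<IfModule>` guards, because using only one of them produces a 500 for the whole uploads tree on the other version.

```shell
#!/usr/bin/env sh
# Added example, not from the original thread: deny execution of PHP-like
# files dropped into a WordPress uploads directory, via a .htaccess file.
# Assumes Apache with AllowOverride All for the web root; the uploads path
# given on the command line is also an assumption.
set -eu

# Match .php, .php5/.php7, .phtml, .phar and .phps, either as the final
# extension or followed by another one ("shell.php.jpg"): mod_mime looks at
# every extension in a name, so with an AddHandler for .php such a file can
# still reach the PHP interpreter.
PHP_PATTERN='\.(php[0-9]*|phtml|phar|phps)(\.|$)'

# Print the .htaccess body. The <IfModule> guards pick the access-control
# syntax the running Apache understands: "Require all denied" on 2.4
# (mod_authz_core), "Order/Deny" on 2.2.
render_uploads_htaccess() {
  cat <<EOF
# Refuse to serve PHP-like files from this tree.
<FilesMatch "${PHP_PATTERN}">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</FilesMatch>
# No directory listings: an attacker should not be able to browse for dropped files.
Options -Indexes
EOF
}

# Write the rules into DIR/.htaccess, readable by the Apache worker user.
install_uploads_htaccess() {
  dir="$1"
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
  render_uploads_htaccess > "$dir/.htaccess"
  chmod 0644 "$dir/.htaccess"
}

# Return 0 when DIR/.htaccess carries both deny syntaxes for PHP-like files.
htaccess_denies_php() {
  f="$1/.htaccess"
  [ -f "$f" ] || return 1
  grep -qF "<FilesMatch \"${PHP_PATTERN}\">" "$f" \
    && grep -qF 'Require all denied' "$f" \
    && grep -qF 'Deny from all' "$f"
}

# Usage (path is an assumption):
#   sh harden-uploads.sh /var/www/html/wp-content/uploads
if [ -n "${1:-}" ]; then
  install_uploads_htaccess "$1"
  htaccess_denies_php "$1" && echo "hardened $1/.htaccess"
fi
```

After installing, request a harmless test file such as uploads/test.php in a browser and confirm you get 403 rather than its output. Two caveats: this only stops Apache from serving the files directly (nginx needs an equivalent `location` rule, and PHP code that `include`s a dropped file from elsewhere is not affected), which is why the reply still recommends redeploying after a compromise; and an attacker who can write to the uploads directory can also overwrite this .htaccess, so keep it owned by a user other than the one PHP runs as.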
You must realize that many hacks don't place their malicious code in the uploads directory.
In my experience 99% of WordPress and Joomla (I use both) hacks that result in malicious files being placed on your server are from vulnerabilities in the administration area of the site. These can be vulnerabilities that exist in the CMS itself or plugins you have installed.
In addition to the suggestions in the previous post, I would suggest doing what I do and using .htaccess to require a username/password to access anything in the /wp-admin or /administrator (depending on the CMS) on your site.
This will result in your web server asking for a password first, and only if you pass that test will you get the login form for WordPress/Joomla. This stops most bots that attempt to exploit a vulnerability in your site in their tracks, because they have zero direct access to any of the PHP files under those directories.
Another thing I do on my server as a last line of defense is I have a script that runs every hour that monitors for new, deleted, or modified php files under the entire /home directory where all my sites live. If any are found I get an email with a list for me to review. Again, that script is only there in case everything else fails and I actually get hacked. At least I will know almost immediately.
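The hourly change monitor this reply describes, written out as an added example (my own code, not the poster's script): it keeps a SHA-256 manifest of every PHP-like file under a web root and prints what was added, removed or modified since the baseline, returning a non-zero status when anything changed so cron can mail the report. The paths (/home, the manifest location, the cron line) are assumptions; it needs only find, sha256sum, awk and sort. It also watches .phtml and .phar files, not just .php.

```shell
#!/usr/bin/env sh
# Added example, not the poster's own script: hourly integrity check for
# PHP files under a web root. Keeps a SHA-256 manifest (baseline) and reports
# added, removed and modified files. Paths and the cron line are assumptions.
set -eu

# Print "<sha256>  <path>" for every PHP-like file under $1, sorted by path.
# "-exec ... +" batches files into few sha256sum calls and runs nothing at
# all when the tree has no matches.
build_manifest() {
  find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) \
       -exec sha256sum {} + | sort -k 2
}

# Record the current tree as the baseline ($1 = manifest file, $2 = root).
# Run once after a clean deploy, and again after reviewing a report.
accept_baseline() {
  build_manifest "$2" > "$1"
}

# Compare the baseline ($1) with the current tree ($2). Prints one line per
# change ("added PATH", "modified PATH", "removed PATH"), sorted, and returns
# 1 if anything changed, 0 otherwise.
diff_manifest() {
  old="$1"; root="$2"
  [ -f "$old" ] || : > "$old"          # no baseline yet: everything is "added"
  new=$(mktemp)
  build_manifest "$root" > "$new"
  changes=$(awk '
    # sha256sum prints "<64 hex chars>  <path>", so the path starts at
    # column 67; substr() keeps paths containing spaces intact.
    FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }   # baseline file
    {
      p = substr($0, 67); seen[p] = 1
      if (!(p in old))       print "added " p
      else if (old[p] != $1) print "modified " p
    }
    END { for (p in old) if (!(p in seen)) print "removed " p }
  ' "$old" "$new" | sort)
  rm -f "$new"
  [ -z "$changes" ] && return 0
  printf '%s\n' "$changes"
  return 1
}

# Usage (assumed paths). Keep the manifest outside every web root so a
# compromised site cannot rewrite its own baseline:
#   sh phpwatch.sh /var/lib/phpwatch/manifest /home
# crontab entry that mails only when something changed:
#   0 * * * * sh /usr/local/bin/phpwatch.sh /var/lib/phpwatch/manifest /home > /tmp/phpwatch.out || mail -s "PHP files changed" admin@example.com < /tmp/phpwatch.out
if [ $# -eq 2 ]; then
  if [ -f "$1" ]; then
    diff_manifest "$1" "$2"
  else
    accept_baseline "$1" "$2" && echo "baseline written to $1"
  fi
fi
```

Because the baseline is only accepted by hand, a modified file keeps showing up in every hourly report until you have looked at it, which is the behaviour you want from a last line of defence. Hashing rather than relying on mtime matters here: attackers routinely reset timestamps on files they touch.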
Is there an upload feature in your WordPress? If so, the above .htaccess can protect against uploaded PHP files being executed.
# <Directory> is not permitted inside a .htaccess file (Apache rejects the
# file with a 500 error), so this block belongs in the main server or
# virtual-host configuration.
<Directory {full-path-to-upload-dir}>
Order Deny,Allow
Deny from All
</Directory>
The above will prevent anything from being executed in the upload dir, and also prevent any malware from spreading.
If you are not expecting anything in the upload dir, then you should investigate the root cause of the files being uploaded.
Start by stripping down plugins.
Make sure that you have an offsite backup.