Website developers often leave unfinished installations of WordPress on their servers. This makes it very easy for attackers to gain control over those new installations. Attackers can take over not only the WordPress website but also the entire hosting cluster associated with it. This is known as the WPSetup attack. The WPSetup attack targets fresh installations of WordPress, which allows attackers to obtain admin access and execute malicious PHP code on the victim's web server.
How the WPSetup Attack Works
There are several ways to install WordPress. You can uncompress the ZIP archive into a directory and upload it to your hosting account via FTP. Many hosting providers also offer to install various web applications for you, and often provide a one-click install so that the customer can install web applications directly from the hosting account's web panel.
At this point, even though the base WordPress files are installed, there is no configuration file yet; it still needs to be created. New versions of WordPress walk you through creating this file.
If the setup steps of a new WordPress installation are not completed immediately, an attacker looking for fresh WordPress installations can use your new installation files to compromise your website and take full control over the databases hosted on the target website's web hosting.
How an Attacker Using the WPSetup Attack Gains Full Control of Your Hosting Account
Once an attacker has finished creating an admin account through the unfinished WordPress installation running on the victim's hosting account, they can execute malicious PHP code and install various rootkits to gain full control over the main server cluster that the target website is hosted on. Attackers can also add file droppers and keyloggers, and can even inject third-party advertisements into the victim's website.
How Attackers Execute PHP Code
Attackers use various methods to execute malicious PHP code on the target web server. These include editing the code of themes and plug-ins from the WordPress administrative interface to insert malicious PHP code; this allows attackers to compromise the target website and run their PHP code every time a visitor loads the target website.
If an attacker has gained administrative access to a WordPress website, they can upload and install plug-ins containing any PHP code. By embedding PHP code into a standard WordPress plug-in, or by creating a custom plug-in, attackers can run arbitrary PHP code on the target web server just by activating the plug-in. Attackers can also trick third-party websites into running the same malicious plug-in.
Read more on how attackers target WordPress websites using malicious plug-ins: Hacking WordPress Website with Malicious Plug-in
How Attackers Find Unfinished Installations of WordPress
The setup URL that new installations of WordPress use during the install process (/wp-admin/setup-config.php, as in the dork below) can be found by anyone using widely available search-engine dorks. A site that still exposes this setup page has had WordPress installed recently on its web server but not yet fully configured. This makes it very easy for attackers to gain control not only over the new WordPress installation but also over the entire hosting account associated with it.
Google Dork: inurl:"/wp-admin/setup-config.php" intitle:"Setup Configuration File"
Preventing WPSetup Attack
Before installing a fresh copy of WordPress, create a .htaccess file in the web hosting main directory and edit it so that it contains the following:
order deny,allow
deny from all
allow from <your ip>
Replace '<your ip>' with your own IP address.
This sets rules ensuring that only the whitelisted IP address can access the WordPress website while it is being installed. This prevents attackers, or anyone who happens to stumble upon the WordPress website during installation, from completing the setup steps and compromising the site's hosting cluster.
Once the installation of WordPress is complete, you can remove the .htaccess rule and allow visitors from around the world to access your WordPress website.
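As an added example (not part of the original post), a POSIX shell helper that writes the guard above into the site's document root only while wp-config.php is still absent, and removes it once setup has finished. It assumes Apache and adds the Apache 2.4 "Require ip" form alongside the page's Order/Deny/Allow rules, which Apache 2.4 only accepts when mod_access_compat is loaded; the directory and the allowed IP are assumed to be supplied by the caller.

```sh
#!/bin/sh
# Added example, not from the original post: guard an unfinished WordPress
# install with an IP allow-list .htaccess for as long as wp-config.php is
# missing, i.e. while the setup wizard is still reachable.
# Assumptions: Apache with mod_authz_core (2.4) or mod_access_compat (2.2
# syntax); DOCROOT and ALLOWED_IP come from the caller (IPv4 or IPv4 CIDR).

# write_setup_guard DOCROOT ALLOWED_IP
# Returns 0 when a guard was written, 1 when wp-config.php already exists
# (setup is finished, so no guard is needed), 2 on bad arguments.
write_setup_guard() {
    docroot="$1"
    allowed_ip="$2"
    [ -d "$docroot" ] || return 2
    # Reject anything but digits, dots and a CIDR slash so a typo cannot
    # produce a rule that locks out everyone or, worse, allows everyone.
    case "$allowed_ip" in
        *[!0-9./]*|"") return 2 ;;
    esac
    if [ -f "$docroot/wp-config.php" ]; then
        return 1
    fi
    cat > "$docroot/.htaccess" <<EOF
# Temporary guard: only the installer's IP may reach the site until setup is done.
<IfModule mod_authz_core.c>
    Require ip $allowed_ip
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from $allowed_ip
</IfModule>
EOF
}

# remove_setup_guard DOCROOT
# Drops the guard once wp-config.php exists; returns 1 if setup is not done yet.
remove_setup_guard() {
    docroot="$1"
    [ -f "$docroot/wp-config.php" ] || return 1
    rm -f "$docroot/.htaccess"
}
```

The guard answers every non-allowed client with 403 until the installer finishes and remove_setup_guard is run, at which point the site can be opened to everyone.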
Read also: DEFCON 25, Hanno Boeck, Abusing Certificate Transparency Logs