Botnet blasts WordPress sites with configuration download attacks
Security researchers at WordFence, a company that’s focused on securing WordPress, have reported a burst of old-school attacks that are after your WordPress configuration data.
In a default installation of WordPress, whether you’ve installed it yourself or are using a hosted service, the configuration file wp-config.php should be off limits to outsiders.
That’s just as well, given how WordPress itself describes the file:
One of the most important files in your WordPress installation is the wp-config.php file. This file is located in the root of your WordPress file directory and contains your website’s base configuration details, such as database connection information.
Given that any PHP code you put into wp-config.php will run every time your website handles a request, it’s an obvious target for attackers to modify, but it’s also a sought-after gift to cybercrooks if they can access it at all.
Normal WordPress requests received from outside are constrained to the part of your WordPress installation where your site data lives, so in theory it’s impossible to construct a URL that reaches “across and upwards” from the directory that holds your public data into the directory that holds your site’s configuration files and internal data.
WordPress itself goes out of its way to recognise maliciously constructed URLs that try to trick the system into visiting unexpected parts of the filing system, and so-called directory traversal exploits are rare these days.
But if you have a forgotten plugin or a neglected WordPress theme installed, the code in it might contain a bug that allows an attacker to read prohibited files anyway, for example by tricking a plugin into including confidential content in a reply that it constructs.
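As an added illustration (not code from the article or from Wordfence), here is a small Python log scanner that flags requests aimed at wp-config.php, including ones hidden behind single or double percent-encoding or a ".." traversal smuggled through a plugin parameter, and separates the ones the server actually answered with 200 from the ones it refused. The log lines and the plugin name "exampleplugin" are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "GET /wp-content/plugins/exampleplugin/get.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2911 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jan/2024:10:00:04 +0000] "GET /wp-content/plugins/exampleplugin/get.php?file=%252e%252e%2fwp-config.php HTTP/1.1" 200 2911 "-" "python-requests/2.31"
192.0.2.9 - - [10/Jan/2024:10:00:05 +0000] "GET /index.php?p=42 HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
"""

# Pulls client IP, request target and status code out of one combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(s, max_rounds=5):
    """Undo percent-encoding until it stops changing, so %252e (double-encoded '.') is seen."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def is_config_probe(target):
    """True if the decoded target names wp-config.php or contains a '../' traversal step."""
    decoded = fully_decode(target).replace("\\", "/").lower()
    return "wp-config.php" in decoded or "../" in decoded

def scan_log(text):
    """Return (ip, status, decoded_target) for every request that looks like a config probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_config_probe(m["target"]):
            hits.append((m["ip"], int(m["status"]), fully_decode(m["target"])))
    return hits

def likely_leaks(hits):
    """Probes the server answered with 200 deserve first attention: the file may have been served."""
    return [h for h in hits if h[1] == 200]

if __name__ == "__main__":
    for ip, status, target in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

A 403 for a direct /wp-config.php request shows the web server doing its job; a 200 for a traversal path through a plugin script is the case the article warns about and is worth checking against the plugin's own code.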