SCSIraidGURU’s World


Current version: 5.2

WordPress 5.1 CSRF to Remote Code Execution

Last month we released an authenticated remote code execution (RCE) vulnerability in WordPress 5.0. This blog post reveals another critical exploit chain for WordPress 5.1 that enables an unauthenticated attacker to gain remote code execution on any WordPress installation prior to version 5.1.1.

I decided to allow WordPress to upgrade itself to the latest version.  I just go into it to do the plugins.

My two WordPress servers are now on Ubuntu 16.04.6. I have upgraded to the latest LAMP components that you can read about on the Ubuntu pages. I am on the latest version of WordPress. This mainly affects my main webpage with videos of my children. These files can be huge.

upload_max_filesize = 768M
post_max_size = 768M
memory_limit = 768M
max_execution_time = 300

I have installed many plugins on the various web sites from conditional menu, WP Fastest cache, wordpress https, and others.

How did I repoint www to wp for my web sites?

On Godaddy DNS, I set up A records for wp and www pointing to my ISP IP address.

In the etc/https/sites-available/  conf files I added

ServerAlias *
Redirect "/" ""

The ServerAlias is the old www address.  The redirect points to the new SSL server address.   The redirect is much faster now since it happens in the website itself. 
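The redirect described above, written out as a complete pair of Apache 2.4 virtual hosts. This is an added example, not the configuration from this site: the domains, the document root and the certificate paths are placeholders, and the old www name is sent with a permanent (301) redirect so browsers and search engines stop asking for it.

```apache
# Added example (not the site's own config). All hostnames and paths are placeholders.

# Old address: answers on plain HTTP and sends everything to the SSL host.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    # "permanent" = HTTP 301; the request path is appended to the target,
    # so /photos/ becomes https://wp.example.com/photos/
    Redirect permanent "/" "https://wp.example.com/"
</VirtualHost>

# New address: the WordPress site itself, served only over TLS.
<VirtualHost *:443>
    ServerName wp.example.com
    DocumentRoot /var/www/wp.example.com

    SSLEngine on
    # Certificate files as issued by the CA (placeholder paths)
    SSLCertificateFile      /etc/ssl/certs/wp.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/wp.example.com.key
    SSLCertificateChainFile /etc/ssl/certs/ca-bundle.crt

    <Directory /var/www/wp.example.com>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

Run `apache2ctl configtest` before reloading, and check the redirect with `curl -I http://www.example.com/photos/`; the response should be a 301 with a `Location:` header pointing at the https host and the same path.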

Building the WordPress server was not an easy task. 

Installing LAMP (Linux, Apache, MySQL, and PHP) was a pain. I wanted to start with the latest versions of MySQL/MariaDB and PHP. You can see that information on other pages on this site.

Next, because wp-admin and wp-login can't be blocked from the internet without a $300 a year WP firewall plugin, I needed to buy a Godaddy cert for each web site and set up my firewall to do SSL inspection along with locking down the ports to it. I am still trying to lock it down so only a VPN connection inside the firewall can access it.

I needed to install CentOS 7 64-bit and make sure /var/www had enough space for the 4 web sites. WordPress is a space hog. The Media Library creates 12 copies of each picture you upload to it. Next, it stores them in year/month format. So I used the Add from Server plugin to upload my children's pictures based on the actual date. My web site is 15% larger than before. The media library did it.

I have hundreds of videos of my children. I ended up placing them in a directory by year and date for uploading and placing direct links on the pages for them. Embedding videos in WordPress will cause performance issues.
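As an added example (not this site's configuration), here is one way to restrict the login page and the admin area to a VPN address range at the web server, which is the lock-down the paragraph above is working toward. It uses the Apache 2.4 `Require` syntax shipped with Ubuntu 16.04; the VPN subnet and the document root are placeholders.

```apache
# Added example (not the site's own config). 10.8.0.0/24 and the path are placeholders.
# Drop this inside the :443 VirtualHost for the WordPress site.

# Only the VPN subnet may reach the login form.
<Files "wp-login.php">
    Require ip 10.8.0.0/24
</Files>

# Same for the dashboard, with one exception below.
<Directory "/var/www/wp.example.com/wp-admin">
    Require ip 10.8.0.0/24

    # admin-ajax.php is called by front-end themes and plugins for ordinary
    # visitors; blocking it breaks galleries and forms, so it stays public.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</Directory>
```

After `apache2ctl configtest` and a reload, a request for `/wp-login.php` from outside the VPN range gets a 403, while the same request from a VPN client gets the normal login page. Because XML-RPC also accepts credentials, the same `<Files>` treatment can be applied to `xmlrpc.php` if nothing on the site needs it.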

WordPress is slower than HTML/CSS for page loading. It uses PHP. Much slower. I tossed 4 vCPUs and 8GB of RAM at it. It uses 340 MB of RAM. I am going to buy a cache plugin to see if it helps. The only benefit of WordPress so far is how fast you can create pages and image galleries. Elementor and Conditional Menu plugins do help. Much of this slowness was CentOS 7.5. Check the Linux pages for how I migrated it off of CentOS onto Ubuntu.

The Ubuntu WordPress server still needs the Godaddy SSL certificate to be able to start building websites on it.  I am creating a web site and moving all the family stuff off to it.   I moved it to the Ubuntu server to split the load up between the two VMWare datastores on my HP DL360e Gen8 server.   I used JAlbum for most of this content.  So moving and linking it will be easier than recreating the media library.

Creating and organizing the pages in WordPress took some thought. Each of the 4 websites has different needs. The menus needed to work better on mobile devices. Pictures for our family web sites needed to be better organized. My brother's web site needed to cover every aspect of his work. My political blog page has pictures I cut and paste to Facebook. I also cut and paste what I have written and paste that to Facebook.

My WordPress servers started out on CentOS 7.5 and Ubuntu 16.04. You can read about this on the Linux and Ubuntu pages. This page will cover WordPress, Elementor, Gutenberg, and my plugins.
