SCSIraidGURU’s World

WordPress 5.1 CSRF to Remote Code Execution

Last month we released an authenticated remote code execution (RCE) vulnerability in WordPress 5.0. This blog post reveals another critical exploit chain for WordPress 5.1 that enables an unauthenticated attacker to gain remote code execution on any WordPress installation prior to version 5.1.1.

I decided to allow WordPress to upgrade itself to the latest version.  I just go into it to do the plugins.

Implementing WordPress Security Keys & Salts (and Generating Your Own) in 2019

I have been hardening down my Fortinet firewall and WordPress servers. I moved the wp-config.php file and added an include into the one on each web site for the new location. I added the security keys and salts to the moved wp-config.php file for all the web sites. I changed all the SQL passwords for each site. I changed the .htaccess to stop browsing. I added some plugins for brute force login attacks. I removed the webalizer servers, logs, and other etc files from the servers. I removed other directories and files that are no longer needed and could pose an issue to security. I changed all files to chmod 644. Directories are 755. I keep all the LAMP components up to date and check weekly. I keep the WordPress components up to date like themes, plugins, etc. The Fortinet firewall has web filter blocks for wp-admin and other private directories.

.htaccess

I have two .htaccess files: one in the web site base folder and one in wp-admin to stop access to it.

Base folder: you can add Options -Indexes to stop browsing.

WP-Admin folder: I add Require ip xxx.xxx.xxx.xxx for each IP I want to access this folder. I will add external IP addresses from work, and I add the server IP for Health Check to loopback. You also add these into /etc/hosts or your Windows hosts file.

How did I repoint www to wp for my web sites?

On Godaddy DNS, I setup A records for wp and www pointing to my ISP IP address.

In the etc/https/sites-available/  conf files I added

ServerName wp.scsiraidguru.com
ServerAlias www.scsiraidguru.com scsiraidguru.com *.scsiraidguru.com
Redirect "/" "https://wp.scsiraidguru.com/"

The ServerAlias is the old www address.  The redirect points to the new SSL server address.   The redirect is much faster now since it happens in the website itself. 

Both WordPress servers have been duplicated and moved to Ubuntu 18.04.3 and latest components.   I then upgrade Ubuntu with LTS Enablement for the kernel updates. 

I add the repository for Digital Ocean MariaDB, PHP 7.3.x, Apache 2.4.x. I install phpMyAdmin's latest version after installing the base product in Ubuntu. phpMyAdmin is a quick way to create the WordPress databases and user for each web site. I have pages dedicated for each of these. I copy in The Hacker News bug reports on all the components I use. It is best to stay on the latest components for WordPress.

Here is how I set the rights for directory and file for WordPress sites.  I could use wildcards but chose to use types. 

sudo find /var/www -maxdepth 10 -type d -exec chmod 755 {} \;
sudo find /var/www -maxdepth 10 -type f -name "*.jpg" -exec chmod 644 {} \;
sudo find /var/www -maxdepth 10 -type f -name "*.jpeg" -exec chmod 644 {} \;
sudo find /var/www -maxdepth 10 -type f -name "*.JPG" -exec chmod 644 {} \;
sudo find /var/www -maxdepth 10 -type f -name "*.ORF" -exec chmod 644 {} \;
sudo find /var/www -maxdepth 10 -type f -name "*.xmp" -exec chmod 644 {} \;
sudo find /var/www -maxdepth 10 -type f -name "*.mp4" -exec chmod 644 {} \;
sudo find /var/www -maxdepth 10 -type f -name "*.php" -exec chmod 644 {} \;
sudo find /var/www -maxdepth 10 -type f -name "Thumbs.db" -exec chmod 644 {} \;
sudo find /var/www -maxdepth 10 -type f -name ".htaccess" -exec chmod 644 {} \;
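As an added example (not the author's own commands), the same 755/644 pass written as a script that covers every file type in one go, plus an audit function that reports drift from that baseline. It assumes a Linux host with GNU find and chmod and takes the web root as its argument.

```shell
#!/bin/sh
# Added example, not the author's script: one pass that does what the
# per-extension find/chmod lines above do, plus an audit for drift.
# Assumes a Linux host with GNU find/chmod and that $1 is the web root
# (/var/www on this page's servers); run it with sudo on a real server.

# Directories 755, every regular file 644 whatever its extension, so a
# file type that is not on the extension list cannot be missed.
harden_wp_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Report anything that has drifted from that baseline:
#   - group- or world-writable paths (a plugin or backup can leave these)
#   - regular files with an execute bit (PHP under Apache needs none)
#   - .php files under wp-content/uploads, which should hold media only
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_wp_perms() {
    root="$1"
    findings=$(
        find "$root" \( -perm -g+w -o -perm -o+w \) \
            -exec printf 'writable %s\n' {} \;
        find "$root" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) \
            -exec printf 'executable %s\n' {} \;
        if [ -d "$root/wp-content/uploads" ]; then
            find "$root/wp-content/uploads" -type f -name '*.php' \
                -exec printf 'php-in-uploads %s\n' {} \;
        fi
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

Run audit_wp_perms from cron or after plugin updates; a non-zero exit is the signal that something changed the layout the harden pass set.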

WordPress Health Check plugin

Health Check said these two components were missing.  fpm had some errors too.

sudo apt-get install php7.3-bcmath
sudo apt-get install php7.3-imagick

I ran the commands below, in various orders, to fix fpm.

NOTICE: a2enmod proxy_fcgi setenvif
NOTICE: a2enconf php7.3-fpm

sudo apt purge libapache2-mod-php7.3 libapache2-mod-php
sudo apt install libapache2-mod-php7.3 libapache2-mod-php

After I fixed these errors, I ran update and dist-upgrade again to get the latest versions. 
