WordPress Security: How to Secure Your Upload Scripts and How Hackers use Google to find Vulnerable Sites.

This week we’ve seen two new exploits hit the wild, one in the Ghost commercial theme and another in WP-Mailinglist. Both exploit the Uploadify library, which is included with these products, and use it to upload malicious scripts or data to websites.

We’ve seen exploits for several years now that take advantage of various upload libraries. Configured correctly, upload libraries can be a useful tool. The problem is that some plugins and themes include these libraries by default, even if a site owner has no intention of uploading files to their site.

So in this alert we’re recommending that you do an audit of your site, in particular your active WordPress theme, and check if any upload library or functionality exists in your theme.

Theme authors seem to put upload libraries in subdirectories titled ‘includes/’, ‘libs/’, ‘vendors/’ and so on. For example the Ghost theme puts Uploadify in "includes/uploadify" and the WP-Mailinglist plugin puts it in a subdirectory of the plugin called "vendors/uploadify".

We recommend that you use cPanel’s File Manager, your FTP client, or whatever utility your host provides to explore your website’s directory structure: browse through your active theme’s subdirectories and check whether there is anything that looks like an upload library. You can find your active theme’s files in wp-content/themes/your-theme-name/.

Upload libraries include "SWFUpload", "HTTP_Upload", "class.upload.php", "Uploadify" and "jQuery-file-upload". If you find anything that looks like an upload library and you’re not ever uploading files to your website, drop the theme maker a polite email and ask them how to disable upload functionality completely to help secure your site.

Be careful not to simply delete the upload library: if other files in the theme depend on it, the theme may break when they can no longer find it.
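If you have SSH access, the same audit can be scripted. The following is an added example (not code from the original alert or from Wordfence) that walks every theme and plugin under wp-content and reports file or directory names matching the upload libraries listed above; the UPLOAD_LIBS list, the function names and the wp-content path argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the Wordfence alert. Scans WordPress theme
# and plugin directories for the upload libraries named in the alert.
# Only POSIX sh and find are used, so it runs over SSH on most hosts.

# Library names from the alert, matched case-insensitively as substrings
# of file and directory names (assumed list; extend it as needed).
UPLOAD_LIBS="swfupload http_upload class.upload.php uploadify jquery-file-upload"

# find_upload_libs DIR
# Prints every path under DIR whose name contains one of the library
# names. Returns 0 if anything matched, 1 if the directory looks clean.
find_upload_libs() {
    dir=$1
    matches=$(for lib in $UPLOAD_LIBS; do
        find "$dir" -iname "*${lib}*" 2>/dev/null
    done)
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
}

# audit_wp_content WP_CONTENT_DIR
# Runs find_upload_libs over each theme and plugin under wp-content and
# reports the ones that bundle an upload library. Returns 0 if nothing
# was flagged, 1 if at least one theme or plugin needs a closer look.
audit_wp_content() {
    flagged=0
    for d in "$1"/themes/* "$1"/plugins/*; do
        [ -d "$d" ] || continue
        if hits=$(find_upload_libs "$d"); then
            flagged=$((flagged + 1))
            printf 'Upload library found in %s:\n%s\n' "$d" "$hits"
        fi
    done
    [ "$flagged" -eq 0 ]
}

# Usage: sh audit_uploads.sh /path/to/wp-content
if [ "$#" -gt 0 ]; then
    audit_wp_content "$1"
fi
```

A match only tells you the library is present, not that it is exposed; as the alert says, ask the theme or plugin author how to disable it rather than deleting files.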

Now some security trivia: Did you know that hackers find vulnerable sites by using something called a "Google Dork"? It’s a crafted search that exposes websites running a vulnerable theme, plugin or application in the Google search results. A recent example of this is the Ghost theme vulnerability I mentioned above. In the exploit that has been published online, hackers include a Google Dork to find websites running this theme. In the case of Ghost, hackers use the following crafted search to find vulnerable sites:


As you can see the above search yields about 20,000 results, enough to keep a hacker busy probing sites for quite some time.

Have an awesome Halloween and a spectacular weekend!!

If you found this alert helpful, please give us a 5 star rating on WordPress.org on the right of the page.

Mark Maunder
Wordfence Creator & Feedjit Inc. CEO.

PS: If you aren’t already a member you can subscribe to our WordPress Security and Product Updates mailing list here. You’re welcome to republish this email in part or in full provided you mention that the source is www.wordfence.com. If you would like to get Wordfence for your WordPress website, simply go to your "Plugin" menu, click "add new" and search for "wordfence".