TrustWave recently published a zero-day exploit that allows a remote attacker to take control of a WordPress website and upload malicious content, which can then be used to attack visitors to the site or the server hosting it. All versions of WordPress, including the current 3.3.1, are reported to be vulnerable. Small blogs and other websites running WordPress have recently been found hosting malware, and some researchers consider this exploit a likely cause. In the vendor's defense, WordPress has disputed the significance of the exploit and states that only an incomplete WordPress installation is exploitable. Other researchers have indicated that directories containing backups of a site may also be exploitable.
Due to the relative ease of mitigating this vulnerability, all WordPress users should take heed and follow the fix outlined below.
It is common practice to rename or remove the default install.php file found in the wp-admin directory, and most WordPress security scanners will detect whether the installer file has been removed. This exploit, however, uses the setup-config.php resource file, which is often overlooked.
The long and short of it is: if you run a WordPress blog or website, make sure you rename or remove both install.php and setup-config.php once installation of the site is complete, and again any time a WordPress update is installed (the update process may replace or recreate these files). A more permanent, though more technical, solution is to block access to the wp-admin directory from internet IP addresses using Apache directory permissions or a web application firewall.
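The two steps above, as an added example that is not part of the original post and not WordPress's own tooling: a POSIX shell function that removes install.php and setup-config.php from a WordPress root's wp-admin directory and writes an Apache 2.4 `Require ip` allow-list for wp-admin. The function names (`harden_wp_installers`, `count_live_installers`) and the network 192.0.2.0/24 are assumptions chosen for illustration; the .htaccess approach also assumes the server's `AllowOverride` permits authorization directives (otherwise put the same `Require ip` line in a `<Directory>` block in httpd.conf).

```shell
#!/bin/sh
# Added example (not from the original post or from WordPress).
# harden_wp_installers WP_ROOT [ADMIN_CIDR]
#   - deletes wp-admin/install.php and wp-admin/setup-config.php
#   - writes wp-admin/.htaccess restricting the directory to ADMIN_CIDR
# Run it after every WordPress install or update, since updates recreate the files.
harden_wp_installers() {
    wp_root="$1"
    # 192.0.2.0/24 is a constructed placeholder; replace with your admin network.
    admin_cidr="${2:-192.0.2.0/24}"
    removed=0

    for f in install.php setup-config.php; do
        target="$wp_root/wp-admin/$f"
        if [ -f "$target" ]; then
            # Delete rather than rename to e.g. install.php.disabled: with
            # AddHandler-based PHP setups Apache can still treat a file whose
            # name contains ".php" as PHP, so removal is the safer choice.
            rm -f "$target"
            echo "removed: $target"
            removed=$((removed + 1))
        fi
    done

    # Apache 2.4 syntax: only the listed network may reach anything under wp-admin.
    cat > "$wp_root/wp-admin/.htaccess" <<EOF
# Restrict wp-admin to the administrative network (Apache 2.4)
Require ip $admin_cidr
EOF

    echo "$removed installer file(s) removed from $wp_root/wp-admin"
    return 0
}

# count_live_installers WP_ROOT
#   prints how many of the two installer files still exist (0 is the goal)
count_live_installers() {
    n=0
    for f in install.php setup-config.php; do
        [ -f "$1/wp-admin/$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage: sh harden.sh /var/www/html 203.0.113.0/24
if [ "$#" -ge 1 ]; then
    harden_wp_installers "$@"
    echo "installer files still present: $(count_live_installers "$1")"
fi
```

Run it against the document root after each install or update and re-run the count check afterwards; a result other than 0 means an update has restored one of the files. Note that blanket IP restriction on wp-admin also blocks wp-admin/admin-ajax.php, which some themes and plugins call from the public front end, so test the site from outside the allowed network after applying it.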