Protection against WordPress “Pagelines” and “Platform” theme security bugs

Posted January 22nd, 2015 in Tech Corner. Tags: , , .

The researchers at Sucuri yesterday announced that they’ve discovered a critical security bug in the widely used Pagelines/Platform WordPress themes. If you use one of these themes or their many derivatives, “hackers” can easily take over your site unless you update the theme.

Since many of our customers use these themes, so we’ve added security rules to block attacks even if you haven’t updated. And we’re glad we did: our logs show that a large Chinese botnet started attacking every WordPress site we host last night, in alphabetical order (they’re currently up to domain names starting with “e”), testing whether each site is vulnerable to the bugs.

We’re again surprised to see how many customers are using versions of these themes that haven’t been updated in years. I know we sound like a broken record, but when WordPress offers to update something you’ve installed, you must update it if you want your site to stay secure.

Can I see the mod_security rules?

Although our customers are fully protected, we’re often asked to share our mod_security rules when we post something like this. If you’re the technical person running a server for other people who use unpatched Pagelines/Platform themes, these rules should stop the attacks:

# Ensure that if GET or POST data "action=pagelines_ajax_save_option",
# any "option_name" parameter is only "pl_section_desc_toggle"
SecRule ARGS:action "^pagelines_ajax_save_option$" "deny,auditlog,chain"
SecRule ARGS:option_name "!^pl_section_desc_toggle$"
#
# Block all requests where "page=pagelines" and "settings_upload=settings"
SecRule ARGS:page "^pagelines$" "deny,auditlog,chain"
SecRule ARGS:settings_upload "^settings$"

The second rule is not perfect because it also blocks legitimate settings uploads, causing false positives. However, our logs show that malicious uses of this “feature” are vastly more likely than legitimate uses.

Update March 4: We’ve seen some new attacks mixing these parameters in GET and POST, so we changed the original “ARGS_POST:” we recommended to “ARGS:”.

  1. Recent Posts

    1. PHP versions 8.2.17 and 8.3.4
    2. President’s Day 2024 holiday hours
    3. PHP versions 8.1.27 and 8.2.15
    4. Martin Luther King, Jr. Day 2024 holiday hours
    5. New Year’s 2024 Holiday Hours
    6. Christmas 2023 Holiday Hours
    7. Brief scheduled maintenance December 16-17, 2023
    8. Thanksgiving 2023 Holiday Hours
    9. PHP versions 8.1.25 and 8.2.12
    10. PHP versions 8.1.24 and 8.2.11

  2. Categories

  3. Tags

    all servers email holiday hours linux mailman maintenance mod_security mysql network php phpmyadmin security server updates spam ssl status updates webmail wordpress zapp

  4. Feeds