WordPress 2.8.6 security update

If you use WordPress blog software on your site, be sure to upgrade to WordPress 2.8.6. The upgrade contains important security fixes. Upgrading is usually easy with the built-in WordPress “update now” feature.

Although all WordPress users should upgrade, we’ve added security rules to our servers to protect our Web hosting customers who haven’t yet upgraded. Other people may find the rules useful if they use mod_security on Apache Web servers. The rest of this post contains more technical details.

Surprising Apache script behavior

One of the fixes in WordPress 2.8.6 compensates for a peculiar and surprising feature (or bug, if you prefer) in the Apache Web server: in many cases, it will run a file with a name like “image.php.jpeg” as a PHP script. The reason is that Apache’s mod_mime looks at every dot-separated part of a file name, not only the last one. If “.php” is mapped to the PHP handler in the usual way (AddHandler or AddType), the “.php” in the middle of “image.php.jpeg” is enough to select it, even though the name ends in “.jpeg”. Servers that attach the PHP handler only to names that actually end in “.php” (for example with a FilesMatch block and SetHandler) are not affected, which is why this happens “in many cases” rather than always.

Some software (like WordPress 2.8.5 and earlier) can be configured to allow strangers to upload JPEG and other files to your site, but it checks only the final extension (“.jpeg”) to decide whether the uploaded file is safe. So an attacker could upload a malicious PHP script named “image.php.jpeg”, then “view the image” in a Web browser… and the server would actually run the PHP script, with whatever privileges the Web server process has.

Because of that, we’ve added a mod_security rule that denies requests for file names that end in one of the allowed upload extensions but also contain a “.php” (or “.php4”, “.php5”, “.php6”) component before it. (There are other possible solutions, but testing has shown this is the least intrusive to our existing customers.) Note that the rule blocks the request; it does not remove an already uploaded file, so if you find such a file in an uploads directory, treat it as a successful intrusion attempt and investigate.

Here’s a mod_security rule that accomplishes that (adjust the extensions to suit your taste; these are the WordPress 2.8.5 allowed extensions). The leading “(?i)” makes the match case-insensitive: Apache matches extensions case-insensitively, so a rule that only knows lowercase “.php” would let “image.PHP.jpeg” through and the server would still run it.

SecRule REQUEST_FILENAME "(?i)\.php[456]?\.(asf|asx|avi|bmp|gif|ico|jpe|jpeg|jpg|png|tif|tiff|wax|wmv|wmx)$" "deny,status:412,auditlog"
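To make the “two extensions” problem concrete, here is an added example (not code from the original post, WordPress or Apache) that models three things in Python: how mod_mime picks a handler from a multi-part file name, the 2.8.5-style check that looks only at the last extension, and one conservative replacement check that accepts exactly one extension. It also runs the rule above, as a Python regex, against the path a visitor would request. The PHP handler extensions, the “/wp-content/uploads/” directory and the sample file names are assumptions for illustration; the hardened check is stricter than the fix WordPress itself shipped and is shown only to make the contrast clear.

```python
import re

# Assumed for illustration: the extensions an Apache config such as
# "AddHandler php5-script .php .php4 .php5 .php6" hands to the PHP engine.
PHP_HANDLER_EXTENSIONS = {"php", "php4", "php5", "php6"}

# The WordPress 2.8.5 upload allow-list quoted in the post.
ALLOWED_UPLOAD_EXTENSIONS = {
    "asf", "asx", "avi", "bmp", "gif", "ico", "jpe", "jpeg", "jpg",
    "png", "tif", "tiff", "wax", "wmv", "wmx",
}

# The post's mod_security pattern as a Python regex; IGNORECASE plays the
# role of the (?i) prefix in the rule.
MODSEC_PATTERN = re.compile(
    r"\.php[456]?\.(asf|asx|avi|bmp|gif|ico|jpe|jpeg|jpg|png|tif|tiff|wax|wmv|wmx)$",
    re.IGNORECASE,
)


def apache_runs_as_php(path: str) -> bool:
    """Model of mod_mime's multiple-extension handling: every dot-separated
    component after the base name is a candidate extension, a handler mapped
    to any of them wins, and extension matching is case-insensitive."""
    name = path.rsplit("/", 1)[-1]
    components = name.lower().split(".")[1:]       # drop the base name
    return any(c in PHP_HANDLER_EXTENSIONS for c in components)


def vulnerable_upload_check(name: str) -> bool:
    """The WordPress 2.8.5-style check: only the final extension is inspected,
    so 'image.php.jpeg' looks exactly like 'image.jpeg'."""
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1].lower() in ALLOWED_UPLOAD_EXTENSIONS


def hardened_upload_check(name: str) -> bool:
    """One conservative fix (not WordPress's own patch): accept only names
    with exactly one extension, and that extension on the allow-list. Then
    there is never an earlier component for mod_mime to act on."""
    base, dot, ext = name.rpartition(".")
    if not dot or not base or "." in base:
        return False
    return ext.lower() in ALLOWED_UPLOAD_EXTENSIONS


def modsec_blocks(request_filename: str) -> bool:
    """Does the post's rule deny a request for this REQUEST_FILENAME?"""
    return MODSEC_PATTERN.search(request_filename) is not None


def evaluate(name: str) -> dict:
    """Run every check on one uploaded file name and report the outcome."""
    served_path = "/wp-content/uploads/" + name      # assumed upload directory
    return {
        "name": name,
        "old_check_accepts": vulnerable_upload_check(name),
        "new_check_accepts": hardened_upload_check(name),
        "apache_executes": apache_runs_as_php(served_path),
        "modsec_blocks": modsec_blocks(served_path),
    }


# Constructed sample file names: benign uploads and the bypass variants.
SAMPLE_NAMES = ["photo.jpeg", "image.php.jpeg", "image.PHP.JPEG",
                "backdoor.php5.gif", "shell.php", "archive.tar.gz"]

if __name__ == "__main__":
    for row in map(evaluate, SAMPLE_NAMES):
        print(row)
```

The interesting rows are “image.php.jpeg” and “image.PHP.JPEG”: the old check accepts both, Apache would execute both, and the rule blocks both only because it matches case-insensitively. “archive.tar.gz” shows the cost of the stricter check: legitimate multi-dot names are refused too, which is the trade-off to weigh against a rule that just denies the dangerous combinations at request time.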

WordPress brute force attacks

Another recently reported attack against WordPress (which is unrelated to version 2.8.6 in particular) involves “brute force” attempts to guess the administrator password. The proper solution is to choose a good password for your blog (not a word from the dictionary!), but some people don’t do that.

To reduce the risk of successful attacks against our customers, we limit each IP address to roughly 25 “wp-login.php” attempts within a five minute period: the counter goes up by one on every login POST and drains by 5 every 60 seconds. Here’s how you can do that with mod_security. The rules use the persistent “ip” collection, which mod_security stores on disk, so SecDataDir must point at a directory the server can write to; the “(?i)” makes the method match case-insensitive so the rules don’t depend on a t:lowercase transformation in your SecDefaultAction:

# Load (or create) the persistent "ip" collection for this client address.
SecAction phase:1,initcol:ip=%{REMOTE_ADDR},nolog

# Count POSTs to wp-login; the counter drains by 5 every 60 seconds.
SecRule REQUEST_LINE "(?i)post .*/wp-login" "nolog,phase:1,setvar:ip.wordpress_login=+1,deprecatevar:ip.wordpress_login=5/60"

# Deny once the counter exceeds 25, but (via the chain) only for wp-login POSTs,
# so the client's other requests are still served.
SecRule IP:WORDPRESS_LOGIN "@gt 25" "deny,status:412,auditlog,chain"
SecRule REQUEST_LINE "(?i)post .*/wp-login"
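The following is an added Python model of those three rules, not code from the original post or from ModSecurity, written so you can see exactly which request in a burst gets denied and how the deprecatevar decay lets a client back in. It replays a constructed log of timestamped requests (one attacker hammering the login form, one legitimate user, the attacker returning after a pause). The decay clock is an assumption: the model subtracts 5 for every full 60 seconds since the counter last changed, which is a simplification of how ModSecurity times deprecatevar against the collection’s last update.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

THRESHOLD = 25      # "@gt 25": the 26th counted request from an IP is denied
DECAY_STEP = 5      # deprecatevar:ip.wordpress_login=5/60 ...
DECAY_PERIOD = 60   # ... subtract 5 for every 60 seconds that pass


@dataclass
class IpEntry:
    """One record of the persistent 'ip' collection (initcol:ip=%{REMOTE_ADDR})."""
    wordpress_login: int = 0
    last_change: float = 0.0   # when the counter last moved (assumed decay clock)


def deprecate(entry: IpEntry, now: float) -> None:
    """Model of deprecatevar: for every full DECAY_PERIOD elapsed since the
    counter last changed, subtract DECAY_STEP, never going below zero."""
    periods = int((now - entry.last_change) // DECAY_PERIOD)
    if periods > 0 and entry.wordpress_login > 0:
        entry.wordpress_login = max(0, entry.wordpress_login - DECAY_STEP * periods)
        entry.last_change += periods * DECAY_PERIOD


def is_login_post(method: str, path: str) -> bool:
    """The REQUEST_LINE test: a POST whose target contains /wp-login."""
    return method.upper() == "POST" and "/wp-login" in path


def handle_request(store: Dict[str, IpEntry], now: float, ip: str,
                   method: str, path: str) -> str:
    """Apply the three rules to one request and return 'allow' or 'deny'."""
    entry = store.setdefault(ip, IpEntry(last_change=now))   # initcol
    deprecate(entry, now)
    if not is_login_post(method, path):
        return "allow"          # the chained rule: only wp-login POSTs count or get denied
    entry.wordpress_login += 1  # setvar:ip.wordpress_login=+1
    entry.last_change = now
    return "deny" if entry.wordpress_login > THRESHOLD else "allow"


Event = Tuple[float, str, str, str]   # (timestamp, client ip, method, path)

# Constructed traffic: one client hammers the login form, a legitimate user
# logs in once, and the attacker returns after a long pause.
SAMPLE_EVENTS: List[Event] = (
    [(float(t), "10.0.0.5", "POST", "/wp-login.php") for t in range(30)]
    + [(30.0, "10.0.0.5", "GET", "/wp-login.php"),
       (31.0, "10.0.0.5", "POST", "/wp-admin/admin-ajax.php"),
       (35.0, "192.0.2.7", "POST", "/wp-login.php"),
       (400.0, "10.0.0.5", "POST", "/wp-login.php")]
)


def simulate(events: List[Event]) -> Tuple[List[str], Dict[str, IpEntry]]:
    """Replay time-ordered events; return per-request decisions and the final store."""
    store: Dict[str, IpEntry] = {}
    decisions = [handle_request(store, now, ip, method, path)
                 for now, ip, method, path in events]
    return decisions, store


if __name__ == "__main__":
    decisions, store = simulate(SAMPLE_EVENTS)
    for (now, ip, method, path), verdict in zip(SAMPLE_EVENTS, decisions):
        print(f"t={now:5.0f} {ip:<10} {method:<4} {path:<28} {verdict}")
    print({ip: e.wordpress_login for ip, e in store.items()})
```

Replaying the sample, the attacker’s first 25 POSTs are allowed and the next five are denied; the GET of the login page and the POST to admin-ajax from the same address are still served, because the chained rule only denies wp-login POSTs; and after six idle minutes the counter has drained to zero, so the attacker’s next attempt is allowed again. That last point is the design trade-off in the rule: the limit is a rate, not a lockout.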

This unfortunately doesn’t prevent “distributed” attacks in which many different IP addresses each submit a few password guesses, and because the counter is keyed on the client address, many users behind one NAT gateway or proxy share a single budget of attempts. Even so, it will help in many cases.

Summary

So: if you use WordPress yourself, be sure to update. And if you provide blog hosting services for others, consider adding the mod_security rules to your Apache server.

2 Comments

  1. I normally upgrade ‘all’ of my blogs the same day the upgrade is available. Anyway, thanks for the information.

  2. Very helpful, not only that you put it into place (a lot of hosting services do not go this far), but also that you explained what you did in a way that I get to learn something new. Thanks much!