WordPress Website Takeover Vulnerability

Update: WordPress has now released a fixed version (4.9.7). Install the update to ensure your websites are protected.

A newly reported security vulnerability affects all current versions of the WordPress content management system (CMS). To exploit it, an attacker needs an account with the author or editor role; with that, they can gain complete control of your website.


An attacker can exploit this vulnerability to delete arbitrary files from your server. By deleting the CMS configuration file (wp-config.php), they can re-run the WordPress installation process and make themselves the website administrator. From there they can potentially modify theme or plugin code to take over the underlying server.

Securing your WordPress Website

An official fix for the vulnerability does not currently exist (update: version 4.9.7 has since been released and fixes this vulnerability).

Several unofficial solutions are available. Cognitous recommend tightening the file system permissions on your web server. Remove write permission to the WordPress files from the web server user in order to prevent unauthorised alterations. For example, under a typical Apache installation, the www-data user should not have write permission to files under /var/www/html. Unfortunately, this will prevent the built-in auto-update feature from working.
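The following audit script is an added example, not code from the original post or from WordPress. Run it as the web server user (for instance `sudo -u www-data php wp-perm-audit.php /var/www/html`) after tightening permissions: it walks the document root and lists every path the current process can still write to. The only writable location a typical site needs is the media uploads directory, so that prefix is excluded by default; the path, the script name and the `wp_writable_paths` function are this example's own assumptions.

```php
<?php
// Added example (not from the original post). Lists paths under $root that the
// current process may write to, ignoring the allowed prefixes (uploads by default).
// Run it as the web server user so that is_writable() reflects that user's rights.

function wp_writable_paths(string $root, array $allowed = ['wp-content/uploads']): array
{
    $root = rtrim(realpath($root) ?: $root, '/');
    $findings = [];

    // A writable document root matters on its own: it lets wp-config.php be
    // recreated by the installer after the original has been deleted.
    if (is_writable($root)) {
        $findings[] = '.';
    }

    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );

    foreach ($iterator as $path => $info) {
        $rel = substr($path, strlen($root) + 1);

        $isAllowed = false;
        foreach ($allowed as $prefix) {
            if ($rel === $prefix || strpos($rel, $prefix . '/') === 0) {
                $isAllowed = true;
                break;
            }
        }

        if (!$isAllowed && is_writable($path)) {
            $findings[] = $rel;
        }
    }

    return $findings;
}

// Command-line entry point: exit status 1 when unexpected writable paths remain,
// so the check can be wired into a cron job or deployment pipeline.
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $hits = wp_writable_paths($argv[1]);
    if ($hits === []) {
        echo "No unexpected writable paths under {$argv[1]}.\n";
        exit(0);
    }
    echo "Writable by the current process:\n";
    foreach ($hits as $hit) {
        echo "  {$hit}\n";
    }
    exit(1);
}
```

Once the audit is clean, the auto-updater will be unable to write new core files, as the post notes; plan to apply WordPress updates manually (or from a deployment account that does own the files) until you restore write access.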

An alternative solution involves adding code to the functions.php file of your active theme.

Wordfence includes a fix; however, free users won’t receive it until the end of July.

Get in touch if you require advice or support in securing your WordPress website. Sign up for our mailing list to receive security tips and information to your inbox.

Technical Details

Full technical details can be found via RIPS Technologies, who reported the vulnerability privately in November 2017.