Category Archives: WordPress

Critical WP File Manager Plugin Vulnerability

The WordPress plugin File Manager contains a critical vulnerability that is actively being exploited by attackers to compromise WordPress sites. We saw a handful of these incidents on September 1st as the attacks were just starting to ramp up and a few more since then. Fortunately, in these cases the solution has been relatively simple: restore from a prior backup and delete the plugin.

This particular vulnerability has been present in the plugin since version 6.4, which was released in May. It was patched with the release of 6.9 on September 1st.

Due to the rate at which these attackers were occurring, we have proactively identified every single instance of a vulnerable version of this plugin being used on our servers and have removed it. Since this plugin merely offers a file management interface within the WordPress admin section, removing it doesn’t impact the functionality of the website. Users are welcome to re-install the latest version of this plugin if so desired.

This particular incident does bring to light an important topic though. It is best practice to use as a few plugins as possible, those that aren’t needed should be deleted (not just deactivated). There is certainly an argument to be made that a file manager plugin like this should never be installed but even if you disagree with that, there really isn’t strong justification for keeping a plugin like this installed beyond its intended use. It just allows another possible point of entry for attackers to exploit should a vulnerability be found.

Please keep this in mind as you continue to develop and secure your WordPress instances. If we can help in any way, please drop us a ticket and we’ll be happy to do so.

Beta: Dathorn WordPress Scanner

WordPress is not only the most popular script that we host, it is also most frequently targeted by attackers. While critical vulnerabilities in the WordPress core are relatively rare, they are fairly common in plugins and themes. It is important that these items are always kept updated to help prevent a compromise.

This can be a confusing process because the WP admin interface may not accurately portray certain situations. For example, if you’ve installed a plugin or theme outside of the WordPress repository, it may always show no updates being available even though that is not the case. The WP admin interface also doesn’t warn when something hasn’t received an update in a while, indicating it may no longer be actively maintained. These are both scenarios that require special attention but are easily overlooked.

Further, if a WordPress is compromised due to a vulnerability it can be very difficult to get the site back online in a secure state. Typically, we recommend a complete fresh re-install because there is no easy way to tell what attackers may have modified or left behind. Last modified dates on files can’t even be trusted once an account has been compromised. Continue reading

LiteSpeed Cache & WordPress

LiteSpeed

Our servers have been running the LiteSpeed Web Server for almost six years now and one of the lesser known but most powerful features of it is its caching. LiteSpeed cache is available on our servers although it is disabled on all domains by default. Enabling it globally just isn’t practical or wise because there is a lot of content that doesn’t need to be cached or shouldn’t ever be cached.

LiteSpeed cache can be used to cache your PHP scripts and thus speed up their load time significantly. This can be very beneficial if your site receives consistent traffic although even low traffic sites can see some benefits. The cache can be enabled and configured by means of some mod_rewrite rules in your .htaccess file. Below is a common example that can be used to cache WordPress:


<IfModule LiteSpeed>
CacheEnable public /
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET)$
RewriteCond %{REQUEST_URI} !^(wp-admin|wp-login.php|wp-cron.php)
RewriteRule .* - [E=Cache-Control:max-age=120]
</IfModule>

Continue reading