Shared Server and WordPress Hacking

A site is just as protected as the weakest connection on its common server. Once a programmer accesses one site on the server, they can without much of a stretch contaminate different destinations that offer a similar server consents. This is called cross-site defilement. With regards to WordPress sites, the center structure is outstanding by programmers.

WordPress clients comprehend that wp-config.php documents contain database accreditations. It is essential to keep outsiders from having the capacity to peruse this touchy document. On the off chance that aggressors take those database accreditations, they can, for instance, make WordPress administrator clients or infuse spam into posts.

There are two things that most facilitating organizations and site proprietors do to keep these sorts of hacks:

  1. Make wp-config.php garbled by anybody yet the website proprietor (and the web server process), i.e., a 400 consent.
  2. Make it difficult to interface with the database from outer IPs (other than or outside of the host’s subnetwork).

These two stages enable you to stay away from heaps of issues… unless your website has a subjective document download defenselessness.

Self-assertive File Download Vulnerability

The self-assertive record download defenselessness enables aggressors to create a demand to your webpage that will restore the substance of any document on your server (if the web server process has authorization to peruse it). The most famous case of such a powerlessness is the security opening in old variants of the to a great degree well known RevSlider module that prompted the trade off of countless WordPress destinations since its exposure in 2014.

This is a run of the mill ask for seen in hacked site logs at that point: ajax.php?action=revslider_show_image&img=../wp-config.php

Programmers utilized this demand to download the substance of wp-config.php and afterward utilize the database accreditations to make noxious WordPress administrator clients.


Solidifying That Didn’t Help

Would the 400 consents of wp-config.php keep this assault?

No. The document was gotten to by the web server process that had perused access to the record (on the off chance that it didn’t, WordPress wouldn’t work).

Shouldn’t something be said about keeping associations with the database from outside of the host’s system or even from any server aside from localhost?

Beyond any doubt. In the wake of taking the database qualifications, programmers can’t sign in from their PCs. So we’re great, right? Shockingly, there is a workaround and we routinely observe programmers utilizing it.

Shared Servers

The programmers can interface with the WordPress database from a similar server (organize) as the site you need to hack. How might they do this in the event that they haven’t broken into the site yet? The appropriate response is shared servers. Assailants utilize a formerly bargained site to find and hack different WordPress locales on a similar server.

Filtering for Vulnerable Sites

There are a few well known contents that use Bing’s ip: charge to computerize the disclosure of defenseless locales on a similar IP address.

Here is one case:

$sites = array_map(“site”, bing(“ip:$ip”));


resound “[+] Scanning – > “, $ip, “”.”\n”;

resound “Discovered : “.count($sites).” sites\n\n”;

foreach($un as $pok){

$linkof=’/wp-content/subjects/helpless topic/css/css.php?files= ../wp-config.php’;



if(eregi(‘DB_HOST’,$file) and !eregi(‘FTP_USER’,$file) ){

resound “[+] Scanning => “.$bda.”\n\n”;

reverberate “[+] DB NAME : “.findit($file,”DB_NAME’, ‘”,”‘);”).”\n\n”;

reverberate “[+] DB USER : “.findit($file,”DB_USER’, ‘”,”‘);”).”\n\n”;

reverberate “[+] DB PASS : “.findit($file,”DB_PASSWORD’, ‘”,”‘);”).”\n\n”;

reverberate “[+] DB have : “.findit($file,”DB_HOST’, ‘”,”‘);”).”\n\n”;


This content uses the bing() capacity to discover ordered WordPress locales on the server. For each site discovered, it tries to bring the URL that will restore the substance of the wp-config.php record. In the event that the site doesn’t have the defenselessness, this progression is skipped. The got wp-config.php is parsed and the database accreditations of the extra WordPress destinations are presently accessible to the programmers.

Notwithstanding database accreditations, a similar content can take FTP qualifications from wp-config.php (when the web server process doesn’t have consent to alter records, destinations have the choice to design WordPress refreshes through FTP).

elseif(eregi(‘DB_HOST’,$file) and eregi(‘FTP_USER’,$file)){

resound “FTP client : “.findit($file,”FTP_USER’,'”,”‘);”).”\n\n”;

resound “FTP pass : “.findit($file,”FTP_PASS’,'”,”‘);”).”\n\n”;

resound “FTP have : “.findit($file,”FTP_HOST’,'”,”‘);”).”\n\n”;


Given that a run of the mill shared server can have more than a thousand unique locales, the odds of finding other powerless destinations are quite high. As should be obvious this content enables programmers to rapidly gather database, here and there FTP qualifications, from some other powerless WordPress locales on an indistinguishable server from the site that assailants as of now approach.

With the rundown of database qualifications, they can utilize the same hacked site to run different contents that interface with the database. Since the content deals with an indistinguishable server from the potential casualties, this association won’t be blocked. From here, aggressors can make new administrator clients on each powerless site, or basically destroy the site by changing their title (when the programmer’s just inspiration is to boast on Zone-H).


Subnetwork-Level Attacks

As you may know, some facilitating suppliers have devoted database servers. This permits destinations from a wide range of web servers to interface with a similar database server. In such conditions, database servers are designed to permit associations from IPs on a similar sub-arrange. This makes mass hacks utilizing stolen database accreditations considerably more effective. Programmers require just a single bargained site for every subnetwork (rather than one for every IP) to begin such an assault.

For this situation, the start of the content resembles this:


$ip = explode(‘.’,$ip);

$ip = $ip[0].’.’.$ip[1].’.’.$ip[2].’.’;

for($i=0;$i <= 255;$i++)


$sites = array_map(“site”, bing(“ip:$ip.$i wordpress”));

Surveying the Threat and Protecting Your Site

As you most likely are aware, the chain is just as solid as its weakest connection. This additionally applies to site security. We generally accentuate the factor of cross-defilements; when one disregarded site can cause steady reinfection of many cutting-edge and solidified destinations that offer a similar server account.

This article demonstrates that the weakest connection can be a site that doesn’t have a place with you and that you don’t know anything about – it coincidentally shared an indistinguishable server from your site (and a large number of other outsider destinations). In these cases, your site can be hacked regardless of the possibility that you appropriately set wp-config.php consents and your database doesn’t permit outside associations.

Obviously, programmers still need to take the database qualifications, which can happen if the product that you use on your site (subjects, modules, WordPress itself, and so on.) has known or undisclosed vulnerabilities (zero-days). No product can ensure that it is free from security bugs.

To anticipate assaults that use traded off neighbor locales you should endeavor to dispense with whatever number feeble connections as could reasonably be expected.

  1. Move your site to a committed server, or,
  2. Fully fix your site so noxious weakness scanners won’t have the capacity to discover security openings on your site.

Any fixing technique ought to consider zero-day vulnerabilities that product designers don’t think about, and in this way don’t have patches for yet. A strong observing arrangement can help you rapidly review and recoup from a WordPress disease.

You can likewise profit by a site firewall that gives virtual fixing and shrewd insurance against assaults that use security imperfections, including undisclosed zero-day vulnerabilities.

Leave a Reply

Your email address will not be published. Required fields are marked *