How to Hack WordPress Pages on a Shared Server?

hacking-wordpress-on-shared-servers

A site is just as secure as the weakest link on its shared server. Once hackers gain access to a page on the server, they can easily access other pages on the same server with the same privileges. This is called cross-site contamination . When the same thing happens to sites that use WordPress , it becomes even more dangerous because hackers are already aware of the core structure in the palm of their hand.


WordPress users understand that the wp-config.php file contains database authentication information, so it’s important to prevent strangers from reading this sensitive file. If hackers steal these database credentials, they will be able to do things such as creating new administrator accounts or inserting spammy data into posts. 

There are two things that most hosting companies and website owners usually do to stop these kind of hacking:

  1. Make wp-config.phpunreadable by anyone except the site owner (and the web server process). For example, configure powers 400(CHMOD).
  2. Make external IPs unable to connect to the database (only accept 127.0.0.1 or external subnetwork of the server).

These two steps will help you avoid many problems … until your site has an Arbitrary File Download(download file arbitrary).

Arbitrary File Download

This vulnerability allows hackers to create a query to your site and return the contents of any file on your server (if the web server process has read permission to it). The most typical example of such a bug is a security vulnerability in older versions of the hugely popular plugin RevSlider led to hundreds of thousands of WordPress site information leaked in 2014. 

This is a go The most commonly seen in the log of hacked websites:

http://victim.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

The hacker used this query to download the contents of wp-config.php and then use the database login information to create the WordPress admin account.

Those steps did not help

Setting permissions 400 for wp-config.php can prevent this type of attack? 

Are not. The file has been accessed by the web server process – it has the right to read the file (if it does not then WordPress will not work). 

How about blocking connections to the database from outside the server network or even from any server except localhost? 

Of course. After stealing the login credentials, the hacker could not log in from their computer. So are we safe? Unfortunately, there is a way to solve this and we often see hackers use it.

Shared Server

Hackers can connect to the WordPress database from the same server (network) with the site they want to hack. How can they do this if they have never visited the site before? The answer is shared server. Hackers use a previously compromised site to discover and hack other WordPress sites on the same server.

Scan for security vulnerabilities

There are many popular scripts that use Bing’s ip power : commands to automatically detect broken pages on the same IP address. 

Here is an example:

$sites = array_map("site", bing("ip:$ip"));
$un=array_unique($sites);
echo "[+] Scanning -> ", $ip, ""."n";
echo "Found : ".count($sites)." sitesnn";
foreach($un as $pok){
   $linkof='/wp-content/themes/vulnerable-theme/css/css.php?files= ../../../../wp-config.php';
   $dn=($bda).($linkof);
   $file=@file_get_contents($dn);
   if(eregi('DB_HOST',$file) and !eregi('FTP_USER',$file) ){
   echo "[+] Scanning => ".$bda."nn";
   echo "[+] DB NAME : ".findit($file,"DB_NAME', '","');")."nn";
   echo "[+] DB USER : ".findit($file,"DB_USER', '","');")."nn";
   echo "[+] DB PASS : ".findit($file,"DB_PASSWORD', '","');")."nn";
   echo "[+] DB host : ".findit($file,"DB_HOST', '","');")."nn";
...


This script uses the function bing()to find the indexed WordPress pages on the server. For every page found, it attempts to load the URL that will return the contents of the wp-config.php fileIf the page is not corrupted, this step is ignored. The generated wp-config.php file will be parsed and the database logins for these WordPress pages now belong to hackers. 

In addition to the database information, similar scripts can steal FTP information from wp-config.php (when the web server process does not have permission to change the file, the page will have the option to configure the counter. Update WordPress via FTP).

elseif(eregi('DB_HOST',$file) and eregi('FTP_USER',$file)){
   echo "FTP user : ".findit($file,"FTP_USER','","');")."nn";
   echo "FTP pass : ".findit($file,"FTP_PASS','","');")."nn";
   echo "FTP host : ".findit($file,"FTP_HOST','","');")."nn";
}


Since a shared server can host more than a thousand pages, the chances of finding other sites with errors are high. As you can see, this script allows hackers to quickly crawl the database, occasionally FTP information from any other WordPress site that is corrupted on the same server as the site that the hacker already has access to. . 

With a list of database information, they can use the hacked site to run other scripts that connect to the DB. Because the script is running on the victim’s server, this connection will not be blocked. From here, hackers can create new admin accounts on every failed page or simply change the page layout by changing their page title (when the hacker’s only motive is to show off on Zone-H. ).

Subnetwork level attacks (subnets)

As you may know, some hosting providers have dedicated server servers. This allows pages from different web servers to connect to the same database server. In such an environment, database servers are configured to allow multiple connections from multiple IPs on the same subnet. This makes serial hacking using database stealing information even more successful. Hackers only need one compromised site on each subnet (instead of one per IP) to initiate such an attack. 

In this case, the script will start to look something like this:

$ip=trim(fgets(STDIN,1024));
$ip = explode('.',$ip);
$ip = $ip[0].'.'.$ip[1].'.'.$ip[2].'.';
for($i=0;$i <= 255;$i++)
{
 $sites = array_map("site", bing("ip:$ip.$i wordpress"));
 …

Assess the threats and protect your site

As you know, each string is just as strong as its weakest link. This is similar to web security. We always emphasize cross-contaminations ; When an abandoned device can become a prune, good and up-to-date web pages are attacked again on the same web server. 

This article shows you that the weakest link may be a page that does not belong to you and that you do not know anything about it – it only uses the same server as your site (and thousands of other third-party sites) . In these cases, your site may be hacked even if you have set permissions for wp-config.php and your database does not allow external connections.

Of course, hackers still need to steal database information – which can happen if the software that your site uses (theme, plugin, WordPress, etc.) is vulnerable to unknown vulnerabilities. coming or being detected (zero-day). No software can guarantee that it contains no security holes. 

To prevent leverage attacks from compromised neighbors, you should remove as many weak links as possible.

  1. Move your page to a separate server, or …
  2. Patch your site so that the vulnerability scanner can not find security holes on your site.


Any patching strategy should consider the zero-dayvulnerabilities that software developers do not yet know, and therefore have no patches. A powerful monitoring solution can help you quickly control and recover from a WordPress infection. 

You can also benefit from a Website Firewall that provides patches and intelligent protection against attacks based on security bugs , including undisclosed zero-day security vulnerabilities

LEAVE A REPLY

Please enter your comment!
Please enter your name here