One of the nicest qualities of WordPress is that it’s so easy to install. Once the WordPress application is uploaded to a server, it takes a few minutes to enter the necessary information and you’re done. But that ease-of-installation can be turned against WordPress users and server administrators. In what’s been called the WPSetup attack, attackers are searching for incomplete WordPress installations and using them to take over sites and servers.
One of the reasons WordPress is so easy to install is that once it’s uploaded to a server, the user can immediately connect to the domain or IP of the installation and begin the configuration process. The configuration uses the setup-config.php file, which is removed once the configuration process is complete. Researchers at the WordFence WordPress security company recently revealed that criminals are scanning servers for the presence of the config script and using it to compromise the installation.
Once the attackers discover the presence of the configuration file, they can run it, enter their own database and user information, and take control of the site. Once they have control of the WordPress site, they can upload malicious plugins, including plugins that allow them to execute arbitrary code on the server. An attacker who can run arbitrary code is in a good position to take over other WordPress installations on the server or the server itself.
The WPSetup Attack is a serious problem for anyone using WordPress or offering WordPress hosting services. There are many reasons the WordPress configuration process might be left incomplete for a significant amount of time. But even if the site owner intends to complete the installation immediately, an automated scanner could spot the incomplete site and take advantage of it in the time it takes to make a cup of tea.
The risk is particularly serious for WordPress hosting providers who use servers to host multiple WordPress sites. Hosting providers typically trigger the installation of WordPress via a script, and clients are left to complete the installation process at their own convenience. It’s likely many WordPress hosting servers have at least one incompletely configured WordPress site.
If you use a Virtual Private Server or Dedicated Server to host WordPress, you can reduce the risk by making sure you complete the installation process as soon as the WordPress code is uploaded to the server. The longer you wait, the more likely it is that a bad actor will finish the installation for you.
Web hosting providers should implement a system for scanning their services for incomplete WordPress installations.
However fast you are to spot incomplete installations, there’s still a small risk. WordFence suggests that server administrators use .htaccess rules to block every client from loading the incomplete site except the one that initiated the installation, or another client known to be trustworthy. But that’s not a permanent solution and may introduce issues in multi-tenant hosting scenarios.
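The two defensive measures above, a hosting-side scan for incomplete installations and a temporary .htaccess restriction on each one found, can be combined in a single script. The following is an added example written for this article; it is not code from WordFence or the WordPress project. It assumes that the installer script sits at wp-admin/setup-config.php (the file named above), that a completed site has a wp-config.php either in the site root or one directory above it (WordPress accepts both locations), and that the web server is Apache 2.4 with AllowOverride permitting authorization directives in .htaccess. The site layout it scans is constructed inside a temporary directory so the script runs offline.

```python
"""Find WordPress trees whose installer was never completed and, optionally,
write an allow-list .htaccess in front of each one.

Added example, not WordFence's or WordPress's own code.  Assumptions:
  - installer at wp-admin/setup-config.php (named in the article)
  - a finished install has wp-config.php in the site root or its parent
  - Apache 2.4 'Require ip' syntax is honoured in .htaccess
"""
import ipaddress
import os
import tempfile
from pathlib import Path
from typing import Dict, List

SETUP_SCRIPT = Path("wp-admin") / "setup-config.php"
CONFIG_FILE = "wp-config.php"


def is_wordpress_root(d: Path) -> bool:
    """A directory is treated as a WordPress root if the installer is present."""
    return (d / SETUP_SCRIPT).is_file()


def is_incomplete(d: Path) -> bool:
    """Installer present but no wp-config.php in the root or one level up."""
    return (is_wordpress_root(d)
            and not (d / CONFIG_FILE).is_file()
            and not (d.parent / CONFIG_FILE).is_file())


def find_incomplete_installs(docroot: Path, max_depth: int = 4) -> List[Path]:
    """Walk a hosting document-root tree and return every incomplete site root.
    WordPress trees are not descended into (plugins/themes never count as sites)."""
    docroot = Path(docroot)
    found: List[Path] = []
    for dirpath, dirnames, _ in os.walk(docroot):
        d = Path(dirpath)
        if len(d.relative_to(docroot).parts) > max_depth:
            dirnames[:] = []          # stop descending past the depth limit
            continue
        if is_wordpress_root(d):
            if is_incomplete(d):
                found.append(d)
            dirnames[:] = []          # prune: nothing below a WP root is a site
    return sorted(found)


def htaccess_for(allowed: List[str]) -> str:
    """Render an Apache 2.4 allow-list; every entry must be a valid IP or CIDR."""
    if not allowed:
        raise ValueError("allow-list must not be empty")
    lines = ["# Temporary: only the installing client may reach the setup wizard",
             "<RequireAny>"]
    for entry in allowed:
        ipaddress.ip_network(entry, strict=False)   # ValueError on garbage input
        lines.append(f"    Require ip {entry}")
    lines.append("</RequireAny>")
    return "\n".join(lines) + "\n"


def lock_down(site: Path, allowed: List[str]) -> Path:
    """Write the allow-list .htaccess into an incomplete site; never overwrite."""
    target = site / ".htaccess"
    if target.exists():
        raise FileExistsError(f"{target} already exists; refusing to overwrite")
    target.write_text(htaccess_for(allowed))
    return target


def build_demo_tree(base: Path) -> None:
    """Constructed sample layout: one finished site and one abandoned installer."""
    done = base / "alice.example" / "public_html"
    (done / "wp-admin").mkdir(parents=True)
    (done / "wp-admin" / "setup-config.php").touch()
    (done / CONFIG_FILE).touch()
    pending = base / "bob.example" / "public_html" / "blog"
    (pending / "wp-admin").mkdir(parents=True)
    (pending / "wp-admin" / "setup-config.php").touch()


def run_demo(allowed: List[str] = ("203.0.113.7",)) -> Dict[str, object]:
    """Scan the constructed tree, lock down what it finds, report the results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        hits = find_incomplete_installs(root)
        written = [lock_down(site, list(allowed)).read_text() for site in hits]
        return {"incomplete": [str(h.relative_to(root)) for h in hits],
                "htaccess": written}


if __name__ == "__main__":
    result = run_demo()
    for site in result["incomplete"]:
        print("incomplete WordPress install:", site)
    print(result["htaccess"][0], end="")
```

Run it on a real hosting box by calling find_incomplete_installs() on the directory that holds customer document roots; the scan reports only site roots whose installer is reachable and whose wp-config.php is missing, which is exactly the state the WPSetup attack looks for. The .htaccess it writes is deliberately a stop-gap: it refuses to overwrite an existing file, so a tenant's own rules are never clobbered, and it should be removed once the owner finishes the wizard.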
Most importantly, WordPress users and WordPress hosting companies should be vigilant: don’t install WordPress on your server and leave the installation incomplete.