Wordpress

From Just another day in the life of a linux sysadmin


wp-cli

Logging

define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);

This writes the log to a file called php-errors.log in wp-content.



XMLRPC blocking

To find out whether an account on this server is the one acting as the attacker, run:

grep -s xmlrpc.php /usr/local/apache/domlogs/* | grep POST | grep "$(date +"%d/%b/%Y")" | cut -d: -f1 | sort | uniq -c | sort -nr | head -25



To find out whether an account is the one receiving an attack, run:

grep -s xmlrpc.php /usr/local/apache/domlogs/* | grep GET | grep "$(date +"%d/%b/%Y")" | cut -d: -f1 | sort | uniq -c | sort -nr | head -25
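The two domlog one-liners above, as an added example that is not part of the wiki page: it builds two constructed sample domlogs (documentation addresses, not real traffic) in a temporary directory and runs the same per-domlog count over them, plus a second pass that lists the source addresses behind the requests for one account, which is the list a defender actually needs for a firewall or WAF block. It assumes cPanel-style domlogs (one Apache combined-format file per domain); the function names xmlrpc_hits, xmlrpc_sources and top_count are hypothetical.

```shell
#!/bin/sh
# Added example (not from the wiki page): the domlog triage above, run against
# constructed sample logs so the pipeline can be checked offline.
# Assumptions: cPanel-style domlogs, one file per domain, Apache combined log
# format; function names (xmlrpc_hits, xmlrpc_sources, top_count) are hypothetical.

LOGDIR=$(mktemp -d)
trap 'rm -rf "$LOGDIR"' EXIT
DAY="12/Mar/2024"   # stands in for $(date +"%d/%b/%Y") in the one-liners above

# Constructed sample traffic (RFC 5737 documentation addresses, not real clients).
cat > "$LOGDIR/site-a.example.com" <<EOF
203.0.113.5 - - [${DAY}:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [${DAY}:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.9 - - [${DAY}:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [${DAY}:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Mar/2024:23:59:59 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
EOF
cat > "$LOGDIR/site-b.example.com" <<EOF
192.0.2.20 - - [${DAY}:09:00:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "WordPress/6.4; http://site-a.example.com"
192.0.2.20 - - [${DAY}:09:00:01 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "WordPress/6.4; http://site-a.example.com"
EOF

# xmlrpc_hits DIR METHOD DAY
# Per-domlog count of METHOD requests to xmlrpc.php on DAY, largest first
# ("count filename", the same shape as the one-liners above). -H forces the
# filename prefix even when the directory holds a single log.
xmlrpc_hits() {
    grep -sH xmlrpc.php "$1"/* | grep "\"$2 " | grep "$3" \
        | cut -d: -f1 | sort | uniq -c | sort -nr
}

# xmlrpc_sources FILE METHOD DAY
# Source addresses behind those requests in one domlog, largest first: the
# list to hand to the firewall or WAF once you know which account is hit.
xmlrpc_sources() {
    grep xmlrpc.php "$1" | grep "\"$2 " | grep "$3" \
        | awk '{print $1}' | sort | uniq -c | sort -nr
}

# top_count: the count on the first (largest) line of either report.
top_count() { awk 'NR==1 {print $1}'; }

echo "== POST xmlrpc.php per domlog today =="
xmlrpc_hits "$LOGDIR" POST "$DAY" | head -25
echo "== GET xmlrpc.php per domlog today =="
xmlrpc_hits "$LOGDIR" GET "$DAY" | head -25
echo "== sources hitting site-a with POST =="
xmlrpc_sources "$LOGDIR/site-a.example.com" POST "$DAY"
```

Against the sample data the POST report names site-a (3 hits today; the one from yesterday is excluded by the date filter), the GET report names site-b, and the source list for site-a puts 203.0.113.5 on top with 2 requests. On a real server point LOGDIR at /usr/local/apache/domlogs and set DAY from date as the one-liners do.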



Add this either to the .htaccess of the user receiving the POST requests, or to the Pre VirtualHost Include in WHM => Apache Configuration => Include Editor for a server-wide block.

# START XML RPC BLOCKING
<Files xmlrpc.php>
  Order Deny,Allow
  Deny from all
  Allow from 127.0.0.1
  ErrorDocument 401 default
  ErrorDocument 403 default
  ErrorDocument 404 default
  ErrorDocument 411 default
</Files>
# FINISH XML RPC BLOCKING


You can also turn off the functionality in wp-config.php by placing the following line at the bottom of the file:

add_filter('xmlrpc_enabled', '__return_false');



after this line:

require_once(ABSPATH . 'wp-settings.php');


If you want to be really sneaky you can make xmlrpc attackers attack themselves by rewriting requests to localhost

Redirect 301 /xmlrpc.php http://127.0.0.1


Wordpress specific Commands

Run this from the WordPress base install directory (where wp-config.php is). It reads the database in use from wp-config.php, dumps it, and sets ownership of the dump to the site's user.

# Run from the directory containing wp-config.php.
owner=$(stat -c '%U' wp-config.php)
db=$(grep DB_NAME wp-config.php | awk -F"'" '{print $4}')
mkdir -p .mysqldump
chown "${owner}". .mysqldump
mysqldump "${db}" > ".mysqldump/${db}.sql"
chown "${owner}". ".mysqldump/${db}.sql"
echo "The databases are found in $(pwd)/"
find .mysqldump/ -name '*.sql'
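The dump step above relies on the define() lines in wp-config.php using single quotes and puts nothing on the mysqldump command line beyond the database name because it trusts a root .my.cnf. As an added example that is not part of the wiki page, the script below reads DB_NAME, DB_USER, DB_PASSWORD and DB_HOST from wp-config.php whichever quote style the site uses, and hands the credentials to mysqldump through a temporary option file rather than on the command line, where ps would show them. The wp-config.php it runs against is constructed; the function names wp_config_get, wp_mysql_defaults and wp_dump_db are hypothetical, and wp_dump_db is defined but not run because it needs a live MySQL server.

```shell
#!/bin/sh
# Added example (not from the wiki page): read DB_NAME/DB_USER/DB_PASSWORD/DB_HOST
# from wp-config.php without assuming the defines use single quotes, and pass the
# credentials to mysqldump through a temporary option file instead of the command
# line (where `ps` would show them). Function names are hypothetical.

# wp_config_get FILE KEY
# Prints the value of define('KEY', 'value') / define("KEY", "value"), tolerating
# optional whitespace. Values containing a quote character are not handled.
wp_config_get() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# wp_mysql_defaults FILE
# Emits a [client] section for --defaults-extra-file built from wp-config.php.
wp_mysql_defaults() {
    printf '[client]\nuser=%s\npassword="%s"\nhost=%s\n' \
        "$(wp_config_get "$1" DB_USER)" \
        "$(wp_config_get "$1" DB_PASSWORD)" \
        "$(wp_config_get "$1" DB_HOST)"
}

# wp_dump_db SITEDIR
# Same effect as the one-liner above: dump the site's DB into SITEDIR/.mysqldump
# and give the dump the owner of wp-config.php. Needs mysqldump and MySQL access,
# so it is defined here but not run.
wp_dump_db() {
    cfg="$1/wp-config.php"
    db=$(wp_config_get "$cfg" DB_NAME)
    owner=$(stat -c '%U' "$cfg")
    defaults=$(mktemp)                    # created 0600 by mktemp
    wp_mysql_defaults "$cfg" > "$defaults"
    mkdir -p "$1/.mysqldump"
    mysqldump --defaults-extra-file="$defaults" "$db" > "$1/.mysqldump/$db.sql"
    rm -f "$defaults"
    chown "$owner". "$1/.mysqldump" "$1/.mysqldump/$db.sql"
    echo "The database dump is in $1/.mysqldump/$db.sql"
}

# Constructed wp-config.php mixing quote styles; the awk -F"'" '{print $4}' in
# the one-liner above would return nothing for the DB_NAME line here.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', "wp_site" );
define("DB_USER", 'wp_user');
define('DB_PASSWORD', 'p@ss w0rd');
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
require_once(ABSPATH . 'wp-settings.php');
EOF

for key in DB_NAME DB_USER DB_PASSWORD DB_HOST; do
    echo "$key = $(wp_config_get "$TMP/wp-config.php" "$key")"
done
```

--defaults-extra-file must be the first option given to mysqldump, and the option file must not be world-readable, which is why it comes from mktemp and is removed as soon as the dump finishes.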

Specific issues

Symptom

Lots of time spent on cron triggers; in wp_options, the row with option_name 'cron' has an option_value bloated with invalid cron entries.

Cause

https://core.trac.wordpress.org/ticket/33423

Fix

https://core.trac.wordpress.org/changeset/33646/trunk/src/wp-includes/taxonomy.php

Cleanup

vim wp-content/mu-plugins/cleanup.php

<?php
function clear_bad_cron_entries() {
    // Fix incorrect cron entries for term splitting
    $cron_array = _get_cron_array();
    if ( isset( $cron_array['wp_batch_split_terms'] ) ) {
        unset( $cron_array['wp_batch_split_terms'] );
        _set_cron_array( $cron_array );
    }
}
clear_bad_cron_entries();


Visit the site, wait a bit, and check the cron option_value; if it looks good, delete the file above.


Can't upload or create directories?

Turn on the suexec Apache module in EA4.


Malicious suspiciousness

Search for PHP files (e.g. index.php) in WordPress uploads directories, where they should not exist; stat the files and export the result to a file:

find /home/ -mindepth 4 -name "*.php" -path "*public_html/wp-content/uploads*" -print0 | xargs -0 stat -c "a:%x m:%y c:%z %n" | sort -k2 > /root/joel.suspicious.stats
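The uploads sweep above, as an added example that is not part of the wiki page: it builds a constructed /home-style tree in a temporary directory containing a normal image, two PHP files under uploads (one with a space in its name, which an unquoted xargs pipeline would split) and a PHP file in a plugin directory that must not be reported, then runs the same find/stat report with NUL-delimited paths. The -mindepth 4 from the one-liner is left out because the root here is a temporary directory rather than /home; the function names uploads_php_files, uploads_php_count and uploads_php_report are hypothetical.

```shell
#!/bin/sh
# Added example (not from the wiki page): the uploads sweep above run against a
# constructed /home tree, with NUL-delimited paths so file names containing
# spaces reach stat intact. Function names are hypothetical.

TREE=$(mktemp -d)
trap 'rm -rf "$TREE"' EXIT
UP_A="$TREE/home/alice/public_html/wp-content/uploads/2024/03"
UP_B="$TREE/home/bob/public_html/wp-content/uploads/2024/03"
PLUG_B="$TREE/home/bob/public_html/wp-content/plugins/akismet"
mkdir -p "$UP_A" "$UP_B" "$PLUG_B"
: > "$UP_A/photo.jpg"                              # normal upload, ignored
printf '<?php\n' > "$UP_A/index.php"               # PHP in uploads: report
printf '<?php\n' > "$UP_B/my shell.php"            # name with a space: report
printf '<?php\n' > "$PLUG_B/akismet.php"           # plugin dir, not uploads: ignore

# uploads_php_files ROOT
# PHP files under any public_html/wp-content/uploads tree below ROOT, one per line.
uploads_php_files() {
    find "$1" -type f -name '*.php' -path '*public_html/wp-content/uploads*' -print
}

# uploads_php_count ROOT: number of such files.
uploads_php_count() { uploads_php_files "$1" | wc -l | tr -d ' '; }

# uploads_php_report ROOT
# Access/modify/change times per file, oldest modify time first, in the same
# "a: m: c: name" layout as the one-liner above. Redirect to a file to keep it.
uploads_php_report() {
    find "$1" -type f -name '*.php' -path '*public_html/wp-content/uploads*' -print0 \
        | xargs -0 -r stat -c 'a:%x m:%y c:%z %n' | sort -k2
}

uploads_php_report "$TREE"
```

On the sample tree the report lists exactly the two files under uploads and skips the plugin file; on a real server run it with /home as ROOT and redirect the output to a file under /root as the one-liner does, so the timestamps are preserved before any cleanup changes them.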