The Log4j Bug Can't Hurt WordPress - But There's an Ongoing Attack That Can

by Andrej Kovacevic, January 5th, 2022
Too Long; Didn't Read

Mojang, the studio behind Minecraft, published a post about a bug in Log4j that lets an attacker take control of a machine running the vulnerable software. WordPress is written in PHP and doesn't use Log4j, so it isn't affected. But as of December 10th, reports indicated that at least 1.6 million WordPress sites were under active attack through a handful of vulnerable plugins and themes built on the Epsilon Framework. Every affected plugin, and all but one of the affected themes, has a patch available; updating closes the hole, and a site whose settings show user registration switched on with a default role of Administrator should be treated as already compromised.


Lately, it seems that not a week goes by without fresh news of a vulnerability that could unleash a wave of attacks on servers and devices around the world. But some weeks are worse than others. On December 10th, Mojang, the studio behind the ever-popular sandbox game Minecraft, published a blog post about a newly disclosed bug in Log4j that affected the game. The bug lets a remote attacker run code of their choosing on, and so take control of, any machine running the vulnerable software.

The problem is that Log4j is one of the most widely used open-source Java logging libraries ever created, embedded in an enormous number of applications and appliances, often without their owners knowing it's there. But the announcement wasn't bad news for everyone. WordPress site owners, for example, breathed a sigh of relief that the 18-year-old CMS, which is written in PHP and doesn't use Log4j at all, isn't on the list of software vulnerable to the Log4j threat. (Anything Java running on the same host, such as a search or analytics service, still needs to be checked separately.)

That doesn't mean WordPress site owners can relax, though. Right around the same time that the Log4j catastrophe started hitting the headlines, another threat emerged that's no less serious for them, and it's aimed squarely at WordPress websites. As of December 10th, reports indicated that at least 1.6 million WordPress sites were under active attack, and that could be just the beginning.

The attackers are trying to exploit a variety of vulnerable WordPress plugins and themes, and when they succeed, they gain full administrator access to the affected website. So, site administrators have their work cut out for them to see whether their sites are exposed. To help, here's a list of the known vulnerable plugins and themes, and an overview of what to do to secure a vulnerable site.

The Affected Plugins

One of the reasons the current attack on WordPress sites is so widespread is that the attackers are targeting a handful of vulnerabilities at once instead of a single one. And frustratingly, some of the vulnerabilities received patches as early as 2018, which tells you that a whole lot of site administrators haven't kept up with the available plugin updates.

So far, the list of plugins being targeted includes:

The good news about this list is that every one of the affected plugins has a patch available that fixes the vulnerability. That means WordPress sites using them can update today and close the hole. Keep in mind, though, that updating only prevents future exploitation; it doesn't undo anything an attacker has already done to a site that was exploited before the update.

The Affected Themes

Unfortunately, plugins aren't the only things that the attackers are targeting right now. They're also targeting a vulnerability in the Epsilon Framework, a common set of underlying code that a variety of WordPress themes rely on. But again, the vast majority of the affected themes have patches available that correct the problem that makes them vulnerable. All but one, that is.

The affected site themes are:

  • Activello version 1.4.0 and below
  • Affluent versions below 1.1.0
  • Allegiant version 1.2.5
  • Antreas version 1.0.4 and below
  • Bonkers version 1.0.5 and below
  • Brilliance version 1.2.9 and below
  • Illdy version 2.1.4 and below
  • MedZone Lite version 1.2.4
  • NatureMag Lite all versions – no patch available
  • NewsMag version 2.4.1 and below
  • Newspaper X version 1.3.1 and below
  • Pixova Lite version 2.0.5 and below
  • Regina Lite version 2.0.4 and below
  • Shapely version 1.2.7 and below
  • Transcend version 1.1.8 and below

With such a long list of vulnerable themes, the scope of the potential attack is far larger than what security researchers have recorded so far. But updating the affected themes to the most recent version prevents attackers from gaining access through a previously vulnerable site. If a site runs a child theme, it's the parent theme's version that matters, since the child inherits the parent's code.

The only known exception is the NatureMag Lite theme. So far, there's no patch available for that one. That means sites using it should switch to a different theme immediately and delete the vulnerable theme's folder from the WordPress installation, because an installed but inactive theme's files can still be reached by an attacker. Unfortunately, such drastic action is the only thing users of that particular theme can do to secure their sites right now.

How to Spot the Exploit

Because some of the vulnerabilities listed here aren't new, any site that has used any of the vulnerable plugins or themes may have already been hit by the attack. And although many webmasters assume that seeing no visible changes to their site's contents is a sign that it's safe, they shouldn't dismiss the threat so easily.

That's because the attackers aren't necessarily trying to deface websites. They're trying to give themselves access to the administrative console and to do so without getting caught. From there, they can use that access to harvest user data or make other unauthorized changes to the site's underlying code.

The good news is that the way the attackers are doing this leaves traces that webmasters can find if they know what they're looking for. What they're doing is switching on the "users_can_register" option (the "Anyone can register" checkbox) and changing the "default_role" option from its usual value of "subscriber" to "administrator". From that moment forward, every new user account added to an affected site gets administrative access by default, so the attacker can simply sign up through the normal registration form.

So, the first thing to do to see if a site's been compromised is to go to the general setting page of the WordPress administrative console, at:

http://yourdomainname.com/wp-admin/options-general.php

On that page, make sure that "Anyone can register" is unchecked (unless your site allows registrations on purpose), and that the new user default role is set to "Subscriber" or whatever role is appropriate for the site in question. If either of the options has been altered from the correct settings, there's a good chance the site's been hacked. Note that the reverse doesn't hold: an attacker who has already created an administrator account can put the settings back, so correct settings alone don't prove the site is clean. Check the user list as well, and look for administrator accounts you didn't create.
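The same check from the command line, as an added example that is not part of the original article. It uses WP-CLI ("wp"), which is assumed to be installed and run from the WordPress root; the option names are the real wp_options keys the article refers to, and the function that judges the values is separated from the live calls so it can be exercised without a site.

```bash
#!/bin/bash
# Added example, not code from the article: detect the users_can_register /
# default_role tampering with WP-CLI and restore the defaults.
# Assumes WP-CLI ("wp") is installed and the script runs from the WordPress root.

# Pure check on the two option values. Returns 0 if they match what the site
# owner intends, 1 if they look tampered with. Free of WP-CLI calls so it can be
# exercised without a live site.
check_registration_settings() {
    local users_can_register="$1"          # "0" or "1", as stored in wp_options
    local default_role="$2"                # stored lowercase, e.g. "subscriber"
    local expected_registration="${3:-0}"  # most sites: registration off
    local expected_role="${4:-subscriber}" # or whatever role the site really uses
    local suspicious=0
    if [ "$users_can_register" != "$expected_registration" ]; then
        echo "WARN: users_can_register=$users_can_register (expected $expected_registration)"
        suspicious=1
    fi
    if [ "$default_role" != "$expected_role" ]; then
        echo "WARN: default_role=$default_role (expected $expected_role)"
        suspicious=1
    fi
    if [ "$default_role" = "administrator" ]; then
        echo "WARN: new signups get full admin rights; treat the site as compromised"
    fi
    return "$suspicious"
}

# Put the two options back. This closes the self-service admin signup but does
# nothing about accounts the attacker already created; review and remove those
# separately (wp user list / wp user delete <id> --reassign=<your id>).
restore_registration_defaults() {
    wp option update users_can_register 0
    wp option update default_role subscriber
}

# Live part: runs only when WP-CLI and an installed site are present.
if command -v wp >/dev/null 2>&1 && wp core is-installed >/dev/null 2>&1; then
    reg=$(wp option get users_can_register)
    role=$(wp option get default_role)
    if check_registration_settings "$reg" "$role" 0 subscriber; then
        echo "Registration settings look untouched."
    else
        echo "Administrator accounts on this site (compare user_registered dates with your own records):"
        wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
        # restore_registration_defaults   # uncomment once you've reviewed the list
    fi
fi
```

The third and fourth arguments let a site that legitimately allows registration (with, say, a "contributor" default) pass the check without false alarms; a "default_role" of "administrator" is flagged regardless.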

What to Do Next

In this case, there are only two real options for WordPress site owners who discover evidence that an attacker has gained administrator access to their site. For sites that don't collect user data or that aren't mission-critical (personal blogs and the like), it may suffice to go through the site's user list and remove any accounts created without authorization, reset the passwords of the remaining administrators, and change the authentication salts in wp-config.php so that any session the attacker still holds is invalidated.

At the very least, this cuts off the attacker's administrative access going forward. The problem then is figuring out whether any other changes have been made to the site itself. Someone with administrative access can edit theme and plugin files from the dashboard or upload a plugin of their own, and changes like that are hard to spot by eye.

For a business, a compromise like this can disrupt everything that runs through the site, from order and contact forms to the privacy of customer data stored in it.

For some people, the prospect of such undetected changes isn't a big deal. But unless the affected site is so unimportant that it wouldn't matter if it got defaced, looted, or destroyed, leaving well enough alone isn't a viable option.

So, most owners of compromised websites will want to reinstall WordPress and restore their content from a backup. In a perfect world, a backup taken before the attack, and ideally before the vulnerable plugin or theme was added, is the best bet. In the real world, the age of some of these vulnerabilities means that such a backup may not exist, and a backup taken after the compromise simply restores the attacker's changes along with the content.

Cleaning Up After a Hack

The first step in cleaning up a hacked WordPress site for which no clean backup is available is a counterintuitive one: take a complete backup of the site (files and database) as it exists before attempting a cleanup. This reduces the chances of doing irreparable damage or losing irreplaceable content in the process of cleaning up the site, and it preserves evidence of what the attacker did. Store that backup outside the web root, where it can't be downloaded.

The next step is to roll the WordPress site back to known-good files. To do so:

  • Make a list of the plugins in use and then delete the contents of the site's "wp-content/plugins/" folder. This eliminates the local copies of the plugins that may have been altered by an attacker. Once this is complete, re-download the necessary plugins at their latest versions from the official repository or the vendor and reinstall them.
  • Remove all installed themes that aren't in use and delete their folders in the "wp-content/themes" directory. Then, download a fresh copy of the theme that's in use (and of its parent theme, if it's a child theme) and replace the files in its installation folder. This eliminates any changes the attacker may have made to the site's theme.
  • Examine the site's "wp-admin" and "wp-includes" directories for new or modified files. Normally, the files in those directories change only when WordPress itself is updated, and they can be compared against the checksums WordPress publishes for each release. If anything appears suspicious, the best option is to reinstall the current WordPress version from the administration dashboard and then remove any file in those folders that isn't part of the official release. Also look in "wp-content/uploads": WordPress only writes media files there, so a PHP file in that tree is almost certainly something the attacker dropped.
  • Check the site's storage location for any directories or archives that contain backup copies of the site. If any exist, delete them. Such copies may be reachable over the web, still contain the old vulnerable plugins, and can give an attacker a way back into the current public-facing version of the site.
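The checks in the list above as one script, added here as an example and not taken from the article. It uses WP-CLI ("wp") for the checksum and reinstall steps, which are assumed to be available; the find(1) checks only need a copy of the site tree. The site path argument and the script name are hypothetical.

```bash
#!/bin/bash
# Added example, not code from the article: verify and rebuild a WordPress tree
# after a compromise. Assumes WP-CLI ("wp") for the checksum/reinstall steps.

# Core and plugin files are compared with the checksums WordPress.org publishes,
# so modified or added files in wp-admin, wp-includes and plugin directories are
# reported by name instead of being guessed from timestamps.
verify_against_checksums() {
    local path="$1"
    wp core verify-checksums --path="$path"
    wp plugin verify-checksums --all --path="$path"
}

# Replace core files with a fresh copy of the installed version (keeps
# wp-content and wp-config.php), then reinstall every plugin from the official
# repository. Paid plugins that aren't on WordPress.org must be reinstalled from
# the vendor's package by hand.
reinstall_core_and_plugins() {
    local path="$1"
    wp core download --force --skip-content --version="$(wp core version --path="$path")" --path="$path"
    # shellcheck disable=SC2046  # word splitting on plugin names is intended
    wp plugin install $(wp plugin list --field=name --path="$path") --force --path="$path"
}

# PHP under wp-content/uploads is never legitimate: WordPress only writes media
# there, and it's the classic place for a webshell left by an attacker.
php_in_uploads() {
    local path="$1"
    find "$path/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# Every .php file modified in the last N days (default 30). Legitimate updates
# touch files too, so read this against your own update history.
recent_php_files() {
    local path="$1" days="${2:-30}"
    find "$path" -type f -name '*.php' -mtime "-$days"
}

# Stray site copies and dumps inside the web root. Archives and SQL dumps are
# downloadable by anyone who guesses the name, and a whole copied directory still
# carries the old vulnerable plugins (and possibly the attacker's files).
# Matching directories are printed once and not descended into.
find_backup_artifacts() {
    local path="$1"
    find "$path" \
        \( -type d \( -iname 'backup*' -o -iname '*_old' -o -iname '*.old' -o -iname '*.bak' \) -print -prune \) \
        -o \( -type f \( -name '*.zip' -o -name '*.tar' -o -name '*.tar.gz' -o -name '*.tgz' \
                          -o -name '*.sql' -o -name '*.sql.gz' \) -print \)
}

# Usage: ./wp-cleanup-check.sh /var/www/html   (path is hypothetical)
if [ -n "${1:-}" ]; then
    site="$1"
    echo "== PHP files in uploads =="; php_in_uploads "$site"
    echo "== PHP files changed in the last 30 days =="; recent_php_files "$site" 30
    echo "== Backup copies in the web root =="; find_backup_artifacts "$site"
    if command -v wp >/dev/null 2>&1; then
        echo "== Checksum verification =="; verify_against_checksums "$site"
    fi
    # reinstall_core_and_plugins "$site"   # run once you've reviewed the output
fi
```

Run the read-only checks first and save their output alongside the pre-cleanup backup; only then reinstall, so you keep a record of what was actually on disk.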

Stay Up to Date

Most WordPress site owners, if they act fast, won't have to do anything but update their plugins and themes to keep their sites secure. But for the unlucky, a complete site reinstallation may be the only way to undo the potential damage caused by this latest wide-ranging WordPress attack. After going through that once, it's a safe bet that affected webmasters won't forget to update their plugins and themes going forward. Doing so is the easiest way to keep a WordPress site safe from harm, and it sure beats the alternative.