One of the things we do to keep track of vulnerabilities in WordPress plugins is to monitor the Support Forum for topics that might discuss them. Through that we came across a recent example of a problem that often comes with advice from web hosts on hacked websites. As a reminder that people who don’t have a good understanding of security will nonetheless hand out advice, the web host providing the inaccurate information is releasing a book, “My Site’s Been hacked: Now What?”.
Recently someone started a topic on the Support Forum with the following message:
I’m having security troubles with my websites, for almost 4 months I was “clean” from “File appears to be malicious: wp-content/plugins/LayerSlider/helpers/khvulaty.php” kinda like from wordfence, but in the last days I’m having issues again, can’t get to find the backdoor in my server :(, I already did the best practices I found in this same forum and I have done a lot of searching on the web
Has anyone been able to get completely clean from backdoors? Or how can we know where we are getting this code injected from? I can’t find anything in the audit logs from Sucuri
In response to that someone else wrote in part:
I suspect this is what we might be dealing with:
There are a couple of big problems with that.
First, the issue described in that linked post doesn’t match the issue described as occurring on that hacked website. The person that wrote that reply is a “website hosting provider”, which explains things, as we often see web hosting providers assuming that where a malicious file has been placed is an indication of how it got there. So in this case, because the file was in a directory for a plugin, they appear to have made the assumption that it must have gotten there through a vulnerability in the plugin. And then it looks like they did a search for vulnerabilities in that plugin and linked to the first result. Usually the reality is that where the file is located is just the random location the hacker happened to place the file. There are exceptions to this, but those involve a situation where a plugin has a vulnerability that allows uploading files and the file is placed in the location that uploaded files go. The linked post doesn’t describe that type of vulnerability, but if you don’t have expertise in this sort of thing (which, based on what we hear when we are brought in to re-clean up hacked websites, is true of a lot of people that clean up hacked websites) you likely wouldn’t understand that.
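Since the directory a malicious file sits in says little about how it got there, the evidence a practitioner actually wants is the web server access log around the time the file appeared. The script below is an added example and is not code from the post or from any of the products mentioned; it assumes an Apache/nginx “combined” format access log (the sample lines are constructed, the `example-gallery/upload.php` path is a hypothetical plugin endpoint, and only the `khvulaty.php` path comes from the post), and it narrows the log down to write-capable requests within a window of the file’s modification time. The timestamp is only a lead, not proof: an attacker can reset a file’s mtime, logs get rotated, and the file may have arrived through FTP, a cron job or another compromised site on the same account, so the output is a candidate list to investigate rather than an identified vulnerability.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log. The flagged file path is the one from the forum post;
# "example-gallery/upload.php" is a hypothetical plugin endpoint used for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2019:09:58:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1342
203.0.113.7 - - [12/Aug/2019:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51
198.51.100.4 - - [12/Aug/2019:10:02:12 +0000] "POST /wp-content/plugins/example-gallery/upload.php HTTP/1.1" 200 18
198.51.100.4 - - [12/Aug/2019:10:02:40 +0000] "GET /wp-content/plugins/LayerSlider/helpers/khvulaty.php HTTP/1.1" 200 7
192.0.2.9 - - [12/Aug/2019:10:31:00 +0000] "GET /?p=12 HTTP/1.1" 200 8810
198.51.100.4 - - [12/Aug/2019:08:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400
this line is not a log entry
"""

# Constructed modification time of the flagged file (what `stat` would report).
FILE_MTIME = datetime(2019, 8, 12, 10, 2, 30, tzinfo=timezone.utc)
FLAGGED_PATH = "/wp-content/plugins/LayerSlider/helpers/khvulaty.php"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it is not a log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def requests_near(lines, file_mtime, window=timedelta(minutes=5), methods=("POST", "PUT")):
    """Return write-capable requests within +/- window of the file's mtime, oldest first.

    GET requests are skipped by default because they rarely create files; the
    request that dropped the file is far more likely to be a POST or PUT.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in methods:
            continue
        if abs(rec["ts"] - file_mtime) <= window:
            hits.append(rec)
    hits.sort(key=lambda r: r["ts"])
    return hits


def first_request_to(lines, path):
    """Earliest request for the given path, or None. Shows when the file was first used,
    which bounds when it must already have existed."""
    recs = [r for r in map(parse_line, lines) if r is not None and r["path"] == path]
    return min(recs, key=lambda r: r["ts"]) if recs else None


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for r in requests_near(lines, FILE_MTIME):
        print(f'{r["ts"].isoformat()} {r["ip"]} {r["method"]} {r["path"]} {r["status"]}')
    first = first_request_to(lines, FLAGGED_PATH)
    if first:
        print(f'flagged file first requested at {first["ts"].isoformat()} from {first["ip"]}')
```

Run against the sample log this lists the two POSTs made within five minutes of the file’s mtime and the first request to the backdoor itself; on a real server you would feed it the actual access log and the actual `stat` output, then verify what each candidate endpoint accepts before concluding anything about the vector.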
That brings us to the second issue: the person is citing an inaccurate source for information on this claimed vulnerability. We actually wrote about that particular website back in May and even discussed that particular post, which was poorly copied from the original disclosure. Here is one example of the problems with the post that we wrote about:
The next part of the Plugin Problem post diverges from the original disclosure, as they state:
Therefore, when the request is not validated, the user does not have to be an administrator to save those settings.
Once again, something that is bolded is not true, as if you look at the discloser’s proof of concept it states that to test it you need to:
log in to a website with Admin privileges
When it comes to getting accurate information on hacked websites in the Support Forum, you are unlikely to get it, since the moderators dissuade those with actual expertise from being involved (we speak of that from our own experience and that of others). Fixing the forum moderation would lead to better results for the public, but the moderators seem unwilling to consider the damage they are doing (it would also go halfway toward there again not being plugins with known vulnerabilities in the Plugin Directory).
When it comes to getting accurate information on vulnerabilities in the WordPress plugins you use, the best source would be the data included with our service, as other data sources have serious issues with the quality of their data (and with the number of vulnerabilities they include). For more limited data on vulnerabilities that are being exploited, you can install the companion plugin for our service, which comes with free data on just those vulnerabilities.