spamassassin-users mailing list archives

From Charles Sprickman <sp...@bway.net>
Subject Re: URI_WPADMIN fp
Date Fri, 19 Oct 2018 19:36:30 GMT

> On Oct 19, 2018, at 10:15 AM, Paul Stead <paul.stead@zeninternet.co.uk> wrote:
> 
> Can't comment on the score - hacked Wordpress sites often have bits hosted in
> 
> * wp-admin

Yes.

> * wp-content

Yes and no.

Everything that a user uploads for their site lives under wp-content, so any rule triggering
on that part of the URL would be a mistake.

The tree looks like this:

/wp-content/themes/ - this is where website themes (think templates) live. You will see css
and js from this directory or subdirectories, also in some cases images (icons and the like)
/wp-content/plugins/ - this is where WP plugins (gobs of code that add some specific functionality
to the site) live. Similar to themes, you’ll generally see css and js there, and possibly some
images
/wp-content/uploads/ - this is where all images/media that the webmaster uploads live. This
is where you want to be strict with any URL matching rules.  You should NOT see any files
ending in .js nor .css - that’s a strong sign that the installation is compromised.

You should NOT see any files ending in .php in ANY of the above directory trees.  Themes and
plugins contain .php files, but they are NOT directly executed from outside, they are simply
included by other WP core code.  So when you see a .php file in those directories in a URL,
something is very wrong.  And you’re likely looking at a compromised account, which is likely
somehow involved in spamming or phishing.

A good webhost applies a few very simple rules that block about 99% of the WP exploits:

- PHP not even parsed under the uploads directory ENTIRELY, even for includes.  Since this
directory is ALWAYS writable by the web user, it’s where most exploits want to put their
payloads. You break nothing but exploits by disallowing php execution there. Similarly, you
block no good email by nuking any URL that ends in .php and lives under that directory.
- PHP not executed anywhere under /wp-content other than by includes
- /wp-admin/ only has /wp-admin/admin-ajax.php allowed for non-authenticated users. You should
never see any URL other than that from that directory.
- Only wp-content is writable by the web user (pretty rare, but doable, and very common with
“boutique” hosting)

You will have a surprisingly secure WP install with just those few simple steps above.

That’s my WP quicky for anyone writing WP rules.  If such a person is on the list and wants
to discuss, I’m super happy to do so!

Charles

> Pages within these directories are publicly accessible, but it is very unusual for a
> WP plugin to reference these URIs directly in outbound emails
> 
> 
> Paul
> 
> On 19/10/2018, 14:38, "Alex" <mysqlstudent@gmail.com> wrote:
> 
>    Hi,
> 
>    Should we be adding 3 points for just this, or is there never a reason
>    users should be using /wp-admin in their URLs?
> 
>    Oct 19 09:33:11.561 [1299] dbg: rules: ran uri rule __URI_WPADMIN
>    ======> got hit: "/wp-admin/images/"
> 
>    The rule description says possible phishing, but how would an end-user
>    be in a position to create a public link that involves their WP admin
>    directory in the first place?
> 
> 
> --
> Paul Stead
> Senior Engineer (Tools & Technology)
> Zen Internet
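The URL checks Charles describes (no .php served from anywhere under /wp-content/, no .js or .css under /wp-content/uploads/, nothing under /wp-admin/ except admin-ajax.php) as a small Python classifier; this is an added example, not code from the thread or from SpamAssassin, and the sample URLs and the example.invalid host are constructed. The regexes are written so they could be carried over into `uri` rules once they behave as expected on test URLs.

```python
import re
from urllib.parse import urlparse

# Heuristics, each mirroring a point made in the message above. Patterns are
# searched anywhere in the path so a WordPress install living in a
# subdirectory (e.g. /blog/wp-content/...) is still covered.
HEURISTICS = {
    # Theme/plugin .php files are only ever included by WP core, never fetched.
    "WP_CONTENT_PHP": re.compile(r"/wp-content/.*\.php$"),
    # uploads/ holds media only; script or stylesheet files there are a red flag.
    "UPLOADS_CODE": re.compile(r"/wp-content/uploads/.*\.(?:js|css)$"),
}
# The one /wp-admin/ endpoint legitimately reachable without logging in.
ADMIN_AJAX = re.compile(r"/wp-admin/admin-ajax\.php$")
WP_ADMIN = re.compile(r"/wp-admin/")


def classify_wp_path(url: str) -> list[str]:
    """Return the names of the heuristics the URL trips; an empty list means it
    looks like normal theme/plugin/media traffic."""
    path = urlparse(url).path.lower()  # query string and fragment are dropped
    hits = [name for name, rx in HEURISTICS.items() if rx.search(path)]
    if WP_ADMIN.search(path) and not ADMIN_AJAX.search(path):
        hits.append("WP_ADMIN_NOT_AJAX")
    return hits


# Constructed sample URLs (not taken from real mail) covering each case.
SAMPLES = {
    "http://example.invalid/wp-content/uploads/2018/10/photo.jpg": [],
    "http://example.invalid/wp-content/themes/twenty/style.css": [],
    "http://example.invalid/wp-content/plugins/slider/js/app.js": [],
    "http://example.invalid/wp-admin/admin-ajax.php?action=track": [],
    "http://example.invalid/wp-content/uploads/2018/10/x.php?id=1": ["WP_CONTENT_PHP"],
    "http://example.invalid/wp-content/uploads/cache/menu.js": ["UPLOADS_CODE"],
    "http://example.invalid/wp-admin/images/": ["WP_ADMIN_NOT_AJAX"],
    "http://example.invalid/blog/wp-content/plugins/p/x.php": ["WP_CONTENT_PHP"],
}


def run_samples() -> dict[str, list[str]]:
    """Classify every sample URL and return {url: hits}."""
    return {url: classify_wp_path(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, hits in run_samples().items():
        print(f"{url:70} {'suspicious: ' + ','.join(hits) if hits else 'ok'}")
```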

