Preventing WordPress Setup Attacks

What is a WordPress Setup Attack?

Screenshot of the WordPress install screen
A WordPress setup attack is when a hacker locates a WordPress site that has not yet been configured, and quickly takes it over using a remote database and his own credentials. Then the hacker can inject any hostile code that he chooses, followed by returning the website to it’s “setup” configuration so that the user is none the wiser.

Hackers can find fresh WordPress installs within 30 minutes

At a recent security conference, a presentation was made demonstrating how a hacker can use publically available information regarding the issuance of SSL certificates to locate new hosting services. A majority of those services include WordPress websites, and in many cases the hosting provider is leaving the doors wide open for hackers to attack their customer websites. Hackers can locate these fresh installs of WordPress within 30 minutes and compromise them extremely quickly.

Hosting Providers need to protect against this attack

If a customer signs up for a “Managed WordPress” service they are expecing that everything will be taken care of for them. They aren’t being told if they don’t set up their website immediately that it could be compromised by hackers. Furthermore many of these hosting providers charge a hefty fee to restore websites after they have been compromised. Because of these things, it is the responsibility of a hosting provider to ensure that this hack is prevented.

Using WP-CLI to prevent WordPress Setup Attacks

There is a very convenient and easy to use tool to prevent this kind of situation, called WP-CLI. It is a command line tool to perform certain actions on WordPress installations. Using WP-CLI, a hosting provider can add a small script to their 1-Click Installs which provisions the WordPress site to use the appropriate database, sets up the administrator account using a strong password and username, and configures the domain name on the installation. If this is performed as part of the installation procedure it will secure the site from Setup Attacks too quickly for hackers to take advantage of. The settings can later be changed by the user in a variety of ways using back-end controls. Pride Tech Design has been using this method for several months to secure our customer websites against this vulnerability.