WordPress File Manager vulnerability—actions and advice
A “zero-day” vulnerability (one that was being exploited before a fix was available) was recently discovered in the “File Manager” plugin, which is widely used by the WordPress community. Attacks exploiting it have been directed at millions of WordPress sites so far this month.
File Manager: the plugin in question
At the beginning of September, a vulnerability in the WordPress plugin File Manager (CVE-2020-25213; versions 6.0 through 6.8 are affected) was discovered while it was already being widely exploited. The plugin lets a site administrator upload, edit and move files from the WordPress dashboard, doing in the browser what you would otherwise do with an FTP client. The vulnerability stems from a development file (an example connector script of the file-browser library bundled with the plugin) that was accidentally shipped as live PHP code, reachable by anyone who knew its URL.
Through it, an unauthenticated attacker can upload arbitrary files and execute code on the site, and thereby take control of it.
That’s why we thought it necessary to remind you of the steps to take to protect yourself, along with some best practices and more general security precautions to keep your WordPress site secure.
Be active and act now
Here are the steps you should take in response to this vulnerability:
Verify whether you use the File Manager plugin
To do that, go to the “Plugins” section of your WordPress administrative interface and look for “File Manager” (its directory name under wp-content/plugins is wp-file-manager).
If it is not installed, you are not affected by this vulnerability.
If it is, update the plugin immediately to the most recent available version
Version 6.9 of the plugin resolves this vulnerability, and any later version is fine too. Available updates are shown directly in the “Plugins” tab of the WordPress administrative interface. Deactivating the plugin is not enough, because the vulnerable file was reached directly over HTTP rather than through WordPress: either update it or delete it entirely. Once the new version is installed, your site is no longer exposed to this vulnerability. Updating does not, however, undo an attack that has already taken place: if the site ran a vulnerable version while the attacks were ongoing, look for PHP files you did not put there (especially under wp-content), review the administrator accounts, and if in doubt restore from a backup made before the attacks started.
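For agencies or anyone running more than one site, the three checks above (is the plugin installed, which version, is that version below 6.9) are easier to run from the filesystem than by logging into each dashboard. The following script is an added example, not Gandi’s or the plugin author’s code. It assumes the plugin lives in wp-content/plugins/wp-file-manager (its wordpress.org directory name) and carries the usual WordPress header block in its main PHP file; the site path in the last lines is a placeholder.

```python
"""Report whether the File Manager plugin is installed on a WordPress site and, if
so, whether it is still on a version before the fixed release 6.9.

Added example, not Gandi's or the plugin author's code. Assumes the plugin sits in
wp-content/plugins/wp-file-manager (its wordpress.org directory name) and carries
the usual WordPress header block in its main PHP file."""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

FIXED_VERSION = "6.9"
PLUGIN_SLUG = "wp-file-manager"

# Header lines look like " * Version: 6.9" or "Version: 6.9" inside the top comment
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_plugin_header(text: str) -> Optional[Dict[str, str]]:
    """Plugin Name and Version from the comment block at the top of a plugin file."""
    fields = dict(HEADER_RE.findall(text[:8192]))  # WordPress reads only the first 8 KiB
    return fields if "Plugin Name" in fields else None


def version_tuple(v: str) -> Tuple[int, ...]:
    """'6.10' -> (6, 10): numeric comparison, so 6.10 ranks above 6.9 (strings would not)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(version: Optional[str]) -> bool:
    """Any installed version below the fixed release counts as vulnerable."""
    return version is not None and version_tuple(version) < version_tuple(FIXED_VERSION)


def find_plugin(plugins_dir: Path, slug: str) -> Optional[Dict[str, str]]:
    """Locate a plugin by directory name and read the header of its main PHP file."""
    plugin_dir = plugins_dir / slug
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        header = parse_plugin_header(php.read_text(encoding="utf-8", errors="replace"))
        if header:
            return header
    return None


def file_manager_status(wp_root: str) -> Dict[str, object]:
    """The answers to the checklist for one site, read from its files."""
    header = find_plugin(Path(wp_root) / "wp-content" / "plugins", PLUGIN_SLUG)
    version = header.get("Version") if header else None
    return {"site": wp_root, "installed": header is not None,
            "version": version, "vulnerable": is_vulnerable(version)}


def scan_sites(wp_roots: Iterable[str]) -> List[Dict[str, object]]:
    """Run the check over several installs (your own sites and your customers')."""
    return [file_manager_status(root) for root in wp_roots]


if __name__ == "__main__":
    import sys
    # Placeholder default path; pass the web roots of your sites as arguments.
    for status in scan_sites(sys.argv[1:] or ["/srv/www/htdocs"]):
        flag = "UPDATE NOW" if status["vulnerable"] else "ok"
        print(f"{status['site']}: installed={status['installed']} "
              f"version={status['version']} -> {flag}")
```

The check deliberately looks at the files rather than at whether the plugin is activated in the dashboard: the vulnerable file was served directly by the web server, so a deactivated but still present copy is not safer than an active one.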
However, due to WordPress’s popularity, and the many plugins available, vulnerabilities of this type are common, and are even increasingly so. To protect yourself, we suggest following some best practices and implementing a regular security routine for your website.
Be careful when choosing WordPress plugins
One of the advantages of WordPress lies in its almost unlimited catalog of add-ons, but these plugins are not without risk.
For the plugins that you use, make sure you run the latest version of each, and check the developer’s website or changelog for recently fixed security problems.
1. Choose plugins that are regularly updated
Prefer plugins that are actively maintained and receive regular updates, and don’t overload your WordPress site with plugins that aren’t necessary: every unneeded plugin is extra attack surface, and it is good neither for your security nor for your website’s performance or its SEO. Feel free to remove any plugins you don’t use.
2. Activate snapshots on your Simple Hosting instance
Snapshots store a previous state of the files on your instance. They are useful if you need to return to an earlier state, for example after a mistake in configuring your website.
You can activate snapshots for free on Simple Hosting, from your Gandi admin space.
As a reminder, snapshots are stored in the same place as your site. For this reason, they can never replace a truly complete backup strategy, which involves storing backups off-site.
3. Regularly backup your entire Simple Hosting instance
Whatever your hosting solution, you need to have a complete backup of your data in a separate location. For a website, it’s useful to have a local copy, on your desktop for example. To be complete, the backup should consist of two elements:
Your database:
For WordPress, this is a MySQL database. It’s recommended to do a complete export of your database. This can be done via the phpMyAdmin interface that manages the MySQL database of your Simple Hosting instance. You can access phpMyAdmin from the “Administration” tab of your Simple Hosting instance. The export creates a file, by default named ‘localhost.sql’, that you can save on your computer.
If you want to rest easier, this export can also be automated on a daily basis.
Your website files:
Consider regularly copying all of your website files by connecting over sFTP, for example with FileZilla.
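The daily automation mentioned above can be a small script that does both halves of the backup (database export and a copy of the files) and then rotates old copies. The following is an added example, not Gandi’s or WordPress’s own tooling. It assumes mysqldump is available and can reach the database (on a managed host you may need to run it from the instance’s own console and copy the results off afterwards); the site name, paths, database host and user are placeholders, and the database password is expected in the MYSQL_PWD environment variable.

```python
"""Daily backup of a WordPress site to a separate location: mysqldump of the
database, tar.gz of the web root, rotation of old archives.

Added example, not Gandi's or WordPress's tooling. Assumes mysqldump can reach the
database; host, user, paths and the site name are placeholders."""
import datetime as dt
import os
import re
import subprocess
import tarfile
from pathlib import Path
from typing import Iterable, List, Tuple

# Date stamp at the end of the file names produced by backup_paths()
STAMP_RE = re.compile(r"-(\d{4}-\d{2}-\d{2})(?:-files\.tar\.gz|\.sql)$")
# Regenerated directories that are not worth archiving
DEFAULT_EXCLUDES = ("wp-content/cache", "wp-content/upgrade")


def backup_paths(dest: str, site: str, stamp: str) -> Tuple[Path, Path]:
    """(database dump, file archive) for one dated backup, e.g. stamp '2020-09-10'."""
    d = Path(dest)
    return d / f"{site}-{stamp}.sql", d / f"{site}-{stamp}-files.tar.gz"


def dump_database(sql_path: Path, host: str, user: str, database: str) -> None:
    """Full logical export, the command-line equivalent of the phpMyAdmin export.

    mysqldump reads the password from MYSQL_PWD, so it never appears on the
    command line or in the process list."""
    if "MYSQL_PWD" not in os.environ:
        raise RuntimeError("set MYSQL_PWD before running the backup")
    cmd = ["mysqldump", "--single-transaction", "-h", host, "-u", user, database]
    with open(sql_path, "wb") as out:
        subprocess.run(cmd, stdout=out, check=True)


def excluded(rel_path: str, excludes: Iterable[str] = DEFAULT_EXCLUDES) -> bool:
    """True when a path relative to the web root lies under an excluded directory."""
    rel = rel_path.strip("/")
    return any(rel == e or rel.startswith(e + "/") for e in excludes)


def archive_files(web_root: str, tar_path: Path,
                  excludes: Iterable[str] = DEFAULT_EXCLUDES) -> Path:
    """gzip tarball of the whole web root, the equivalent of a full sFTP download."""
    root = Path(web_root)

    def keep(info: tarfile.TarInfo):
        rel = info.name[len(root.name):]  # drop the top-level directory component
        return None if excluded(rel, excludes) else info

    with tarfile.open(tar_path, "w:gz") as tar:
        tar.add(root, arcname=root.name, filter=keep)
    return tar_path


def select_for_removal(names: Iterable[str], site: str, keep_days: int,
                       today: str) -> List[str]:
    """Backup file names of this site whose date stamp is older than keep_days.

    Rotation goes by the stamp in the name, not by mtime, so copying the archives
    around (rsync, a sync client, a restore) does not change which ones are kept."""
    cutoff = dt.date.fromisoformat(today) - dt.timedelta(days=keep_days)
    old = []
    for name in names:
        m = STAMP_RE.search(name)
        if name.startswith(site + "-") and m and dt.date.fromisoformat(m.group(1)) < cutoff:
            old.append(name)
    return sorted(old)


def prune_old(dest: str, site: str, keep_days: int) -> List[Path]:
    """Delete expired archives in dest and return what was removed."""
    d = Path(dest)
    names = [p.name for p in d.iterdir() if p.is_file()]
    removed = [d / n for n in select_for_removal(names, site, keep_days,
                                                 dt.date.today().isoformat())]
    for p in removed:
        p.unlink()
    return removed


def run_backup(site: str, web_root: str, dest: str, db_host: str, db_user: str,
               db_name: str, keep_days: int = 30) -> List[Path]:
    """One full backup run: dump, archive, then rotate. Schedule it daily from cron."""
    Path(dest).mkdir(parents=True, exist_ok=True)
    sql_path, tar_path = backup_paths(dest, site, dt.date.today().isoformat())
    dump_database(sql_path, db_host, db_user, db_name)
    archive_files(web_root, tar_path)
    return prune_old(dest, site, keep_days)


if __name__ == "__main__":
    # Placeholder values; point them at your own instance and an off-site destination.
    run_backup("mysite", "/srv/mysite/htdocs", "/backups/mysite",
               "localhost", "wordpress", "wordpress")
```

Keep several generations rather than a single latest copy: if a site was compromised some time before you noticed, the most recent archive may already contain the attacker’s files, and you will want one from before the attack. Test a restore of both the dump and the archive at least once, on a scratch site, before relying on them.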
4. Follow the news on the security of the tools you use
To help users stay on top of communications about security problems, most of the principal software developers have their own dedicated communication channels. If some tools have become essential for your sites and those of your customers, it’s crucial that you be alerted quickly to any potential problems.
For WordPress: https://wordpress.org/news/category/security/
Feel free to also follow us on Twitter and Facebook to be kept informed of these types of incidents.
Simple Hosting web hosting: https://www.gandi.net/en/simple-hosting
Technical documentation: https://docs.gandi.net/en/simple_hosting/