WordPress automatic upgrade plugin – security hole?

I just found out about a new plugin for WordPress that allows you to upgrade your WordPress installation semi-automatically.

The plugin is a regular WordPress plugin that you install into the plugins directory of your WordPress installation. It can then be run either fully automatically or semi-automatically (by clicking "next" for each step) to upgrade your WordPress to the latest version.

It is still in beta, but it seems to do the trick.

However, a glaring security loophole is that it backs up your current WordPress files and your database and copies them all into a folder in the web root called wpau-backup. It is up to you to remove them afterwards by clicking a "clean" button.

If you do not do this, or something goes wrong partway through the upgrade, a dump of your entire SQL database plus your configuration files (including wp-config.php, which holds the database credentials) are sitting in a web-accessible folder, there for the taking by anybody who looks for them.
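As an added example (not code from the original post or from the plugin), here is a small audit script an administrator could run on the server itself to find leftover wpau-backup folders under the document root, list the database dumps and wp-config.php copies inside them, and check whether an .htaccess already blocks web access; it can also drop a deny rule into the folder as a stopgap until the backup is deleted. The file-name patterns and the sample tree it builds are assumptions constructed for the demonstration, not the plugin's actual layout.

```python
"""Audit a WordPress document root for leftover wpau-backup folders.

Added example, not part of the original post or of the plugin. It walks a
document root, finds every directory named wpau-backup, lists the sensitive
files inside it (SQL dumps and wp-config.php copies) and reports whether an
.htaccess in that directory denies web access. The tree built by
build_sample_tree() is constructed here purely for demonstration.
"""
import os
import re
import sys
import tempfile

BACKUP_DIR = "wpau-backup"
# What to flag inside a leftover backup: database dumps and the WordPress
# config (it holds the database credentials). These patterns are an
# assumption about what such a backup contains, not the plugin's file list.
SENSITIVE = re.compile(r"(\.sql(\.gz|\.zip)?$|^wp-config\.php$)", re.IGNORECASE)
# Blanket deny rules in Apache 2.4 ("Require all denied") or 2.2 ("Deny from all").
DENY_RULES = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$",
                        re.IGNORECASE | re.MULTILINE)
HTACCESS_DENY = """<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
"""


def htaccess_denies(directory):
    """True if an .htaccess in `directory` contains a blanket deny rule."""
    try:
        with open(os.path.join(directory, ".htaccess"), encoding="utf-8",
                  errors="replace") as fh:
            return bool(DENY_RULES.search(fh.read()))
    except OSError:
        return False


def audit(docroot):
    """Return one finding per wpau-backup directory under docroot.

    Each finding is a dict with path (relative to docroot), abs_path,
    sensitive (relative file names, '/'-separated, sorted) and protected.
    An empty list means no backup folder was found.
    """
    findings = []
    for root, dirs, _files in os.walk(docroot):
        if BACKUP_DIR not in dirs:
            continue
        dirs.remove(BACKUP_DIR)  # inspected below; don't walk it twice
        backup = os.path.join(root, BACKUP_DIR)
        sensitive = []
        for sub, _d, files in os.walk(backup):
            for name in files:
                if SENSITIVE.search(name):
                    rel = os.path.relpath(os.path.join(sub, name), backup)
                    sensitive.append(rel.replace(os.sep, "/"))
        findings.append({
            "path": os.path.relpath(backup, docroot).replace(os.sep, "/"),
            "abs_path": backup,
            "sensitive": sorted(sensitive),
            "protected": htaccess_denies(backup),
        })
    return findings


def lock_down(backup):
    """Write an .htaccess denying all web access to `backup`.

    Only effective if the server honours .htaccess (AllowOverride) and is
    Apache; the real fix is still to delete the folder.
    """
    with open(os.path.join(backup, ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write(HTACCESS_DENY)


def build_sample_tree(with_backup=True):
    """Constructed sample document root (demonstration only, not real data)."""
    docroot = tempfile.mkdtemp(prefix="wp-docroot-")
    open(os.path.join(docroot, "index.php"), "w").close()
    if with_backup:
        backup = os.path.join(docroot, BACKUP_DIR)
        os.makedirs(os.path.join(backup, "files"))
        for rel in ("database.sql", "files/wp-config.php", "files/readme.html"):
            open(os.path.join(backup, *rel.split("/")), "w").close()
    return docroot


def main(argv):
    docroot = argv[1] if len(argv) > 1 else build_sample_tree()
    findings = audit(docroot)
    if not findings:
        print(f"no {BACKUP_DIR} directory under {docroot}")
        return 0
    for f in findings:
        state = "blocked by .htaccess" if f["protected"] else "WEB-ACCESSIBLE"
        files = ", ".join(f["sensitive"]) or "none"
        print(f"{f['path']}: {state}; sensitive files: {files}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_wpau.py /var/www/html`; with no argument it audits the constructed sample tree, which reports the backup folder as web-accessible with `database.sql` and `files/wp-config.php` inside. A non-zero exit means something was found, so it can be dropped into a cron job.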

I can understand the plugin providing a backup, but the folder should either be emptied automatically at the end of the upgrade or not be created at all. Even an empty folder leaves a trace that this plugin is installed, and Google is indexing these folders as well.

An alternative would be to zip up these backups with a password that the user must supply when activating the backup. It would provide at least a measure of security, since zipped files are not so easy to read without the password, although legacy ZIP encryption is weak and should not be mistaken for real protection. The plugin could also mark the directory as not to be indexed by Google (via robots.txt or a noindex header) and, better still, write the backup somewhere outside the web root so it is never reachable over HTTP at all.

A quick Google search for "wpau-backup" turns up a disturbing number of sites that have this folder in their root path, as well as a few messages from people who were being linked to from these backup folders and wondered whether either the plugin or the backup had been hacked.

Also, quite a few of those have apparently either been hacked or have badly configured their Apache web server, as you can simply click on "Parent Directory" and go up to the root of the server.
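Both the fix the earlier paragraphs ask for (keeping the wpau-backup folder and its database dump off the web, and out of search engines) and the misconfiguration just described (directory listings that let a visitor walk up to the server root) can be addressed in the Apache configuration. This is an added example, not configuration from the original post or from the plugin; the DocumentRoot path is an assumption, adjust it to your own site.

```apache
# Added example (not from the original post or the plugin).
# Assumes Apache 2.4 with mod_authz_core and mod_headers loaded, and a
# site rooted at /var/www/html.

<Directory "/var/www/html">
    # No auto-generated "Index of /" pages anywhere under the site, so a
    # stray folder cannot be browsed and "Parent Directory" goes nowhere.
    Options -Indexes
</Directory>

# Deny every request that targets a wpau-backup directory, wherever it sits.
<DirectoryMatch "/wpau-backup">
    Require all denied
</DirectoryMatch>

# Belt and braces: a database dump should never be served, whatever
# folder it ended up in.
<FilesMatch "\.sql(\.gz|\.zip)?$">
    Require all denied
</FilesMatch>

# If something under that path does get served anyway, at least tell
# crawlers not to index it (Google honours the X-Robots-Tag header).
<LocationMatch "/wpau-backup">
    Header set X-Robots-Tag "noindex, nofollow"
</LocationMatch>
```

On Apache 2.2 the deny rules are spelled `Order deny,allow` followed by `Deny from all` instead of `Require all denied`. The same `Options -Indexes` and deny rules can go into an `.htaccess` inside wpau-backup if the server's `AllowOverride` permits it. None of this replaces actually deleting the backup once the upgrade has succeeded; it only limits the damage while the folder exists.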

I'm thinking hacked, because I find pieces of WordPress installations all over, but nothing like an index.php file. A few of them have heaps of directories that link to other servers or other DNS names and seem to exist only to show you adverts.

I’m quite happy that my NoScript plugin was working, I don’t trust any of these sites…
