The Revolution Slider hack nuked my sites!

Back in December 2014 one of the WordPress websites I developed and manage got hacked. This resulted in all the files being deleted on the web server, effectively nuking the site. Thankfully I was able to restore the site to its state before the hack using daily backups of the files and database. I got rid of all malicious files, updated all the plugins, and put the hack down to an unidentified outdated plugin.

After a few weeks the site was hacked and effectively nuked a second time, and I realised a stronger approach was required to deal with the problem. This time, after restoring everything, I updated every single plugin on this site and on all sites on the same server, changed the CMS and database passwords, and installed a security plugin. I thought I had nailed it, but unfortunately within days I noticed my web server usage quota had dropped, and I received warning notifications from Google Webmaster Tools about a high number of 404 errors. I also noticed a huge number of randomly named .php files in almost every public directory of the entire cPanel account, which hosted multiple sites. I was very worried, but then realised that I was using the Revolution Slider plugin on the main site and was aware of a vulnerability in that plugin. I had applied all the obvious updates, and the security plugin I was using, Wordfence, is meant to protect against this specific threat, so at first I thought I was covered.

After investigating the Revolution Slider vulnerability the penny dropped. The plugin was bundled as part of a theme I was using, and because it is a premium plugin that the theme developer purchased, it does not update automatically unless I update the whole theme. The problem with this site is that updating the theme breaks it unless I do major work. I wasn't sure this was the root cause, especially as Wordfence is supposed to offer protection, but I felt I should focus on this point. I was able to update just the Revolution Slider plugin by reinstalling an updated version of the theme on a new site, which downloads the latest Revolution Slider plugin on installation. I then disabled Revolution Slider on the main site, backed up and deleted its files from the wp-content/plugins directory, and copied the newly downloaded files from the new installation to the main site. After re-enabling the plugin on the main site it showed as updated to the latest version. Ever since I did this the site has not been compromised, so the problem is fixed. I also had to change all database and WordPress passwords to be fully protected. I learned that even though Wordfence claims to protect old versions of Revolution Slider from this vulnerability, it does in fact leave it vulnerable to some degree.

To understand why this is a real issue we must look at what the vulnerable plugin exposes. First, it lets anyone find out whether you have Revolution Slider installed and whether your version is vulnerable, because the plugin information file that contains the version number sits in a common location on every WordPress site. Second, anyone can download the wp-config.php file by entering a simple URL query string. That file holds the full database login credentials, which allows a hacker to access files on the server and also makes it possible to identify the WordPress administrator password. This is the most serious security hole of the three. Lastly, the main issue is that this has caught a huge number of site owners, because Revolution Slider is a premium plugin that gets bundled in themes. Since it is not publicly available it does not update automatically, and worse, it gives little indication that updates are available. All in all it is a complete disaster for a very large percentage of the WordPress community, as Revolution Slider is used extensively in premium themes. I don't have figures, but to put things into perspective, out of the handful of people I know who host WordPress sites, three of them and I have all been affected.
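The first two points above (the version probe and the wp-config.php download through a query string) leave traces in the web server access log, which is the first place to look when a site shows the symptoms described earlier. The following Python script is an added example, not part of the original post, that scans Apache/Nginx combined-format log lines for those traces and counts, per client, how many such requests were answered with a 2xx status. The log lines, the IP addresses and the parameter name SOME_PARAM are constructed placeholders, and the path in PLUGIN_INFO_PATH is an assumption about where the plugin keeps its information file.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample in Apache "combined" log format. The IPs, timestamps and
# the parameter name SOME_PARAM are placeholders standing in for whatever
# parameter a vulnerable handler reads; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2015:03:14:07 +0000] "GET /wp-content/plugins/revslider/revslider.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2015:03:14:09 +0000] "GET /wp-admin/admin-ajax.php?SOME_PARAM=../wp-config.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2015:03:14:12 +0000] "GET /wp-admin/admin-ajax.php?SOME_PARAM=..%2F..%2Fwp-config.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2015:03:20:41 +0000] "GET /about/ HTTP/1.1" 200 8190 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2015:03:20:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed location of the plugin's information file (the file whose header
# carries the version number); adjust to match the actual install.
PLUGIN_INFO_PATH = "/wp-content/plugins/revslider/revslider.php"


def classify_request(ip, url, status):
    """Return (ip, url, status, reason) findings for a single request line."""
    findings = []
    parts = urlsplit(url)
    if parts.path == PLUGIN_INFO_PATH:
        findings.append((ip, url, status, "version probe of plugin info file"))
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; catch double-encoding too
        if "wp-config.php" in decoded.lower():
            findings.append((ip, url, status, "wp-config.php requested via query string"))
        elif "../" in decoded or "..\\" in decoded:
            findings.append((ip, url, status, "directory traversal in query string"))
    return findings


def scan_log(text):
    """Scan log text; return all findings plus per-IP counts of 2xx-answered hits."""
    findings = []
    success_by_ip = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line (different log format); skip it
        ip, url, status = m.group("ip"), m.group("url"), int(m.group("status"))
        hits = classify_request(ip, url, status)
        findings.extend(hits)
        # A suspicious request that the server answered 2xx is the case that
        # matters: the file was most likely served, so credentials are exposed.
        if hits and 200 <= status < 300:
            success_by_ip[ip] = success_by_ip.get(ip, 0) + 1
    return findings, success_by_ip


if __name__ == "__main__":
    found, by_ip = scan_log(SAMPLE_LOG)
    for ip, url, status, reason in found:
        print("%-14s %3d %-60s <- %s" % (ip, status, url, reason))
    for ip, n in by_ip.items():
        print("%s: %d suspicious requests answered 2xx; rotate DB and WP passwords" % (ip, n))
```

In practice the script is pointed at the real access log (for example by reading `/var/log/apache2/access.log` into `scan_log`). A 2xx answer to a request whose query string names wp-config.php is the signal that the credentials are already out, which is why the post's remedy of changing every database and WordPress password is not optional once such a line is found.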

If you use or have used any WordPress premium themes, especially from Envato, I recommend checking whether Revolution Slider is installed. If so, make sure you are using version 4.x.x or later and you should be fine; otherwise upgrade as soon as possible.
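The following Python script is an added example, not from the post, that automates the two local checks a site owner would run after reading this: it reads the version from the plugin's header file and compares it against the 4.x.x threshold, and it lists .php files under wp-content/uploads, where WordPress never places any (the "random .php files" seen earlier on the post). The plugin slug `revslider`, the file name `revslider.php` and the standard WordPress plugin header layout are assumptions; the demo directory tree is constructed on the fly so the script runs without a real install.

```python
import os
import re
import tempfile

# Assumptions, not from the post: the plugin lives under the slug "revslider"
# and its main file carries a standard WordPress plugin header ("Version: x.y.z").
PLUGIN_MAIN_FILE = os.path.join("wp-content", "plugins", "revslider", "revslider.php")
MIN_SAFE_VERSION = (4, 0, 0)          # the post's threshold: 4.x.x or later
# Directories where WordPress itself never writes PHP; any .php there is suspect.
NO_PHP_DIRS = [os.path.join("wp-content", "uploads")]
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\d+(?:\.\d+)*)",
                        re.MULTILINE | re.IGNORECASE)


def parse_version(text):
    """'4.6.5' -> (4, 6, 5); tuples compare correctly where raw strings do not."""
    return tuple(int(p) for p in text.split("."))


def plugin_version(wp_root):
    """Return the version tuple, () if the header is unreadable, None if not installed."""
    path = os.path.join(wp_root, PLUGIN_MAIN_FILE)
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)          # WordPress reads only the first 8 KB for headers
    m = VERSION_RE.search(head)
    return parse_version(m.group(1)) if m else ()


def revslider_status(wp_root):
    """Human-readable verdict for the Revolution Slider install under wp_root."""
    v = plugin_version(wp_root)
    if v is None:
        return "not installed"
    if not v:
        return "installed but version unreadable: treat as vulnerable"
    label = ".".join(str(p) for p in v)
    if v < MIN_SAFE_VERSION:
        return "vulnerable: version %s is below 4.0.0, update now" % label
    return "ok: version %s" % label


def stray_php_files(wp_root):
    """List PHP files (relative, '/'-separated) under directories that should hold none."""
    stray = []
    for rel in NO_PHP_DIRS:
        for dirpath, _, files in os.walk(os.path.join(wp_root, rel)):
            for name in files:
                if name.lower().endswith((".php", ".phtml", ".php5", ".phar")):
                    full = os.path.relpath(os.path.join(dirpath, name), wp_root)
                    stray.append(full.replace(os.sep, "/"))
    return sorted(stray)


def make_demo_tree(version="3.0.95", with_stray=True):
    """Build a constructed, throwaway WordPress-like tree for demonstration only."""
    root = tempfile.mkdtemp(prefix="wpdemo_")
    if version is not None:
        plugin = os.path.join(root, PLUGIN_MAIN_FILE)
        os.makedirs(os.path.dirname(plugin))
        with open(plugin, "w", encoding="utf-8") as fh:
            fh.write("<?php\n/*\nPlugin Name: Slider Revolution\nVersion: %s\n*/\n" % version)
    uploads = os.path.join(root, "wp-content", "uploads", "2015", "01")
    os.makedirs(uploads)
    open(os.path.join(uploads, "photo.jpg"), "wb").close()
    if with_stray:
        with open(os.path.join(uploads, "x9k2.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php /* constructed stand-in for a dropped file */ ?>\n")
    return root


if __name__ == "__main__":
    root = make_demo_tree()           # in practice: the real document root
    print("Revolution Slider:", revslider_status(root))
    for f in stray_php_files(root):
        print("unexpected PHP file:", f)
```

Because a theme-bundled copy of the plugin never shows an update notice, this check is worth scheduling (for example from cron) rather than running once; the uploads scan doubles as a cheap early warning that something has already written files where only media should be.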