
Bots Looking for Backups of wp-config.php

Here’s a new attack that occurred this afternoon: bot networks are searching for backup copies of wp-config.php. They searched for these four files on the root level of one of my web sites.

  • wp-config.phpbak
  • wp-config.php-bak
  • wp-config.phpBAK
  • wp-config.php-BAK

The probes came from these four IP addresses, all within one minute of one another:

  • 91.217.66.227 – Ukraine, no rDNS
  • 151.0.9.230 – Ukraine, no rDNS
  • 193.106.65.146 – Ukraine, 193-106-65-146.vega-tv.com.ua.
  • 88.252.179.61 – Turkey, no rDNS

You should do two things:

  1. Search your site’s root directories for old “backup” copies of your site’s configuration files. If you find any, remove them. You may want to consider removing wp-config-sample.php as well, if it exists. Heck, remove readme.html and license.html too. There is no reason for those files to be available on your web site.
  2. If your web server and host support it, move your wp-config.php file up one directory, out of your public web site. So if your WordPress installation is in /var/www/html/example.com/, move wp-config.php into the html directory, not the example.com directory. This should take the configuration file out of the publicly served directory.
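
The two steps above as a check you can run against a web root. This is an added example, not part of the original post. It goes beyond the four probed names and flags any top-level wp-config* file other than the live wp-config.php; the function names are hypothetical, and it assumes a find that supports -maxdepth and -iname (GNU or BSD).

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes GNU or BSD find (-maxdepth and -iname are not in POSIX).

# find_wp_leftovers DIR
# Print, one per line, files at the top level of DIR that should not be served:
#   - anything named wp-config* except the live wp-config.php
#     (.phpbak, .php-bak, .php.bak, .txt, editor swap files, the sample file)
#   - readme.html and license.html
# Matching is case-insensitive because the probes used both "bak" and "BAK".
find_wp_leftovers() {
    find "${1:?usage: find_wp_leftovers DIR}" -maxdepth 1 -type f \
        \( -iname 'wp-config*' -o -iname 'readme.html' -o -iname 'license.html' \) \
        ! -name 'wp-config.php' | LC_ALL=C sort
}

# config_in_webroot DIR
# Succeed if the live wp-config.php still sits inside DIR (step 2 not applied).
config_in_webroot() {
    [ -f "${1:?usage: config_in_webroot DIR}/wp-config.php" ]
}

# audit_wp_root DIR
# Print what needs attention; return 1 if anything was found, 0 if clean.
audit_wp_root() {
    root=${1:?usage: audit_wp_root DIR}
    status=0
    leftovers=$(find_wp_leftovers "$root")
    if [ -n "$leftovers" ]; then
        printf 'Remove from %s:\n%s\n' "$root" "$leftovers"
        status=1
    fi
    if config_in_webroot "$root"; then
        printf 'Consider moving %s/wp-config.php up one directory\n' "$root"
        status=1
    fi
    return "$status"
}
```

Source the file and call `audit_wp_root` with your own web root as the argument; nothing is deleted or moved, it only reports.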

Followup: September 30th, 2012: Just had a few new probes for wp-config.txt from 88.74.117.9, dslb-088-074-117-009.pools.arcor-ip.net, Germany.

2 Comments

  1. Clint says:

    Boy, this type of thing just sucks! Crooks, all of them.

  2. lucia says:

    Add this version to your list.
    wp-config.php.bak