Here’s a new attack that occurred this afternoon: bot networks are searching for backup copies of wp-config.php. They searched for these four files on the root level of one of my web sites.
- wp-config.phpbak
- wp-config.php-bak
- wp-config.phpBAK
- wp-config.php-BAK
The probes came from these four IP addresses, all within one minute of one another:
- 91.217.66.227 – Ukraine, no rDNS
- 151.0.9.230 – Ukraine, no rDNS
- 193.106.65.146 – Ukraine, 193-106-65-146.vega-tv.com.ua.
- 88.252.179.61 – Turkey, no rDNS
You should do two things:
- Search your site’s root directories for old “backup” copies of your site’s configuration files. And if you find any, you need to remove them. You may want to consider removing wp-config-sample.php if it exists as well. Heck, remove readme.html and license.html too. There is no reason for those files to be available on your web site.
- If your web server and host support it, move your wp-config.php file up one directory, out of your public web site. So if your WordPress installation lives in /var/www/html/example.com/ , move wp-config.php into the html directory rather than the example.com directory. WordPress looks for wp-config.php in the directory directly above its install directory automatically, so no other change is needed. This should remove the configuration file from public view.
Follow-up, September 30th, 2012: Just had a few new probes for wp-config.txt from 88.74.117.9, dslb-088-074-117-009.pools.arcor-ip.net, Germany.
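As an added example (not the post author's code), here is a small POSIX shell script that performs both checks the post recommends against a constructed sample site directory and access log: it lists leftover wp-config copies and the other files named above, and it counts and attributes requests for the backup names seen here, the plain .bak suffix, and the wp-config.txt probe from the follow-up. The directory layout, log lines and IP addresses are constructed sample data, not real probes.

```shell
#!/bin/sh
# Added example; not from the original post. Three defender-side checks:
#   find_config_leftovers DIR : stray wp-config copies (plus wp-config-sample.php,
#                               readme.html, license.html) in the site root DIR
#   count_config_probes LOG   : requests in an Apache-style access log for the
#                               backup names seen in the post (any case) or wp-config.txt
#   probe_sources LOG         : unique client IPs that sent such requests

find_config_leftovers() {
    # Anything named wp-config* other than wp-config.php itself is a leftover.
    find "$1" -maxdepth 1 -type f \
        \( -iname 'wp-config*' ! -name 'wp-config.php' \
           -o -name 'readme.html' -o -name 'license.html' \) \
        | sed 's#.*/##' | LC_ALL=C sort
}

# Matches wp-config.phpbak, .php-bak, .php.bak, .phpBAK, .php-BAK and wp-config.txt.
PROBE_RE='"(GET|HEAD|POST) /wp-config\.(php[.-]?bak|txt) '

count_config_probes() {
    grep -Ei "$PROBE_RE" "$1" | wc -l | tr -d ' '
}

probe_sources() {
    grep -Ei "$PROBE_RE" "$1" | awk '{ print $1 }' | LC_ALL=C sort -u
}

# --- constructed sample data: documentation-range IPs, made-up timestamps ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
for f in index.php wp-config.php wp-config.php.bak wp-config-sample.php readme.html license.html; do
    : > "$SAMPLE_DIR/$f"
done
SAMPLE_LOG="$SAMPLE_DIR/access.log"
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [29/Sep/2012:14:02:11 -0400] "GET /wp-config.phpbak HTTP/1.1" 404 213 "-" "Mozilla/5.0"
192.0.2.10 - - [29/Sep/2012:14:02:12 -0400] "GET /wp-config.php-bak HTTP/1.1" 404 213 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Sep/2012:14:02:40 -0400] "GET /wp-config.phpBAK HTTP/1.1" 404 213 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Sep/2012:14:02:41 -0400] "GET /wp-config.php-BAK HTTP/1.1" 404 213 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Sep/2012:14:02:42 -0400] "GET /wp-config.php.bak HTTP/1.1" 404 213 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Sep/2012:09:15:03 -0400] "GET /wp-config.txt HTTP/1.1" 404 213 "-" "curl/7.21"
203.0.113.9 - - [30/Sep/2012:09:16:00 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF

echo "Leftover files:";  find_config_leftovers "$SAMPLE_DIR"
echo "Probe requests: $(count_config_probes "$SAMPLE_LOG")"
echo "Probe sources:";   probe_sources "$SAMPLE_LOG"
```

Point the two log functions at your real access log and the find function at your real document root to run the same checks on a live site.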
Boy, this type of thing just sucks! Crooks, all of them.
Add this version to your list:
- wp-config.php.bak