Back
WordPress malware upload

How To Protect Site From Malware Upload By File Upload Form

Statistics show that file upload vulnerabilities are WordPress’s third most common vulnerability type. Hackers will often use file upload vulnerabilities to spread malware, gain access to web servers, perform attacks on visitors to a website, host illegal files and much more.

This guide will identify the risk factors of having unrestricted file uploads before explaining the most common types of file upload vulnerabilities. Finally, we’ll explain how to secure the WordPress file upload system.

What are the risk factors of unrestricted file uploads?

There are many risk factors associated with unsecured file upload systems including:

Server-side attacks

If a hacker successfully places an executable file on your server, they may use it to launch server-side attacks. For example, if they upload a web shell, they may use it to take control of certain parts of your web server. Exploiting file upload vulnerabilities also allows hackers to place trojan horses, viruses, and other malicious files on your website.

Triggering vulnerabilities in server applications or libraries

Uploading a malformed file or one which masquerades as a different file type might trigger a vulnerability in certain pieces of server software. One well-known attack exploited a vulnerability in the image processing software ImageMagick. Hackers discovered they could execute arbitrary code by hiding it inside image files that would be processed by ImageMagick. This would potentially allow the hacker to take control of the server.

Hackers may also upload files to trigger vulnerabilities in real-time monitoring software. There was a recent vulnerability in Symantec antivirus software that could be triggered by uploading a RAR file. Triggering this vulnerability could result in memory corruption on the server, potentially crashing certain programs or the server itself. Hackers could also use this file upload exploit to crash the real-time security monitoring, then perform another kind of attack.

Client-side attacks

Uploading certain types of malicious files can make a WordPress website vulnerable to client-side attacks like cross-site content hijacking and XSS attacks. Hackers might also be interested in uploading files that trigger vulnerabilities in the libraries or applications used by end-user devices. For example, there was a vulnerability in iPhones which caused a buffer overflow in LibTIFF.

Causing an administrator or webmaster to execute code

Malicious files including Windows viruses, Unix shell scripts and Excel files may be uploaded if there are unrestricted file uploads. A server administrator or webmaster might discover these files, then open them to determine what they are — executing the code and allowing malware onto your server.

Hackers might be able to deface the website

If your website publishes user-uploaded content, allowing unrestricted file uploads may result in your website being defaced or used for a phishing attack.

The website’s file storage system may be abused

Hackers often target unsecured file upload systems to store troublesome files. These files might include illegal software downloads, pornographic material, stolen intellectual property, malware, or data used by criminal organisations.

Hackers can learn more about the server

An incorrectly secured file upload form may display error messages that give hackers information about the server’s configuration. This information might include file paths or folder permissions.

Causing denial of service attacks

Unsecured file upload forms may allow hackers to upload extremely large files or hundreds of files at once — performing a denial of service attack.

Types of file upload vulnerabilities

The most common types of file upload vulnerabilities include:

Unrestricted file upload with the dangerous type

This vulnerability occurs in systems where any type of file can be uploaded to the server. It also occurs when the file type is not adequately verified by the server. This vulnerability could allow cybercriminals to upload any kind of executable file to the server.

In some cases, website owners might check the file extension of an uploaded file, but fail to verify that it matches the contents of the file which has been uploaded. This allows executable code to be hidden within files with different extensions.

To avoid this vulnerability, the application must thoroughly check the files that are being uploaded and remove file types that can cause damage to the server. The application should not rely solely on Content-Type HTTP header information when checking file types, but instead, use more detailed file checking processes.

Arbitrary file uploads

This vulnerability is created when a user is allowed to upload a file without being authenticated by the application. The ability to upload should be restricted to authenticated users to prevent malicious individuals from uploading random files to your server. Allowing arbitrary file uploads also puts your site at greater risk of a denial of service attack.

Uncontrolled resource consumption

Applications should place restrictions on the size of files that can be uploaded and the number of files that can be uploaded. Failure to do so can allow users to upload very large files or thousands of small files simultaneously, performing a DOS attack.

Files containing malware

If a website is parsing or inserting data from within an uploaded file, it may be vulnerable to files containing malware. This type of attack often uses SQL injection attacks or attempts to get the system to run another arbitrary piece of code.

Protecting your WordPress website against file upload vulnerabilities

Here are some simple steps you can take to protect your website against file upload vulnerabilities.

Only allow specific file extensions

By default, WordPress allows registered users to upload many types of files. This includes various types of image, audio, video, and document files. You can reduce the types of files that users can upload by installing a plugin like WP Upload Restriction.

Use a WordPress form plugin that is secure

If you intend to accept file uploads on your WordPress website, choose a well-known file upload plugin that has excellent security. At a minimum, the plugin should safeguard your form against common form attacks like Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks.

Webmasters can also install a WordPress plugin that has real filetype detection, MIME analysis mapping, SVG sanitisation and a file upload debugger. Such plugin makes it easier to validate files and to create a whitelist of accepted MIME file types.

Reduce max file upload size

Preventing users from uploading large files will reduce the risk of your file upload system being used for a DoS attack. There are multiple ways to alter maximum file upload size. The technique that works for you will vary based on your server configuration and permissions.

If you have complete control over your server environment, you can alter the php.ini file to change the allowed size of file uploads. Open your web server’s php.ini file and alter the upload_max_filesize and post_max_size directives. Once they have been updated, restart your HTTP server.

The snippet below will change the maximum upload size to 4 megabytes. You might also like to include alter the max_execution_time directive, which rejects an upload if it has taken too long to process. Some web servers will also allow you to create a php.ini file in your website’s home directory.

upload_max_filesize = 4M
post_max_size = 4M
max_execution_time = 120

Adding php upload values to your .htaccess

Some web servers will also allow you to adjust PHP file upload settings via the .htaccess file in your WordPress installation’s root directory. Add the following to change upload sizes and max execution/input times:

php_value upload_max_filesize 4M
php_value post_max_size 4M
php_value max_execution_time 120
php_value max_input_time 120

Only allow authorised users to upload files

By default, WordPress doesn’t allow public users to upload files. However, many WordPress administrators install plugins that contain file upload fields. This is a potential vulnerability because you are relying on the developer of that plugin to handle this content safely. Your website will be safer by only allowing certain types of registered users to upload files.

If you need a form with an upload field to only be displayed to certain users, use a plugin similar to Restrict Content. It will allow you to restrict pages and portions of pages to certain types of users.

Add file execution restrictions using .htaccess

You can create a .htaccess file that restricts the types of files that can be executed from the uploads directory. For example, the following .htaccess will only allow gif, jpeg, jpg, and png files to be executed:

deny from all
order deny,allow
allow from all

This .htaccess must not be placed into the wp-content/uploads directory, because hackers could potentially overwrite it by uploading another file called .htaccess. Place it in the directory above the uploads wp-content/uploads folder.

Place your uploads folder outside of the server root

Creating a new folder for storing uploads can also help to improve file security. This folder should be created outside of your website’s public directory so hackers cannot manually execute the files they have uploaded via a website URL. Read this short guide to learn how.

Randomise uploaded file names

Once hackers have managed to upload an executable file to your server, they may attempt to execute it using a web browser or command line. One simple trick from preventing hackers running their file is to randomly rename it. You can read this short guide to learn how to randomise uploaded file names in WordPress.

Don’t give information away

If a user uploads a file that triggers an error, make sure WordPress and PHP only display a very simple error message. Avoid displaying sensitive information like file paths, WordPress installation details, or server configuration information. This information could be exploited by a hacker. Hackers will use many different techniques to obtain error messages from your website including uploading files that are the wrong format, too large, or which have a very long filename.

Add a CAPTCHA to your forms

Adding WordPress CAPTCHA plugin to your site prevents cybercriminals from using your forms for DoS attacks.

Force uploads to be delivered in the correct file format

One of the biggest problems with handling uploads in is that hackers can hide executable code within image file formats. You can overcome this issue by forcing the web server to send the correct image headers before you display an image on your website. For example, the following will force the image to be displayed as a png, ignoring any executable code:

$data = file_get_contents(‘/home/potentially-dangerous-file.png’);
header('Content-Type: image/png');
header('Content-Length: '. strlen($data));
header('X-Content-Type-Options: nosniff');
echo $data;

You can also process uploaded images using image manipulation software like GD. By opening the image and re-saving it, you will remove any executable content.

Use a virus scanner on your server

Server-side virus scanners can detect file uploads that contain malware, trojans and viruses. The most common application for this task is ClamAV, an open source antivirus engine. Make sure it is configured to automatically scan uploads that are added to your web server.

Darius S.

Similar Posts

WordPress 5.0 to 5.0.1

WordPress 5.0 and its vulnerabilities found in the first week of release

The long awaited WordPress version 5.0 has finally become available from the 2018 December 6. Some users waited for this version with ...

WordPress Security category

WordPress security and performance – two closely related subjects

WordPress security and WordPress performance are two main topics that bother website owners every day. Everyone wants a fast and secure ...

WordPress site hacked after restore

My WordPress website got hacked after restore. Again! Why?

Quite often we hear about the repeated security incidents related to WordPress sites. This is not something specific to WordPress sites, ...

2 Comments

Michael Greene

new beginning for me any advise?

Darius S.

Hello Michael, how can we help you? What troubles or questions do you have regarding WordPress security? We will be glad to answer all your questions.

Comments are closed.