Like any piece of software used by millions of people, WordPress is subject to a lot of potential security problems. Most security issues can be closed with a simple update (the WordPress team is relatively good at patching holes and flaws), but sometimes issues arise that aren't as clear cut. Like any good website manager, you must always keep your ear to the ground when white-hat hackers and security researchers publish findings about flaws in systems, especially WordPress. While it's impossible to keep attackers out of your website 100% of the time, you certainly don't have to make it easy for them.

What was found

RIPS Tech, a PHP security firm, found a flaw in WordPress back in November where a user with a certain privilege level can essentially take control of your website by deleting a WordPress core file, wp-config.php.

How does it happen?

First, the attacker needs a user account on your WordPress installation, whether a pre-existing account they have gained access to or one they created themselves. The account must be at the Author level or above, which grants the ability to upload new media and edit existing items in the media library. The malicious user then uses a media item to target wp-config.php: the item's metadata (its thumbnail entry, the value the fix below sanitizes) is pointed at wp-config.php rather than at a real thumbnail, and when the media item is deleted, WordPress' own media library deletes the referenced file along with it. Since wp-config.php houses all of your setup information (i.e. your website URL, where your database is, and anything else you add to this file), by deleting and re-creating this file a malicious user can take control of your website and use it to serve their own content.

How can it be stopped?

RIPS Tech supplied code that can be appended to the current, active theme’s functions.php file. The code is meant to serve as a temporary fix until WordPress can patch the issue. The code is:

// Temporary fix from RIPS Tech: strip any directory components from the
// 'thumb' entry of attachment metadata before it is saved, so a crafted
// value such as "../../wp-config.php" becomes just "wp-config.php" and
// can no longer point outside the uploads directory.
add_filter( 'wp_update_attachment_metadata', 'rips_unlink_tempfix' );

function rips_unlink_tempfix( $data ) {
    if ( isset( $data['thumb'] ) ) {
        // basename() keeps only the file-name part of the path.
        $data['thumb'] = basename( $data['thumb'] );
    }

    return $data;
}
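As an added example (not the RIPS Tech snippet and not WordPress core code), a stricter variant of the same filter: it re-checks the value after basename(), rejects anything that still contains a slash or backslash (basename() only treats "/" as a separator on Linux), and drops the 'thumb' key entirely when it cannot be made safe. It is written as a stand-alone file, for instance a must-use plugin under wp-content/mu-plugins/, and the function names are hypothetical.

```php
<?php
// Added example, not the RIPS Tech snippet or WordPress core code.
// Same hook as the temporary fix, but the sanitised value is checked again
// after basename(), and the 'thumb' key is dropped when it cannot be made
// safe (at worst a stale thumbnail file is left behind on disk).
// Function names are hypothetical; intended for sites still below 4.9.7.

/**
 * Return a plain thumbnail file name, or null if $thumb cannot be trusted.
 */
function example_safe_thumb_name( $thumb ) {
    if ( ! is_string( $thumb ) || $thumb === '' ) {
        return null;
    }
    // basename() strips directory components, but on Linux it only treats
    // "/" as a separator, so backslashes are rejected explicitly below.
    $name = basename( $thumb );
    if ( $name === '' || $name === '.' || $name === '..' ) {
        return null;
    }
    if ( strpbrk( $name, "/\\" ) !== false ) {
        return null;
    }
    return $name;
}

/**
 * Filter callback for 'wp_update_attachment_metadata'.
 */
function example_thumb_tempfix( $data ) {
    if ( is_array( $data ) && isset( $data['thumb'] ) ) {
        $name = example_safe_thumb_name( $data['thumb'] );
        if ( null === $name ) {
            unset( $data['thumb'] ); // never let a path reach the delete routine
        } else {
            $data['thumb'] = $name;
        }
    }
    return $data;
}

if ( function_exists( 'add_filter' ) ) {
    add_filter( 'wp_update_attachment_metadata', 'example_thumb_tempfix' );
} else {
    // Stand-alone check outside WordPress, using a constructed metadata array.
    $sample = array( 'file' => '2018/06/photo.jpg', 'thumb' => '../../wp-config.php' );
    var_dump( example_thumb_tempfix( $sample ) ); // 'thumb' is reduced to 'wp-config.php'
}
```

Run outside WordPress, the final var_dump() shows the traversal reduced to a bare file name that can only resolve inside the uploads directory.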

For more information about this exploit including a video of the exploit and how it works, please visit RIPS Tech’s blog post.

Update: 7/5/18: WordPress 4.9.7 Addresses This

WordPress 4.9.7 is being pushed to all sites and addresses this exploit. The release notes state:

WordPress versions 4.9.6 and earlier are affected by a media issue that could potentially allow a user with certain capabilities to attempt to delete files outside the uploads directory. Thank you to Slavco for reporting the original issue and Matt Barry for reporting related issues.
