12 Jan

WordPress Theme Scanning

Noticed on one of our clients' sites that someone was scanning the theme directory for style.css files that might exist. I would imagine this is to find which themes are installed, and their version numbers (the header block at the top of each style.css states the theme name and version), which would then allow the person scanning to use a known exploit for that theme to break into the WordPress installation.

I caught this because I have the ‘Redirection’ plugin installed and set to log all accesses that result in a 404 error – usually I use this to put in redirects so the visitor does not get a ‘page not found’ message. In this instance it has helped highlight someone trying to hack the site.

Sample redirection log:

Jan 7, 2012 /wp-content/themes/vibrantcms/style.css 62.205.150.221
Jan 7, 2012 /wp-content/themes/thick/style.css 94.244.60.171
Jan 7, 2012 /wp-content/themes/therapy/style.css 117.203.9.147
Jan 7, 2012 /wp-content/themes/thejournal/style.css 46.180.211.171
Jan 7, 2012 /wp-content/themes/suitandtie/style.css 114.25.38.108
Jan 7, 2012 /wp-content/themes/sophisticatedfolio/style.css 178.125.206.36
Jan 7, 2012 /wp-content/themes/slanted/style.css 188.112.247.128
Jan 7, 2012 /wp-content/themes/royalle/style.css 41.189.48.151
Jan 7, 2012 /wp-content/themes/retreat/style.css 213.88.102.151
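One thing the excerpt shows is that every probe came from a different IP address, so a per-IP rate rule would never fire. The script below is an added example (not part of the original post and not code from the Redirection or Bad Behavior plugins) that reads log lines in the same date / path / IP shape as the excerpt and alerts when one day shows several distinct theme names being requested as style.css, regardless of how many addresses were used; it also lists any single IP that sends enough probes on its own to be worth blocking. The sample log is constructed for the example: the theme probes copy the post's entries and the /about-us line is made-up noise.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the 'Redirection' 404 log excerpt above:
# date, requested path, client IP.  The theme probes copy the post's entries;
# the /about-us line and the blank line are constructed noise.
SAMPLE_LOG = """\
Jan 7, 2012 /wp-content/themes/vibrantcms/style.css 62.205.150.221
Jan 7, 2012 /wp-content/themes/thick/style.css 94.244.60.171
Jan 7, 2012 /about-us/old-page 203.0.113.9
Jan 7, 2012 /wp-content/themes/therapy/style.css 117.203.9.147
Jan 7, 2012 /wp-content/themes/thejournal/style.css 46.180.211.171

Jan 7, 2012 /wp-content/themes/suitandtie/style.css 114.25.38.108
Jan 7, 2012 /wp-content/themes/sophisticatedfolio/style.css 178.125.206.36
"""

LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d{1,2}, \d{4})\s+(?P<path>\S+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)
# A 404 for style.css under a theme directory: that theme is not installed,
# but the request shape alone says the visitor is enumerating themes.
THEME_PROBE_RE = re.compile(r"^/wp-content/themes/(?P<theme>[A-Za-z0-9_.-]+)/style\.css$")


def parse_line(line):
    """Split one log line into date, path and ip; None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(log_text, threshold=3):
    """Count theme probes per day and per IP.

    Alerts when a single day shows `threshold` or more distinct theme names,
    whatever the source addresses, so a scan spread over many IPs (one request
    per address, as in the excerpt) is still reported.  IPs that send
    `threshold` or more probes on their own are listed separately.
    """
    themes_by_day = defaultdict(set)
    ips_by_day = defaultdict(set)
    per_ip = Counter()
    probes = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        pm = THEME_PROBE_RE.match(rec["path"])
        if pm is None:
            continue
        probes += 1
        themes_by_day[rec["date"]].add(pm.group("theme"))
        ips_by_day[rec["date"]].add(rec["ip"])
        per_ip[rec["ip"]] += 1
    alerts = []
    for day in sorted(themes_by_day):
        themes = themes_by_day[day]
        if len(themes) >= threshold:
            alerts.append({
                "day": day,
                "themes": sorted(themes),
                "ips": sorted(ips_by_day[day]),
                "distributed": len(ips_by_day[day]) > 1,
            })
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"probes": probes, "alerts": alerts, "noisy_ips": noisy_ips}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(f"{result['probes']} theme probes")
    for a in result["alerts"]:
        kind = "distributed" if a["distributed"] else "single-source"
        print(f"{a['day']}: {len(a['themes'])} themes probed from {len(a['ips'])} IPs ({kind})")
    if result["noisy_ips"]:
        print("IPs worth blocking outright:", ", ".join(result["noisy_ips"]))
```

Keyed on the request shape rather than the address, the rule catches the distributed case in the excerpt; the `noisy_ips` list covers the simpler case of one address hammering the site, which is what a per-IP blocker like Bad Behavior is better placed to stop.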

So to stop this I:

  • Installed the ‘Bad Behavior’ plugin – it knows the ways people try to hack your system and blocks them. Not sure if it would catch this particular scan, but it catches other scanners so it is always good to install.
  • Removed unnecessary themes. I always leave the current theme and one of the WordPress-installed themes (Twenty Ten/Twenty Eleven) – this way, if the main theme breaks for some reason, there is always a fallback theme, and I know these two themes are supported and maintained by WordPress. All other themes, including the earlier WordPress themes 1.5 and 1.6, are removed.
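To make the theme clean-up repeatable, here is an added example (my own script, not code from the post or from WordPress) that walks a wp-content/themes directory, reads the name and version each style.css header discloses, and marks every theme that is not the live theme or the chosen fallback for removal. It also handles the one case that trips people up: a child theme names its parent in the header's Template: field, so if you keep a child theme its parent has to stay too. The `demo()` function builds a constructed set of theme folders in a temporary directory; the theme names and versions in it are made up for the example.

```python
import os
import re
import shutil
import tempfile

# WordPress reads the theme header from the comment block at the top of
# style.css; these are the three fields this audit cares about.
HEADER_RE = re.compile(r"^\s*\*?\s*(Theme Name|Version|Template):\s*(.+?)\s*$", re.MULTILINE)


def read_theme_header(style_css_path):
    """Return the header fields found in the first 8 KB of a style.css."""
    with open(style_css_path, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    return dict(HEADER_RE.findall(head))


def audit_themes(themes_dir, keep):
    """List every theme directory with the name and version its style.css
    discloses, and mark each one 'keep' or 'remove'.

    `keep` holds the slugs to retain (the live theme plus one fallback).  A
    kept child theme needs its parent, named in the 'Template:' header, so
    parents of kept themes are retained automatically.
    """
    headers = {}
    for entry in sorted(os.listdir(themes_dir)):
        style = os.path.join(themes_dir, entry, "style.css")
        if os.path.isfile(style):  # a directory without style.css is not a theme
            headers[entry] = read_theme_header(style)
    keep = set(keep)
    for slug in list(keep):
        parent = headers.get(slug, {}).get("Template")
        if parent:
            keep.add(parent)
    return [
        {
            "slug": slug,
            "name": hdr.get("Theme Name", "?"),
            "version": hdr.get("Version", "?"),
            "action": "keep" if slug in keep else "remove",
        }
        for slug, hdr in headers.items()
    ]


def demo():
    """Build a constructed themes directory in a temp folder, audit it, clean up."""
    samples = {  # constructed theme headers for the example, not real themes
        "mytheme": "/*\nTheme Name: My Theme\nVersion: 2.1\n*/\nbody {}\n",
        "mytheme-child": "/*\nTheme Name: My Theme Child\nTemplate: mytheme\nVersion: 0.1\n*/\n",
        "twentyeleven": "/*\nTheme Name: Twenty Eleven\nVersion: 1.3\n*/\n",
        "oldportfolio": "/*\nTheme Name: Old Portfolio\nVersion: 1.0\n*/\n",
    }
    root = tempfile.mkdtemp()
    try:
        for slug, css in samples.items():
            os.makedirs(os.path.join(root, slug))
            with open(os.path.join(root, slug, "style.css"), "w", encoding="utf-8") as fh:
                fh.write(css)
        os.makedirs(os.path.join(root, "notatheme"))  # no style.css: skipped
        # live theme is the child; its parent 'mytheme' must be kept as well
        return audit_themes(root, keep={"mytheme-child", "twentyeleven"})
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for row in demo():
        print(f"{row['action']:6} {row['slug']:16} {row['name']} {row['version']}")
```

Point it at a real install with `audit_themes("/path/to/wp-content/themes", keep={...})`; the report is only a recommendation, so the actual deletion stays a deliberate step after you have checked the live theme is not in the 'remove' column.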
