
Security breach in WordPress – database upgrade without an admin session


Hello WordPress folks,

Recently I experienced an interesting breach in WordPress security, which I haven’t found discussed anywhere yet (excuse me if so!).

It seems WordPress allows any single visitor to perform a database upgrade after a core system upgrade.

How is this possible?

To see this, your WordPress installation must have been updated recently across a version jump that also requires a database upgrade. This can happen without any action on your part, because the majority of WordPress installations update themselves automatically via wp-cron.

So let’s say your WordPress has recently been updated from v4.9 to 5.4. The upgrade then usually finishes with a screen asking you to upgrade the database.

This seems pretty normal and straightforward, and it is, if you are the logged-in administrator who just performed the upgrade.

The problem – you don’t have to be logged in to perform this

However, if you destroy your session and open /wp-admin as a guest visitor, you will see the same screen. We attach it along with a screenshot of our active cookies; as you can see, no logged-in session is present.

That doesn’t seem right. Let’s watch the whole process, with the cookies tab open, in a YouTube video we recorded specially for this case.

As you can see, we first performed the database upgrade as a guest visitor, and only after that did we log in to the admin area.

What are the security breaches?

For some of you this may not sound like a big deal, but there are actually a couple of problematic points here:

  • A database upgrade has the potential to break the whole database under certain conditions;
  • It gives a guest visitor the privilege to perform an action that a visitor must not be able to perform;
  • It exposes the fact that the website has been recently upgraded and no one has logged in since then.

How can we prevent this?

It seems a guest visitor only runs into this when intentionally visiting your /wp-admin or /wp-login.php sections. That means a simple admin URL change should do the trick. You can do this with almost any security plugin. Of course, if you need advanced security measures taken on your website, you can always take a look at our anti-hack service.
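A complementary measure is to shorten the window itself by completing the pending database upgrade from the server as soon as an automatic core update lands. The script below is an added example, not part of the original post; it assumes WP-CLI is installed as `wp`, takes the site path as its first argument, and embeds a constructed sample of `wp core version --extra` output.

```shell
#!/bin/sh
# Added example: detect a pending WordPress database upgrade and run it from the server.
# Assumptions: WP-CLI is available as `wp`; the site path is passed as $1.

# Read `wp core version --extra` output on stdin and print the database
# revision that the installed core files expect.
code_db_revision() {
    sed -n 's/^Database revision:[[:space:]]*\([0-9][0-9]*\).*$/\1/p'
}

# $1 = revision expected by the code, $2 = db_version stored in the options table.
# Returns 0 if an upgrade is pending, 1 if in sync, 2 if a value is not an integer.
upgrade_pending() {
    case "$1" in ''|*[!0-9]*) return 2 ;; esac
    case "$2" in ''|*[!0-9]*) return 2 ;; esac
    [ "$1" -ne "$2" ]
}

# Compare both values for one site and run the upgrade if they differ.
check_site() {
    path=$1
    expected=$(wp --path="$path" core version --extra | code_db_revision)
    stored=$(wp --path="$path" option get db_version)
    rc=0
    upgrade_pending "$expected" "$stored" || rc=$?
    case $rc in
        0) echo "database upgrade pending ($stored -> $expected), running it now"
           wp --path="$path" core update-db ;;
        1) echo "database is current ($stored)" ;;
        *) echo "could not read versions for $path" >&2
           return 2 ;;
    esac
}

# Constructed sample of `wp core version --extra` output (values are illustrative).
SAMPLE='WordPress version: 5.4
Database revision: 47018
TinyMCE version:   4.9.10
Package language:  en_US'

# Only touch a real site when a path is given on the command line.
if [ -n "${1:-}" ]; then
    check_site "$1"
fi
```

Scheduled from the system crontab shortly after the time automatic updates usually run, this leaves the upgrade screen with nothing to do for whoever opens it next.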

 


The content of this website is copyrighted and protected by Creative Commons 4.0.


Author Ivan Popov

CEO and lead developer at Vipe Studio. Certified open-water lifeguard and a Star Wars fan.
