Fresh WordPress installations display an interface that is used to submit essential configuration data, including login and database credentials. This interface is not protected in any way, warns Future Hosting, and can be used by attackers to compromise the WordPress installation and potentially the server on which the WordPress site is hosted.
WordPress is typically installed by uploading its files to a hosting account or server. From that moment until the configuration is completed, the installation is vulnerable. An attacker who notices the uncompleted configuration is free to finish the process themselves, creating a user with administration privileges and pointing the site at a database under the attacker’s control.
“We host thousands of WordPress sites on our VPS and dedicated server hosting platform,” said Maulesh Patel, VP of Operations of Future Hosting. “We hope to raise awareness of the risk inherent in leaving a fresh WordPress install in its default state. WordPress installations uploaded manually or via a script should be completed immediately.”
Once the attacker has control of the site, they can install custom plugins and execute arbitrary PHP code. WordFence reports that attackers are actively scanning the web for incomplete WordPress installations and using them to compromise hosting accounts.
There is no safe period during which an incomplete configuration can be exposed to the web. With a combination of automated scanning and scripts, bad actors could compromise an unconfigured WordPress site within seconds of it being uploaded to a server.
When installing WordPress on a hosting account or server, complete the configuration process immediately. Once configuration and installation are complete, the site is no longer exposed to this attack.
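One way to remove the exposure window entirely, shown here as an added example that is not code from Future Hosting or from the WordPress project: configuration and installation are both finished in a staging directory the web server does not serve, and only then is the tree renamed into the document root. It assumes wp-cli (`wp`) is installed, that the database already exists, and that the `DB_*`, `SITE_*` and `ADMIN_*` environment variables and the paths are placeholders.

```shell
#!/usr/bin/env bash
# Added example: deploy WordPress without ever exposing its setup pages.
# The setup and install screens are served only while wp-config.php is
# missing or the tables have not been created, so both steps are finished
# in a staging directory outside the document root before the tree is
# renamed into place. Assumes wp-cli is installed and the database exists;
# DB_*, SITE_* and ADMIN_* are placeholder environment variables.
set -eu

# Render wp-config.php from wp-config-sample.php by replacing the stock
# placeholders. Args: sample file, output file, db name, user, password, host.
# The db name and user are assumed to be plain identifiers; only the
# password is escaped for sed.
render_wp_config() {
  local sample="$1" out="$2" name="$3" user="$4" pass="$5" host="${6:-localhost}"
  local esc_pass
  # Escape sed metacharacters so a password containing / & or \ survives.
  esc_pass=$(printf '%s' "$pass" | sed 's/[\/&\\]/\\&/g')
  sed -e "s/database_name_here/$name/" \
      -e "s/username_here/$user/" \
      -e "s/password_here/$esc_pass/" \
      -e "s/localhost/$host/" "$sample" > "$out"
  chmod 640 "$out"   # database credentials must not be world-readable
}

# Succeed only if the tree has a rendered config and the tables exist.
installed_ok() {
  local dir="$1"
  [ -f "$dir/wp-config.php" ] || return 1
  ! grep -q 'database_name_here' "$dir/wp-config.php" || return 1
  wp --path="$dir" core is-installed >/dev/null 2>&1
}

# Download, configure and install in staging, then publish with one rename.
deploy_wordpress() {
  local webroot="$1" staging
  command -v wp >/dev/null || { echo "wp-cli is required" >&2; return 1; }
  # Same filesystem as the webroot so the final mv is an atomic rename,
  # but in the parent directory, which is not served.
  staging=$(mktemp -d "$(dirname "$webroot")/.wp-stage.XXXXXX")
  wp --path="$staging" core download
  render_wp_config "$staging/wp-config-sample.php" "$staging/wp-config.php" \
    "$DB_NAME" "$DB_USER" "$DB_PASS" "${DB_HOST:-localhost}"
  wp --path="$staging" config shuffle-salts
  wp --path="$staging" core install --url="$SITE_URL" --title="$SITE_TITLE" \
    --admin_user="$ADMIN_USER" --admin_password="$ADMIN_PASS" \
    --admin_email="$ADMIN_EMAIL"
  installed_ok "$staging"   # refuse to publish an incomplete install
  chmod 755 "$staging"      # mktemp creates 0700, which the web server cannot read
  mv "$staging" "$webroot"  # webroot must not exist yet; the site appears fully configured
}
```

Because the files only reach the document root after `wp core install` has succeeded, there is no moment at which a request to the site can reach the setup or install screens.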