Deny vulnerable WordPress plugins using Windows Server File Server Resource Manager’s File Screens

Using Windows Server File Server Resource Manager’s File Screens you can stop vulnerable WordPress plugin files from being written to your IIS web server at all. In the following example you’ll learn how to block the WP DB Backup plugin for every site under your web root on Windows Server, read on…

File Screening Management in Windows Server

Windows Server logo by Freddy2001

As a seasoned Windows Server administrator you should already be familiar with file screens in File Server Resource Manager (FSRM).

If not: file screens are used to block specific types of files from being saved on a volume or in a folder tree. To specify which files to screen, you assign one or more file groups to a file screen; a file group is a list of file name patterns (for example *.mp3 or wp-db-backup.php). Keep in mind that screening matches on the file name only, not on the file’s contents, so a renamed copy of a blocked file is not caught. The File Screening Management node of File Server Resource Manager includes all the options you need to work with file screens.

Using a file group to block specific WordPress plugin file names

In this tutorial I walk you through setting up a file screen to block the wp-db-backup.php file. This file is part of the WordPress WP DB Backup plugin. As you might know, roughly 10% of WordPress plugins are vulnerable.

WP-DB-Backup suffers from a .sql backup enumeration vulnerability due to using guessable backup file names.

Setting up the file screen

First, in File Server Resource Manager, select the File Screening Management node, right-click File Screens and choose Create File Screen…. This is where you create and edit your file screens.

Create an FSRM File Screen

In the Create File Screen window, fill out your File screen path (e.g., the folder where your websites are located; the screen applies to that folder and everything below it), and click Custom Properties under Define custom file screen properties.

Create File Screen properties

In the File Screen Properties on <path> window we need to create a new file group, because no existing file group covers PHP files. For testing purposes, select Passive screening under Screening type, so the first run only logs violations instead of blocking them. Click Create… to create a file group.

Maintain and create file groups

The Create File Group Properties window is where we define the file names we want to block. Since this is a test, created for this post, I gave the file group an easy to remember name (block wp-db-backup.php). Fill out wp-db-backup.php under Files to include and click Add to add that name to the file group. Add any further file names the same way, then leave the window by clicking OK.

Create File Group Properties

You are now back in the File Screen Properties on <path> window, where the block wp-db-backup.php file group is listed. Tick your newly created file group so the screen uses it, and click OK to return to the Create File Screen window.

Enable our created file screen for wp-db-backup.php

Now, the Create File Screen window shows a confirmation of the file screen you’ve created. Click Create to save and enable the file screen.

Summary of file screen properties

If you wish to save the properties as a file screen template you can do so in the next window that pops up. Just fill out a recognizable template name and click OK.

Save the custom properties as a template

Now it’s time for you to verify the file screen works as expected.

Test and verify the created File Screen

Testing your settings is always important to make sure everything works as expected. Once your file screen is enabled, log in to your WordPress dashboard, browse to Plugins > Add New and search for WP-DB-Backup. Click the Install Now button to see what happens.

Installing Plugin WP-DB-Backup 2.3.0

Huh?! It installed?! What happened?! Well, in this tutorial we first set the file screen to Passive screening. A passive screen is not enforced, so the wp-db-backup.php file is still allowed on our file system; it is only reported. If you enabled the event log notification on the screen, you can find a message like this in the Application event log:

User <web user> attempted to save D:\path\to\wp-content\upgrade\wp-db-backup.2.3.0-8fQS6c\wp-db-backup\wp-db-backup.php to D:\www on the SERVER NAME server. This file is in the “block wp-db-backup.php” file group, which is not permitted on the server.

(slightly edited)

The file screen we created works exactly as configured: it recognises wp-db-backup.php as not permitted, but in passive mode it only logs a message when the file is created. Time to enable Active screening.

Activate the Active screening and enforce the rule

Return to the File Screen Properties window for your screened path (the screen that uses the block wp-db-backup.php file group) and select Active screening under Screening type. Click OK to activate the file screen and exit the window.

Enable Active FSRM screening for wp-db-backup.php

When you redo the WP-DB-Backup plugin installation, you are now confronted with the message Could not copy file. wp-db-backup/wp-db-backup.php. WordPress unpacks the plugin under wp-content/upgrade and then copies it into wp-content/plugins; FSRM refuses the write of the screened file name, so the copy fails and the installation is aborted.

Plugin installation error could not copy file

You have now successfully created a Windows Server File Server Resource Manager file screen, enabled it, and denied a file from being saved on your file system.
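The same procedure, scripted with the FileServerResourceManager PowerShell module instead of the FSRM console, as an added example that is not part of the original post. It assumes FSRM runs on the web server, that the websites live under D:\www (change $WebRoot for your layout), and that the script runs in an elevated session; the SRMSVC event source name and the bracketed notification variables in the event body are FSRM’s own as far as I know them, so check them against your server. The script creates the file group and a passive screen with an event log notification, probes the screen by writing the blocked file name, switches the screen to active, probes again, and finally lists copies of the plugin that are already on disk, because a file screen never removes existing files.

```powershell
# Added example (not from the original post): FSRM file screen for wp-db-backup.php in PowerShell.
# Assumptions: FSRM role service available, web root D:\www, elevated session.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$WebRoot   = 'D:\www'                   # assumption: folder that holds the websites
$GroupName = 'block wp-db-backup.php'   # same name as in the console walkthrough
$FileName  = 'wp-db-backup.php'

# 0. Make sure the FSRM role service and its cmdlets are present.
if (-not (Get-WindowsFeature -Name FS-Resource-Manager).Installed) {
    Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools | Out-Null
}
Import-Module FileServerResourceManager

# 1. File group: the file names to deny. Patterns match the file name only,
#    so a renamed copy of the plugin is not caught by this screen.
if (-not (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $FileName `
        -Description 'WP-DB-Backup: guessable .sql backup file names' | Out-Null
}

# 2. Event log notification, so even passive screening leaves an audit trail.
#    The bracketed names are FSRM notification variables (assumed, see lead-in).
$logAction = New-FsrmAction -Type Event -EventType Warning -Body (
    'User [Source Io Owner] attempted to save [Source File Path] to [File Screen Path] ' +
    'on the [Server] server. This file is in the [Violated File Group] file group, ' +
    'which is not permitted on the server.')

# 3. Passive screen first (log only): -Active is deliberately omitted.
if (-not (Get-FsrmFileScreen -Path $WebRoot -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $WebRoot -IncludeGroup $GroupName -Notification $logAction `
        -Description 'Deny vulnerable WordPress plugin files' | Out-Null
}

# 4. Probe: write the screened file name below the web root and report whether it landed.
#    Returns $true when FSRM blocked the write, $false when the file was created.
function Test-ScreenedWrite {
    param([string]$Path)
    $probeDir = Join-Path $Path 'wp-content\upgrade\fsrm-probe'
    $probe    = Join-Path $probeDir $FileName
    try {
        New-Item -ItemType File -Path $probe -Force | Out-Null
    } catch {
        # An active screen fails the write; show the reason and fall through to the check.
        Write-Warning "Write refused: $($_.Exception.Message)"
    }
    $landed = Test-Path -LiteralPath $probe
    Remove-Item -LiteralPath $probeDir -Recurse -Force -ErrorAction SilentlyContinue
    return (-not $landed)
}

"Passive screen blocked the probe: $(Test-ScreenedWrite $WebRoot)"
# The passive violation shows up in the Application log under the SRMSVC source (assumed name).
Get-WinEvent -LogName Application -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object ProviderName -eq 'SRMSVC' | Select-Object TimeCreated, Id, Message

# 5. Enforce: switch the screen to active, then the same write must fail.
Set-FsrmFileScreen -Path $WebRoot -Active:$true
"Active screen blocked the probe:  $(Test-ScreenedWrite $WebRoot)"

# 6. A file screen only stops new writes. Copies already on disk stay, so find them.
Get-ChildItem -Path $WebRoot -Recurse -Filter $FileName -File -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
```

While the screen is passive the first probe line reports False (the file was written and an event logged); after Set-FsrmFileScreen -Active:$true the second probe reports True. The listing in step 6 is the part the console walkthrough does not cover: an existing installation of the plugin is untouched by the screen and has to be removed or updated separately.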

Conclusion blocking specific WordPress plugins on Windows Server using File Server Resource Manager

Some WordPress plugins have one or more known vulnerabilities, whether SQL injection, Cross Site Scripting (XSS) or something else. When those vulnerabilities aren’t addressed and resolved, such plugins shouldn’t be allowed in a secure hosting environment.

Windows Server provides file screens in File Server Resource Manager to let you deny those plugin files, and in this tutorial I showed you how to set up and enable such a file screen. Remember that a screen matches file names, not content, and only stops new writes: audit your web root for copies that are already installed.
