How to remediate – WordPress WPEngine Configuration Detected

1. Introduction

WordPress WPEngine Configuration Detected refers to potentially sensitive information exposed within a WordPress installation using WPengine managed hosting. This can occur due to misconfigured access controls on the _wpeprivate directory, which may contain database credentials and account details. Successful exploitation could lead to unauthorized access to the website and its associated data. Confidentiality, integrity, and availability are all at risk.

2. Technical Explanation

The vulnerability stems from default configurations within WPengine that can leave the _wpeprivate directory accessible. This directory holds a config.json file containing sensitive information. An attacker could remotely access this file if web server permissions are not correctly restricted. There is no known CVE associated with this specific configuration issue, but it relates to common security misconfiguration flaws.

• Root cause: Incorrectly configured or overly permissive access controls on the _wpeprivate directory and its contents.
• Exploit mechanism: An attacker could directly request the config.json file via HTTP/HTTPS (e.g., https://example.com/_wpeprivate/config.json) if the directory is publicly accessible.
• Scope: WordPress installations hosted on WPengine are affected, particularly those with default or poorly configured security settings.

3. Detection and Assessment

Confirming vulnerability requires checking access to the _wpeprivate directory. A quick check can be done via a web browser. More thorough assessment involves using automated scanning tools.

• Quick checks: Attempt to access https://your-wpengine-site.com/_wpeprivate/config.json in a web browser. If the file is displayed or downloaded, the system is vulnerable.
• Scanning: Nessus plugin ID 16829 can identify this issue as an example. Other vulnerability scanners may also have relevant checks for WPengine configurations.
• Logs and evidence: Check web server access logs for requests to the _wpeprivate directory. Look for HTTP status codes 200 (OK) indicating successful file retrieval.

curl -I https://your-wpengine-site.com/_wpeprivate/config.json

4. Solution / Remediation Steps

Fixing this issue involves restricting access to the _wpeprivate directory and reviewing WPEngine security settings.

4.1 Preparation

• No services need to be stopped for this remediation, but it is advisable to perform these steps during off-peak hours. A roll back plan involves restoring from backup if access issues occur.

4.2 Implementation

1. Step 1: Log in to your WPengine User Portal.
2. Step 2: Navigate to the “Security” section of your environment settings.
3. Step 3: Review and adjust WPEngine security settings, ensuring that access to sensitive files like config.json is restricted.
4. Step 4: If necessary, add custom rules to your .htaccess file (or equivalent web server configuration) to explicitly deny access to the _wpeprivate directory.

4.3 Config or Code Example

Before

# No specific rules blocking access to _wpeprivate (example .htaccess)

After

<FilesMatch "^_wpeprivate.*$">
  Require all denied
</FilesMatch>

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue.

• Practice 1: Least privilege – limit access to sensitive files and directories only to authorized users or processes.
• Practice 2: Secure defaults – ensure that default configurations are secure and do not expose sensitive information unnecessarily.
• Practice 3: Regular security reviews – periodically review server configurations and file permissions to identify potential vulnerabilities.

4.5 Automation (Optional)

Automation is difficult without direct access to the WPengine environment, but configuration management tools could be used if custom rules are required.

# Example Ansible task to add .htaccess rule (requires appropriate permissions and modules)
- name: Block access to _wpeprivate directory
  copy:
    dest: /path/to/.htaccess
    content: "<FilesMatch "^_wpeprivate.*$">n  Require all deniedn</FilesMatch>"
    mode: 0644

5. Verification / Validation

Confirm the fix by verifying that access to the _wpeprivate directory is blocked.

• Post-fix check: Attempt to access https://your-wpengine-site.com/_wpeprivate/config.json in a web browser. You should receive a 403 Forbidden error or similar access denied message.
• Re-test: Re-run the curl command from the Detection section. The response code should be 403 (Forbidden) instead of 200 (OK).
• Smoke test: Verify that core WordPress functionality, such as logging in and creating posts, still works correctly.
• Monitoring: Monitor web server access logs for any attempts to access the _wpeprivate directory. An alert can be set up if requests to this directory are detected.

curl -I https://your-wpengine-site.com/_wpeprivate/config.json # Expected output: HTTP/1.1 403 Forbidden

6. Preventive Measures and Monitoring

Preventive measures include regular security audits and adherence to secure configuration standards.

• Baselines: Update your server baseline or policy to explicitly require restricted access to sensitive directories like _wpeprivate.
• Asset and patch process: Review WPengine security documentation regularly for updates and best practices. A quarterly review cycle is recommended.

7. Risks, Side Effects, and Roll Back

Incorrectly configured access controls could inadvertently block legitimate website functionality.

• Risk or side effect 1: Blocking legitimate requests – ensure that any custom rules do not interfere with core WordPress operations.
• Risk or side effect 2: Service disruption – incorrect .htaccess configuration can cause a 500 error.

8. References and Resources

Links to relevant resources.

• Vendor advisory or bulletin: https://wpengine.com/support/wp-engines-security-environment/
• NVD or CVE entry: No specific CVE is associated with this configuration issue.
• Product or platform documentation relevant to the fix: https://wpengine.com/docs/security/