If you’ve used the popular Duplicator plugin to migrate a WordPress site, it is time to check that installation right now. The simple reason: files from the migration process may have been left behind, and there is currently a growing number of scans by attackers looking for exactly these files.
No vulnerable code was found in the Duplicator plugin itself. The problem is that when Duplicator is used to migrate or restore a backed-up copy of a WordPress site, two critical files are created, and not all users remove them afterwards as they should.
Migrating or backing up a WordPress site with Duplicator generates two files:
- an archived .zip file
- the installer.php script (with its copy, installer-backup.php)
By visiting installer.php, the admin can restore all files and the WordPress database. The installer.php and installer-backup.php files can be reused after the restoration process to inject malicious PHP code into the wp-config.php file. An attacker could thus abuse these scripts to execute arbitrary code on the server and take it over.
Steps to take:
- Update the WordPress Duplicator plugin to version 1.2.42 or newer.
- A new optional setting has been added that lets users password-protect the installer scripts – use this option.
- Always remove the remaining Duplicator files after a restore.
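As an added example (not code from the original post or from the Duplicator project), the following Python script does two of the checks a site owner would want after reading the steps above: it looks in the web root for the leftover installer.php, installer-backup.php and any .zip archive and removes them, and it runs a small access-log scan that flags requests for those installer scripts. The docroot layout, the archive name `site_archive.zip` and the log lines are constructed for the demo; the log parser assumes Apache/Nginx Common Log Format.

```python
"""Post-migration check for a WordPress site restored with Duplicator.
Hypothetical helper written for this article; not part of the plugin."""
import os
import re
import tempfile

# Files the article names as left behind by a Duplicator restore.
LEFTOVER_NAMES = ("installer.php", "installer-backup.php")


def find_leftovers(docroot):
    """Return paths of Duplicator installer scripts and any .zip archive
    lying directly in the web root. An empty list means the root is clean."""
    found = []
    for name in sorted(os.listdir(docroot)):
        path = os.path.join(docroot, name)
        if not os.path.isfile(path):
            continue
        if name in LEFTOVER_NAMES or name.lower().endswith(".zip"):
            found.append(path)
    return found


def remove_leftovers(docroot):
    """Delete every leftover file found and return the removed file names."""
    removed = []
    for path in find_leftovers(docroot):
        os.remove(path)
        removed.append(os.path.basename(path))
    return removed


# Common Log Format: ip ident user [timestamp] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_access_log(lines):
    """Return (client_ip, timestamp, path, status) for each request whose
    path is a Duplicator installer script, ignoring any query string.
    A 200 status means the script was still reachable at that time."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, _method, target, status = m.groups()
        path = target.split("?", 1)[0]
        if os.path.basename(path) in LEFTOVER_NAMES:
            hits.append((ip, ts, path, int(status)))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2018:03:14:07 +0000] "GET /installer.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Sep/2018:03:14:09 +0000] "GET /installer-backup.php?x=1 HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Sep/2018:03:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]


def demo():
    """Build a throwaway docroot with constructed leftover files, clean it,
    and scan the sample log. Returns a summary dict for inspection."""
    docroot = tempfile.mkdtemp()
    # index.php is a legitimate file and must survive; the others are leftovers.
    for name in ("installer.php", "installer-backup.php", "site_archive.zip", "index.php"):
        with open(os.path.join(docroot, name), "w") as fh:
            fh.write("<?php // constructed placeholder\n")
    before = [os.path.basename(p) for p in find_leftovers(docroot)]
    removed = remove_leftovers(docroot)
    after = find_leftovers(docroot)
    return {
        "before": before,
        "removed": removed,
        "after": after,
        "hits": scan_access_log(SAMPLE_LOG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real server, point `find_leftovers` at the WordPress root (the directory containing wp-config.php) and feed `scan_access_log` the web server's access log; any hit with status 200 after the restore was finished is the signal that the installer was still exposed and that the site should be reviewed for a modified wp-config.php.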
Always remember that removing temporary installation and migration files is an absolute must. Leaving them on your server exposes it to attack.