PHP, or Hypertext Preprocessor, is a programming language that runs approximately 80 percent of the web. WordPress websites run on PHP, making them critically vulnerable to PHP hacks.
The language itself is open source, which means that anyone who programs in PHP can become a “contributing member” of the community that develops and deploys it.
This is important to know because it shows just how far-reaching an attack on PHP could be.
On the night of Sunday, March 28, 2021, just such an attack was launched. Nikita Popov reported that two malicious commits were pushed to the php-src Git repository.
Git is a secure web development hub/community, and a Git repository is a library of code assigned to specific users on the Git network. Repositories can be either public or private.
The PHP scripting language, the backbone of 100 percent of WordPress sites, is hosted in a Git repository that was compromised, which potentially endangered every site running WordPress. Here’s what happened and what it means going forward.
Backdoors Were Planted during the PHP Hack
These two Git commits were made in order to plant two backdoors.
These backdoors would have effectively granted the attackers remote code execution in two ways: through PHP code and through an HTTP header.
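As an added defensive illustration (not code from this post or from Wordfence), the following Python scans combined-format web server access logs for PHP code carried inside HTTP header fields, the delivery channel the backdoor would have relied on. The log lines are constructed samples and the indicator patterns are assumptions of my own; it also checks the Referer header, going slightly beyond the single header the post mentions.

```python
import re

# Constructed sample of combined-format access log lines. The third line
# carries PHP code in the User-Agent header (the suspicious case).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Mar/2021:02:14:07 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/87.0"
203.0.113.9 - - [29/Mar/2021:02:14:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "https://example.test/" "Mozilla/5.0 (Windows NT 10.0) Chrome/89.0"
198.51.100.23 - - [29/Mar/2021:02:15:41 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "<?php phpinfo(); ?>"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed indicators of PHP code where only a plain header value belongs.
PHP_CODE_PATTERNS = [
    re.compile(r"<\?php", re.I),
    re.compile(r"\b(eval|system|exec|passthru|shell_exec|assert)\s*\(", re.I),
    re.compile(r"\bbase64_decode\s*\(", re.I),
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_php_in_headers(entry):
    """Return (field, pattern) pairs for header fields that look like PHP code."""
    hits = []
    for field in ("ua", "referer"):
        for pat in PHP_CODE_PATTERNS:
            if pat.search(entry[field]):
                hits.append((field, pat.pattern))
                break  # one hit per field is enough to flag it
    return hits


def scan_log(text):
    """Scan log text and return one record per request with PHP in a header."""
    flagged = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; a real pipeline should count these
        hits = find_php_in_headers(entry)
        if hits:
            flagged.append({"line": lineno, "ip": entry["ip"], "hits": hits})
    return flagged
```

Running `scan_log(SAMPLE_LOG)` flags only the third line, attributing the hit to the User-Agent field.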
According to Wordfence’s security team:
In the same article, Wordfence also went into detail regarding the extent of the hacks:
What’s the Significance?
When viewing those screenshots, it’s important to note that the same code was used for both hacking attempts.
Thankfully, these commits were caught in the Git repository before they were released in a production version.
Otherwise, the hackers could have done a lot of damage to all WordPress websites.
Wordfence mentions that in the end, the backdoor was not well concealed, and it is likely that the attacker either expected to get caught or didn’t have the skill to conceal it.
Wordfence is also not treating the threat quite as seriously, because the attack is attributed to an inexperienced “script kiddie” rather than a sophisticated, full-fledged team of hackers.
This PHP Hack Does Not Affect WordPress Sites in Production
Fortunately for all of us, this hack does not affect WordPress sites in production because of how quickly it was caught.
Wordfence reports that the compromised version of PHP did not and will never reach your server.
We will continue to keep you updated on any changes as the story progresses.
Screenshots: Wordfence.com / Mar 2021