Starting from version 3.8.3, NinjaFirewall (WP and WP+ Edition) will attach a PHP backtrace to some important email notifications sent to the administrator. The option can be found in the “Event Notifications” page and is enabled by default:
Why a backtrace? Well, let’s consider the following scenario: Hackers gain access to the victim’s FTP server and use it to backdoor a file. Their malicious code is injected into the
footer.php script of the WordPress Twenty Nineteen theme:
The above code can be triggered by sending a
$_POST['h4ck3r'] request to the index page of the blog. It will first create a “hacker_name” user account using the
wp_create_user() function line 15, and then will give it full administrator privileges line 17.
If hackers try to activate the backdoor on a website where NinjaFirewall is installed, they will get blocked by the firewall and the administrator will receive the following notification:
NinjaFirewall has blocked an attempt to create a user account: Blog: http://example.org/ Username: hacker_name (blocked) User IP: 192.168.43.101 SCRIPT_FILENAME: /home/wp/index.php REQUEST_URI: / Date: March 17, 2019 @ 05:14:01 (UTC +0700) A PHP backtrace has been attached to this message for your convenience. NinjaFirewall (WP Edition) - https://nintechnet.com/ Support forum: http://wordpress.org/support/plugin/ninjafirewall
So far so good, it was blocked and we can see that hackers sent a request to the index page in order to create a “hacker_name” user account (the firewall log will show that is was a POST request). But we still don’t know where is that backdoor and what exactly happened under the hood. That’s where the PHP backtrace really comes in handy. Here’s the one that was attached to the notification for the above malicious attempt:
As you can see, it shows the script where the backdoors is located,
/home/wp/wp-content/themes/twentynineteen/footer.php, the call to
wp_create_user() and its line number (15), and even the function arguments.
The PHP backtrace will be attached to the following email notifications:
- When NinjaFirewall has blocked an attempt to create a user account.
- When NinjaFirewall has blocked an attempt to gain administrative privileges.
- When NinjaFirewall has blocked an attempt to modify some important WordPress settings by a user that does not have administrative privileges.
You can select between three different verbosity levels:
- Low Verbosity: backtrace only.
- Medium Verbosity: backtrace with the “args” index.
- High Verbosity: backtrace with the “args” and “object” indexes.