NinjaFirewall (WP Edition) adds PHP backtrace to email notifications.

Revision: May 18th, 2020

Starting from version 3.8.3, NinjaFirewall (WP and WP+ Edition) will attach a PHP backtrace to some important email notifications sent to the administrator. The option can be found in the “Event Notifications” page and is enabled by default:

Why a backtrace? Well, let’s consider the following scenario: Hackers gain access to the victim’s FTP server and use it to backdoor a file. Their malicious code is injected into the footer.php script of the WordPress Twenty Nineteen theme:

The above code can be triggered by sending a $_POST['h4ck3r'] request to the index page of the blog. It will first create a “hacker_name” user account using the wp_create_user() function line 15, and then will give it full administrator privileges line 17.

If hackers try to activate the backdoor on a website where NinjaFirewall is installed, they will get blocked by the firewall and the administrator will receive the following notification:

NinjaFirewall has blocked an attempt to create a user account:

Blog: http://example.org/
Username: hacker_name (blocked)
User IP: 192.168.43.101
SCRIPT_FILENAME: /home/wp/index.php
REQUEST_URI: /
Date: March 17, 2019 @ 05:14:01 (UTC +0700)

A PHP backtrace has been attached to this message for your convenience.

NinjaFirewall (WP Edition) - https://nintechnet.com/
Support forum: http://wordpress.org/support/plugin/ninjafirewall

So far so good, it was blocked and we can see that hackers sent a request to the index page in order to create a “hacker_name” user account (the firewall log will show that it was a POST request). But we still don’t know where is that backdoor and what exactly happened under the hood. That’s where the PHP backtrace really comes in handy. Here’s the one that was attached to the notification for the above malicious attempt:

As you can see, it shows the script where the backdoors is located, /home/wp/wp-content/themes/twentynineteen/footer.php, the call to wp_create_user() and its line number (15), and even the function arguments.

The PHP backtrace will be attached to the following email notifications (provided that you enabled those options):

  • When NinjaFirewall has blocked an attempt to create a user account.
  • When NinjaFirewall has blocked an attempt to gain administrative privileges.
  • When NinjaFirewall has blocked an attempt to modify some important WordPress settings by a user who doesn’t have administrative privileges.
  • When NinjaFirewall has blocked an attempt to publish or edit a published post by a user who doesn’t have the right capabilities.

Verbosity level

You can select between three different verbosity levels:

  • Low Verbosity: backtrace only.
  • Medium Verbosity: backtrace with the “args” index.
  • High Verbosity: backtrace with the “args” and “object” indexes.