Mitigate CVE-2018-6389 WordPress load-scripts / load-styles attacks.
- Goal
- Why?
- Mitigation
- Why Not?
- Requirements
- Installation
- FAQs
- Alternatives
- Testing
- Author Information
- Feedback
- Change log
- License
Goal
Deny all requests to wp-admin/load-scripts.php and wp-admin/load-styles.php by Nginx.
Why?
TL;DR: it [WordPress] will use load-scripts.php (for JS) or load-styles.php (for CSS files) and the browser will get multiple JS/CSS files through a single request, so performance-wise it is better to do so and the page will load faster. This feature was designed only for the admin pages, but is also used on the wp-login.php page, so no authentication is enforced on these files.
-- How to DoS 29% of the World Wide Websites - CVE-2018-6389
# for example
https://example.com/wp/wp-admin/load-scripts.php?c=1&load[]=jquery-ui-core,iris,wp-color-picker,dashboard,list-revision,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check
# same goes to https://example.com/wp/wp-admin/load-styles.php
A single request (no authentication required) could cause the server to perform >180 IO reads and concatenate all the files into a >4MB response. For small servers without proper firewalls and rate-limiting, this is enough to perform DoS attacks.
Mitigation
- You should really use HTTPS. If you don’t, you shouldn’t have a web site in the first place.
- When you use HTTPS, there’s no reason to not use HTTP/2.
- With HTTP/2, there’s no need to concatenate your files. It is actually an anti-pattern.
-- How to mitigate CVE-2018-6389 – the load-scripts.php DoS "attack" in WordPress
- Tell WordPress not to use concatenation of JS and CSS files
- Deny all requests to load-scripts.php and load-styles.php
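To confirm from the access log that the Nginx deny rule is actually in effect, and to see how much concatenation traffic WordPress was still serving before it, here is an added Python example that is not part of this role or of Trellis. It parses constructed Nginx combined-format log lines (placeholder addresses), counts load-scripts.php / load-styles.php requests that were denied versus served, and flags served requests carrying a long load[] handle list like the one quoted above; the threshold of 10 handles is an assumed value.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed Nginx access-log lines (default "combined" format), not real traffic:
# line 1 served by WordPress, line 2 denied by Nginx, line 3 unrelated login traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Feb/2018:10:00:01 +0000] "GET /wp/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core,iris,wp-color-picker,dashboard,list-revisions,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background HTTP/1.1" 200 4194304 "-" "curl/7.58.0"
203.0.113.10 - - [06/Feb/2018:10:00:02 +0000] "GET /wp/wp-admin/load-styles.php?c=1&load[]=dashboard,list-tables,edit,revisions HTTP/1.1" 403 162 "-" "curl/7.58.0"
198.51.100.7 - - [06/Feb/2018:10:00:03 +0000] "GET /wp/wp-login.php HTTP/1.1" 200 3045 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
CONCAT_ENDPOINTS = ("/wp-admin/load-scripts.php", "/wp-admin/load-styles.php")

def parse_concat_request(line):
    """Return details of a load-scripts/load-styles request, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(CONCAT_ENDPOINTS):
        return None
    # WordPress takes the comma-separated handle list from load[]; the key is often
    # URL-encoded as load%5B%5D, which parse_qs decodes for us.
    handles = [h for v in parse_qs(url.query).get("load[]", []) for h in v.split(",") if h]
    return {"ip": m.group("ip"), "path": url.path, "status": int(m.group("status")),
            "bytes": 0 if m.group("bytes") == "-" else int(m.group("bytes")),
            "handles": len(handles)}

def analyse(log_text, handle_threshold=10):
    """Count denied (403) vs served (200) concatenation requests, bytes still served,
    and served requests with an unusually long handle list (threshold is an assumed value)."""
    summary = {"served": 0, "denied": 0, "served_bytes": 0, "suspicious": []}
    per_ip = Counter()
    for line in log_text.splitlines():
        req = parse_concat_request(line)
        if req is None:
            continue
        per_ip[req["ip"]] += 1
        if req["status"] == 403:
            summary["denied"] += 1
        elif req["status"] == 200:
            summary["served"] += 1
            summary["served_bytes"] += req["bytes"]
            if req["handles"] >= handle_threshold:
                summary["suspicious"].append((req["ip"], req["path"], req["handles"]))
    summary["per_ip"] = dict(per_ip)
    return summary
```

Run it against a real access log by reading the file into `analyse()`; a non-zero `served` count after provisioning means the deny rule is not in front of the site.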
Why Not?
- All the comments from otto4242 in this reddit thread
- wfalaa's (Wordfence author) comments in this wp.org thread
Requirements
- Trellis 17c26fc or later
- Ansible v2.6 or later
Installation
Add this role to requirements.yml:
# requirements.yml
- src: https://github.com/ItinerisLtd/trellis-cve-2018-6389
version: 0.1.0 # Check for latest version!
Run the command:
➜ ansible-galaxy install -r requirements.yml --force
Add the role into dev.yml and server.yml, immediately after role: wordpress-setup:
roles:
# some other Trellis roles ...
- { role: wordpress-setup, tags: [wordpress, wordpress-setup, letsencrypt] }
- { role: trellis-cve-2018-6389, tags: [nginx, wordpress, wordpress-setup] }
# some other Trellis roles ...
Then, re-provision as usual:
# https://roots.io/trellis/docs/local-development-setup/
➜ vagrant reload --provision
# https://roots.io/trellis/docs/remote-server-setup/
➜ ansible-playbook server.yml -e env=<environment>
Disable concatenation:
# config/application.php OR wp-config.php OR equivalent
# normal OR outdated Bedrock:
define('CONCATENATE_SCRIPTS', false);
# Bedrock with roots/wp-config:
Config::define('CONCATENATE_SCRIPTS', false);
Then, deploy as usual:
# https://roots.io/trellis/docs/deploys/
➜ ./bin/deploy.sh <environment> <domain>
# or alternatively
➜ ansible-playbook deploy.yml -e "site=<domain> env=<environment>"
FAQs
No, you can't use this on managed hosting such as Kinsta or WP Engine.
It's the hosting company's job to mitigate this kind of attack.
- Articles on Itineris' blog
- More projects on Itineris' GitHub profile
- Follow @itineris_ltd and @TangRufus on Twitter
- Hire Itineris to build your next awesome site
Thanks! Glad you like it. It's important to let my boss know that somebody is using this project. Instead of giving reviews on wp.org, consider:
- tweet something good mentioning @itineris_ltd
- star this GitHub repo
- watch this GitHub repo
- write blog posts
- submit pull requests
- hire Itineris
Testing
➜ ansible-playbook -i 'localhost,' --syntax-check tests/test.yml
Author Information
trellis-cve-2018-6389 is an Itineris Limited project created by Tang Rufus.
Special thanks to the Roots team, whose Trellis makes this project possible.
Full list of contributors can be found here.
Feedback
Please provide feedback! We want to make this library useful in as many projects as possible. Please submit an issue and point out what you do and don't like, or fork the project and make suggestions. No issue is too small.
Change log
Please see CHANGELOG for more information on what has changed recently.
License
trellis-cve-2018-6389 is released under the MIT License.