dl-skin.php

Hackers are still aware of the AFD (Arbitrary File Download) exploits in the dl-skin.php files and are actively targeting WordPress websites that run vulnerable themes containing that file, such as the ones shown below.

/wp-content/themes/awake/lib/scripts/dl-skin.php
/wp-content/themes/barracudafx/lib/scripts/dl-skin.php
/wp-content/themes/construct/lib/scripts/dl-skin.php
/wp-content/themes/dejavu/lib/scripts/dl-skin.php
/wp-content/themes/echelon/lib/scripts/dl-skin.php
/wp-content/themes/elegance/lib/scripts/dl-skin.php
/wp-content/themes/fusion/lib/scripts/dl-skin.php
/wp-content/themes/infocus2/lib/scripts/dl-skin.php
/wp-content/themes/infocus/lib/scripts/dl-skin.php
/wp-content/themes/Insignia/lib/scripts/dl-skin.php
/wp-content/themes/manbiz2/lib/scripts/dl-skin.php
/wp-content/themes/Melos_Pro/lib/scripts/dl-skin.php
/wp-content/themes/mesocolumn/lib/scripts/dl-skin.php
/wp-content/themes/Minamaze_Pro/lib/scripts/dl-skin.php
/wp-content/Medic-Theme/lib/scripts/dl-skin.php
/wp-content/themes/method/lib/scripts/dl-skin.php
/wp-content/themes/myriad/lib/scripts/dl-skin.php
/wp-content/themes/modular/lib/scripts/dl-skin.php
/wp-content/themes/persuasion/lib/scripts/dl-skin.php
/wp-content/themes/versatile/lib/scripts/dl-skin.php

Please be aware that this is not a full list as I do not want Hackers and Script Kiddies (who watch WordPress AFD dl-skin.php Exploit videos online) to have more data to work with in their intrusion from hacked servers as it is not always easy to recover a hacked WordPress site. So far, I have spotted one compromised server belonging to Hotel Kouris in Greece that was being used to send out attacks.

Updates
Log into WordPress frequently to keep your version current. If this is not possible because you have numerous sites or little free time, you can apply WordPress updates automatically by adjusting your configuration file. Keep in mind that plugins will not update automatically unless the site is hosted on WordPress.com or you have an additional plugin that does this for you.

Protection
To make sure that your site or your client's site stays safe, always remove themes that are no longer in use on the site (except for the current default WordPress theme, which is useful when troubleshooting plugin and site issues). You will most likely not be updating unused themes on a regular basis, especially if they have tons of customization or are no longer supported and updated by the developer.

Avoiding Detection
Normally it would be hard to know which websites have the exploitable themes, but unfortunately Google has made it very easy with its search results, as exploiters can search for the theme's name with the inurl: operator. This is why it is also important to rename the theme folders in your WordPress installation to something similar to the examples below and to have the robots.txt for WordPress block indexing of your themes.

/wp-content/themes/r3d/
/wp-content/themes/y3110w/
/wp-content/themes/b1u3/
/wp-content/themes/gr33n/
/wp-content/themes/0ran9e/
/wp-content/themes/purp13/
/wp-content/themes/b1ack/
/wp-content/themes/cu5t0m/
/wp-content/themes/tw3ak3d/

This way, an actual person has to visit your site to peek at your website's view source (which you can attempt to block), because their bots will be useless attacking the default paths for the known themes. I would also go a step further and edit the style.css file in your theme, because the CSS file contains information on the theme along with its creator, which makes it easier for the attacker to look up and download the theme (especially if it is free or has a free version) to see what files are included, their paths, and the best way to use an exploit.

To make sure that you know which themes you have installed later on after they are renamed, leave a randomly named .txt file in the theme’s folder as a reference for yourself and those that are authorized to manage the site with you.

Also, if you have numerous sites, it is a good idea to add tracking estimation code to your 404.php pages so that you can see which themes or plugins are being looked at by exploiters. That way you can avoid using them in the future, or at least until they are patched, and you can add the offending IP address to your server's firewall.
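As an added example that is not part of the original article, the following Python script scans web server access logs for requests to the dl-skin.php paths listed above, groups them by source IP, flags any request that was actually served rather than answered with a 404, and produces the block list for the firewall mentioned above. The log lines are constructed samples and the Apache/nginx combined log format is assumed.

```python
import re
from collections import defaultdict
# Constructed sample lines in Apache/nginx "combined" access-log format (assumed).
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/themes/awake/lib/scripts/dl-skin.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/themes/infocus/lib/scripts/dl-skin.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [10/Oct/2023:14:01:02 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [10/Oct/2023:14:01:05 +0000] "GET /wp-content/themes/persuasion/lib/scripts/dl-skin.php?x=1 HTTP/1.1" 404 512 "-" "curl/7.88"',
]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# The AFD probe signature from the article: <theme>/lib/scripts/dl-skin.php under
# wp-content, with or without the themes/ segment (covers the Medic-Theme entry too).
DL_SKIN_RE = re.compile(
    r'^/wp-content/(?:themes/)?(?P<theme>[^/]+)/lib/scripts/dl-skin\.php$', re.IGNORECASE
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_dl_skin_probes(lines):
    """Group dl-skin.php requests by source IP: {ip: {"count", "themes", "served"}}.
    A non-zero "served" (any status other than 404) means the file exists on this server."""
    report = defaultdict(lambda: {"count": 0, "themes": set(), "served": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pm = DL_SKIN_RE.match(rec["path"].split("?", 1)[0])  # drop any query string
        if not pm:
            continue
        entry = report[rec["ip"]]
        entry["count"] += 1
        entry["themes"].add(pm.group("theme").lower())
        if rec["status"] != 404:
            entry["served"] += 1
    return dict(report)

def block_list(report):
    """Source IPs to hand to the firewall, most active scanner first."""
    return sorted(report, key=lambda ip: (-report[ip]["count"], ip))
```

Feed it the lines of your real access log instead of SAMPLE_LINES; the "themes" sets tell you which theme names the scanners are looking for, which is the same information the 404.php tracking idea above gives you.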

Getting Email Alerts
Free email accounts from Microsoft (Hotmail.com, Outlook.com, Live.com, etc.) are not recommended, as your server will eventually get banned for the uptick in mass emails to your Microsoft account. If this is your only option, contact Microsoft in advance and let them know what you plan to do so your server's IP address can be added to their whitelist. If you are blocked, you will have to fill out a form and wait for your server's IP address to be unblocked, which often takes up to three business days, and if numerous clients share the same IP address, they will be affected as well.

Stephan Pringle

Technology Support Specialist at Sipylus
About The Author: Stephan Pringle is an Information Technology Support Specialist. He covers hardware and software and provides tips for you to troubleshoot and repair issues on your own. In his spare time, he writes articles about the State of New York on his Hackintosh and HackBook and that has helped him to become the top contributor of the New York City section of Yahoo! Answers.