Alibaba Cloud prompts that WP exists

888u

Last updated: 2023-12-29, edited by 888u

Alibaba Cloud often sends emails saying that some vulnerabilities need to be fixed and that the repair package is ready, hehe! In fact, the notification service is free, but the repair requires payment. ImageMagick security vulnerabilities have indeed been disclosed recently. If the ImageMagick component is installed in our web environment, we need to check whether it is vulnerable and upgrade it to solve the problem. If ImageMagick is not installed, we can ignore the alert completely, because the WP_Image_Editor_Imagick vulnerability is not native to the WP program. It can only be exploited when ImageMagick is installed without the patch, and in that case we need to fix it.

First, check whether there is an ImageMagick vulnerability

convert 'https://example.com"|ls "-la' out.png

If the command reports that it executed successfully with no errors, there is a vulnerability and we need to upgrade the component. If it reports an error, or ImageMagick is not installed at all, there is no problem (and you don't need to read the rest).

Second, patch WP_Image_Editor_Imagick

If you run your own server and the installed ImageMagick is vulnerable, the best fix is to upgrade it to the latest version. The temporary workaround for the WP vulnerability only requires modifying one line of code.

1. Find line 2898 of wp-includes/media.php

2. Modify the file

$implementations = apply_filters( 'wp_image_editors', array( 'WP_Image_Editor_GD', 'WP_Image_Editor_Imagick' ) );

Just swap the priorities of the two libraries. After that, re-verifying in the Alibaba Cloud backend shows the issue as repaired.

In summary, this is only a temporary solution. The most direct way is to upgrade WP to the latest version.
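The same editor order can be set without touching a core file, which a WP update would overwrite. The following is an added example, not code from the original post or from WordPress: a hypothetical must-use plugin that hooks the wp_image_editors filter seen in the line above. The file name, the function name and the EXAMPLE_DROP_IMAGICK switch are assumptions.

```php
<?php
/**
 * Added example (hypothetical mu-plugin, e.g. wp-content/mu-plugins/prefer-gd-editor.php).
 * Applies the editor-order change through the wp_image_editors filter,
 * so wp-includes/media.php stays unmodified and core updates do not undo it.
 */

// Constructed switch (an assumption of this example, not a WordPress constant):
// true  = remove Imagick from the list entirely,
// false = only move it behind GD, as in the one-line edit.
if ( ! defined( 'EXAMPLE_DROP_IMAGICK' ) ) {
    define( 'EXAMPLE_DROP_IMAGICK', false );
}

function example_prefer_gd_editor( $editors ) {
    $gd      = 'WP_Image_Editor_GD';
    $imagick = 'WP_Image_Editor_Imagick';

    // Keep any other editors that plugins registered, in their original order.
    $others = array_values( array_diff( (array) $editors, array( $gd, $imagick ) ) );

    // GD goes first. WordPress uses the first listed editor that passes its
    // own availability test, so Imagick is reached only if GD cannot be used.
    $ordered = array_merge( array( $gd ), $others );

    if ( ! EXAMPLE_DROP_IMAGICK ) {
        $ordered[] = $imagick;
    }

    // Reordering alone does not help when the GD extension is missing:
    // WordPress would fall through to Imagick. Record that in the PHP error log.
    if ( ! extension_loaded( 'gd' ) && ! EXAMPLE_DROP_IMAGICK ) {
        error_log( 'prefer-gd-editor: GD not loaded, WordPress will fall back to Imagick if available' );
    }

    return $ordered;
}

// add_filter() exists only inside WordPress; the guard lets the file be linted alone.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'wp_image_editors', 'example_prefer_gd_editor', 99 );
}
```

Setting EXAMPLE_DROP_IMAGICK to true keeps WordPress from using Imagick at all, at the cost of having no image editor when GD is unavailable.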

PS: Supplementary information

If we are on a virtual host, the hosting provider is responsible for this. Ask the service provider whether ImageMagick is installed and whether it has been updated to the latest patched version. If ImageMagick is installed and upgraded to the latest version, there is generally no problem. If we run our own server, we can also solve it with the following method, which follows the official solution.

1. Modify the configuration file

/etc/ImageMagick/policy.xml

2. Add script







This official method disables ImageMagick.


All copyrights belong to 888u unless otherwise stated.