
WP-Members 3.5.4.5 Release Notes

Chad Butler · Dec 24, 2025 ·


WP-Members 3.5.4.5 has been released. This is a security update. It is entirely focused on the filesystem for files uploaded through the registration/user profile form. If your install does not use the image or file field types, then this update is optional for you.

Note: version 3.5.4.5 has not been released as the production version (which remains 3.5.4.4). You can get the 3.5.4.5 version for testing here.

Background

If you use the image or file field type, the changes in this update make the storage of those uploaded files more secure. The update includes a process that you can initiate to update any existing uploaded files to the new structure. It is important that you back up your database and file system at a minimum. It would be advisable to do a test run on a staging site prior to updating production (a good best practice that should be in place for any site updates, not just this one).

The previous (and now deprecated) file system used the user ID for the directory name. This would be easily guessable by a threat actor. The plugin does place index.php files in each directory so they cannot be browsed, but if the user used an easily guessable name for their file, such as “tax_return.pdf”, a threat actor could probe for these.

The Change

In order to prevent paths that could be probed in this manner, the new structure uses a number of hashes. First, the user files subdirectory will contain a hash. Then, each user folder will be a hashed string. Lastly, each file will be renamed with a hashed result.

A new install will begin with this structure. All updated installs will use the new structure for any uploads at the point of upgrade. Existing files under the deprecated structure will remain. You will need to run the upgrade tool to move them.

  • WP CLI upgrade tool – Preferred
  • Admin panel upgrade tool

If you have a large number of users and/or a large number of uploaded files, I highly recommend that you use the WP CLI tool. WP CLI is fairly common among hosts now, much more so than it was 10 years ago. Using the command line option avoids any system limitations within the browser (such as memory and script timeout potential). The steps are simple and outlined in the instructions so that even a novice can do it.

What the Move Entails

The move is a two-step process. All files are saved in WordPress as an attachment post type. This contains information about the file in the wp_posts table as well as meta entries in wp_postmeta. This information is scanned in the first step to determine if there are files to move.

The first step goes through these entries. Although I have called this step “move” (as opposed to step 2, “delete”), files are not “moved” in the file system; they are copied. The “move” takes place in the WordPress database by changing the location of the media in the entries for the attachment post type. This is updated to the new structure as it is created.

The system will loop through each attachment post type that matches the path wp-content/uploads/wpmembers/user_files/. For each that it finds, it will create directories following the new standard, then copy and rename the associated file.

Once complete, any errors will be displayed. If there were no errors, a success message is displayed.

Upon success, you may proceed to the second step, which is to delete the old files. Completing step 1 alone does not remove the potential insecurity, because the old copies are still in place under the deprecated paths. You must complete step 2 as well. Step 2 will delete the old directories and files.

Note that step 2 need not be done in the admin or WP CLI process. You can delete the old /user_files/ directory manually if you need to (such as a case where your webserver does not allow the process to be run from the browser).
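A filesystem check for the point above that the exposure remains until step 2 is done, written as an added example (it is not part of the plugin or the original post). It assumes the uploads directory is passed as an argument, that deprecated user folders are named with digits only (the user ID), and that hashed folder names are not purely numeric; the function names and sample tree are hypothetical.

```shell
#!/bin/sh
# Added example: audit for files left behind in the deprecated layout
# uploads/wpmembers/user_files/<user ID>/<original filename>.

# Print every file still stored under a numeric user-ID directory,
# ignoring the index.php placeholders the plugin puts in each directory.
legacy_leftovers() {
    legacy_root="$1/wpmembers/user_files"
    [ -d "$legacy_root" ] || return 0
    for dir in "$legacy_root"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        # Assumption: only all-digit names belong to the old user-ID scheme.
        case "$name" in
            ''|*[!0-9]*) continue ;;
        esac
        find "$dir" -type f ! -name 'index.php' -print
    done
}

# Count the leftovers; anything above zero means old copies still exist.
count_legacy_leftovers() {
    legacy_leftovers "$1" | grep -c . || true
}

# Constructed sample tree (not real data) so the script runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/wpmembers/user_files/42" "$demo/wpmembers/user_files/7"
: > "$demo/wpmembers/user_files/42/index.php"
: > "$demo/wpmembers/user_files/42/tax_return.pdf"
: > "$demo/wpmembers/user_files/7/index.php"

echo "Files still in the deprecated layout: $(count_legacy_leftovers "$demo")"
legacy_leftovers "$demo"
rm -rf "$demo"
```

On a real site, call `count_legacy_leftovers` with the path to `wp-content/uploads` after step 2; a result of 0 means no old copies remain under numeric user-ID folders.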

Why not do it all in one step?

That was considered. However, the second step is to delete the old directories and files. That is irreversible without a backup. I am certain there will be users who will skip the process of backing up their file system and run into a problem. Even if backups are available, having the deletion process as a second step allows for re-running the first step if necessary.
