UpdraftPlus CVE-2026-10795: 3 Million WordPress Sites at Risk of Being Hacked, and How to Check and Fix Yours Step by Step

Quick answer

CVE-2026-10795 is an authentication bypass in the UpdraftPlus plugin (3 million sites) that lets an attacker forge RPC commands and gain administrator rights. Update to 1.26.5 or later right away. Then check for new users, recently modified PHP files, and unusual requests to wp-json/updraftplus/ in your access logs.


In June 2026 the WordPress community was shaken by one of the most serious security flaws in years. UpdraftPlus, the most popular backup plugin with more than 3 million installations, was found to have CVE-2026-10795, which lets anyone log in to your WordPress site as an administrator. Below I walk you through checking your site, fixing it, and finding out whether it has already been hacked.

What is the UpdraftPlus CVE-2026-10795 security flaw?

CVE-2026-10795 is an authentication bypass in the UpdraftPlus plugin affecting every version up to and including 1.26.4. The root cause is in UpdraftPlus_Remote_Communications_V2::wp_loaded, part of the UpdraftCentral remote-control feature: the signature verification can be bypassed, and the decryption routine returns 0 on failure without that result being checked. The result is that an attacker can forge RPC commands, run them with administrator privileges, upload a malicious plugin, and fully take over your site.

Why is this flaw so dangerous?

Three reasons make me rate this the most serious flaw of June 2026. First, UpdraftPlus has 3 million active installations, so exploitation will spread fast. Second, Wordfence received the report on 2 June 2026 and began blocking attacks the same day, which means real attacks are already happening. Third, according to Patchstack's State of WordPress Security 2026 report, the median time to mass exploitation is only 5 hours, counted from disclosure to large-scale attacks.

How to check whether your site is affected

Three steps tell you right away. Step 1: log in to the WordPress admin dashboard, go to Plugins > Installed Plugins and find UpdraftPlus. Step 2: look at the Version column; any version at 1.26.4 or below means your site is at risk. Step 3: if you don't remember whether UpdraftPlus is installed, check with WP-CLI. The command below lists only active plugins; drop --status=active to see deactivated ones too, because a deactivated copy still sits on disk and should be updated or removed as well:

wp plugin list --status=active --fields=name,version --allow-root

You should also check the other plugins disclosed as vulnerable this June 2026: Kirki (CVE-2026-8206, CVSS 9.8, 500,000+ sites), versions 6.0.0 to 6.0.6, and WP Maps Pro (CVE-2026-8732, CVSS 9.8, 15,000+ sites), versions up to 6.1.0. Both let an unauthenticated attacker gain administrator rights.

How to update UpdraftPlus safely

Here is the 5-step process I follow before updating any plugin, especially a backup plugin. Don't rush the update; one slip can take down the whole site.

Step 1: Back up the whole site before updating. It sounds odd, since UpdraftPlus is itself the backup plugin, but if it has a security flaw you shouldn't trust the old backups. Over SSH, run the following commands to back up by hand:

# Backup database. On a shared host, write to a directory only your user can read
# rather than /tmp, and move the dump off the server when you are done.
mysqldump -u DB_USER -p DB_NAME > /tmp/backup_$(date +%Y%m%d).sql

# Backup wp-content (plugins, themes, uploads)
tar -czf /tmp/wp-content_backup_$(date +%Y%m%d).tar.gz /var/www/yoursite/public_html/wp-content/

Step 2: Flush caches. Go to Settings > Permalinks and click Save Changes (no edits needed; this only flushes the rewrite rules). If you use LiteSpeed Cache, go to LiteSpeed Cache > Toolbox > Purge All.

Step 3: Update the plugin. You can update from Dashboard > Plugins > Update Now, or faster with WP-CLI. Run it as the web server user (sudo -u www-data, as below) rather than as root with --allow-root, so the updated files keep the right ownership:

sudo -u www-data wp plugin update updraftplus --path=/var/www/yoursite/public_html

Step 4: Verify the version. After updating, confirm that the version is now 1.26.5 or later:

wp plugin list --status=active --fields=name,version --allow-root | grep updraftplus

Step 5: Test the site. Open the home page, log in to the admin, and check that the Backup/Restore page still works. If everything is fine you are patched, which is not the same as clean; the next section covers that.

How to check whether the site has already been hacked

If you ran a vulnerable version of UpdraftPlus for a while before updating, you need to check whether the site was compromised. I go through these 5 checks:

Check 1: Scan for new users. Run the SQL query below to list all administrator accounts. Any user you don't recognise is a big red flag; also compare the registration dates against the disclosure date:

SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
INNER JOIN wp_usermeta m ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities'   -- if your table prefix is not wp_, use <prefix>capabilities
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;

Check 2: Scan for new plugins and themes. Attackers often install a backdoor plugin. Look for files that appeared in wp-content/plugins that you didn't install:

# List recently modified plugins (7 days)
find /var/www/yoursite/public_html/wp-content/plugins/ -name "*.php" -mtime -7 -type f

# Check for unknown plugins in database
wp plugin list --allow-root --path=/var/www/yoursite/public_html

Check 3: Scan for malware. Use Wordfence Scan or another well-known security plugin (Sucuri Scan) to scan the whole site. If you have SSH access, you can also run:

# Find recently modified PHP files (may indicate injected backdoors)
find /var/www/yoursite/public_html/ -name "*.php" -mtime -7 -type f | head -50

# Check for common backdoor patterns
grep -rl "eval(base64_decode\|eval(gzinflate\|str_rot13\|gzuncompress" /var/www/yoursite/public_html/wp-content/ --include="*.php"

Check 4: Check the access logs. Look for unusual requests to /wp-json/updraftplus/ or the UpdraftCentral endpoints; they show whether an attacker probed your site. Don't filter out successful responses: a 200 on the RPC endpoint from an address you don't know is exactly the hit you are looking for:

# All requests touching UpdraftPlus/UpdraftCentral, grouped by client IP and status code
# ($9 is the status in the nginx "combined" log format)
grep -i "updraft" /var/log/nginx/access.log | awk '{print $1, $9}' | sort | uniq -c | sort -rn | head -20

# Look for admin login from unusual IPs
grep "wp-login.php" /var/log/nginx/access.log | grep "POST" | awk '{print $1}' | sort | uniq -c | sort -rn | head -20

Check 5: Check cron jobs and scheduled tasks. Attackers often create a cron job to keep their access:

wp cron event list --allow-root --path=/var/www/yoursite/public_html
crontab -l
ls -la /etc/cron.d/
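The five checks above as one runnable triage script. This is an added example of my own, not code from the article or from UpdraftPlus, and it also covers the version check from the "How to check whether your site is affected" section: versions must be compared numerically, because as strings "1.26.10" sorts before "1.26.4". Every path, IP address, PHP file and log line in it is constructed for the demo; the backdoor regexes are the classic patterns grepped for above plus two more common ones (preg_replace with the /e modifier and calling a request parameter as a function). Point scan_php_for_backdoors at your real wp-content and analyze_access_log at your real access log to use it for real.

```python
"""Post-exposure triage for a WordPress site (added example, not UpdraftPlus code).
is_vulnerable_version: numeric version compare; scan_php_for_backdoors: recently modified
PHP files with classic backdoor patterns; analyze_access_log: UpdraftPlus requests and
wp-login.php POST bursts per client IP. All paths, IPs and log lines are constructed."""
import os
import re
import tempfile
import time
from collections import Counter, defaultdict

FIXED_VERSION = (1, 26, 5)  # first patched release named in the article


def is_vulnerable_version(installed: str) -> bool:
    """True for every release up to 1.26.4. Tuples, not strings: '1.26.10' > '1.26.4'."""
    return tuple(int(p) for p in re.findall(r"\d+", installed)) < FIXED_VERSION


# eval() over a decoder, preg_replace with the /e modifier, and "$_POST['x'](...)" calls
BACKDOOR_PATTERNS = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    r"|preg_replace\s*\([^)]*/e['\"]"
    r"|\$_(?:GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\("
)


def scan_php_for_backdoors(root: str, max_age_days=7) -> list:
    """(path, line_no, snippet) for matching PHP files modified in the last max_age_days,
    like find -mtime. Attackers can reset mtimes with touch, so pass None for a full scan."""
    cutoff = None if max_age_days is None else time.time() - max_age_days * 86400
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not name.endswith(".php") or (cutoff and os.path.getmtime(path) < cutoff):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    if BACKDOOR_PATTERNS.search(line):
                        hits.append((path, no, line.strip()[:80]))
    return hits


# nginx "combined" format: ip - user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def analyze_access_log(lines, login_threshold: int = 10) -> dict:
    """UpdraftPlus requests per IP and status, plus IPs with >= login_threshold login POSTs.
    Nothing is filtered by status: a 200 on the RPC endpoint is the hit you care about."""
    rpc, logins = defaultdict(Counter), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skipped, not treated as clean
        ip, method, path, status = m.groups()
        if "updraft" in path.lower():
            rpc[ip][status] += 1
        elif method == "POST" and path.lower().startswith("/wp-login.php"):
            logins[ip] += 1
    return {
        "rpc_by_ip": {ip: dict(c) for ip, c in rpc.items()},
        "login_bursts": {ip: n for ip, n in logins.items() if n >= login_threshold},
    }


# ---- constructed sample data (not real traffic or real files) ----
def _log(ip, method, path, status):
    return f'{ip} - - [02/Jun/2026:10:15:01 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "curl/8.0"'


SAMPLE_LOG = (
    [_log("203.0.113.7", "POST", "/wp-json/updraftplus/", 403)] * 2
    + [_log("203.0.113.7", "POST", "/wp-json/updraftplus/", 200)]
    + [_log("198.51.100.9", "POST", "/wp-login.php", 200)] * 10
    + [_log("192.0.2.1", "POST", "/wp-login.php", 302), _log("192.0.2.1", "GET", "/", 200)]
)


def build_sample_site() -> str:
    """Fake wp-content tree: one clean plugin, one fresh backdoor, one month-old backdoor."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    files = {
        "plugins/clean/clean.php": "<?php echo 'hello'; ?>\n",
        "plugins/cache-helper/cache-helper.php": "<?php eval(base64_decode($_POST['k'])); ?>\n",
        "plugins/old/old.php": "<?php $_REQUEST['c']($_REQUEST['a']); ?>\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    month_ago = time.time() - 30 * 86400
    os.utime(os.path.join(root, "plugins/old/old.php"), (month_ago, month_ago))
    return root


if __name__ == "__main__":
    site = build_sample_site()
    print("recent:", scan_php_for_backdoors(site), "\nall:", scan_php_for_backdoors(site, None))
    print(analyze_access_log(SAMPLE_LOG))
```

The mtime filter mirrors the find -mtime -7 commands above and has the same blind spot: the month-old backdoor is only found with max_age_days=None, and a careful attacker will touch files back to old timestamps, so run a full scan once and keep the 7-day version for routine checks.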

WordPress security in 2026: 5 things you need to know

According to the State of WordPress Security 2026 report by Patchstack (in partnership with Monarx), 2025 saw 11,334 new vulnerabilities in the WordPress ecosystem, up 42% from 2024. Of those, 17% were high severity (serious, and open to mass exploitation). Based on that data, here are 5 things you should do now:

1. Update plugins as soon as a patch is out. Patchstack reports that the median time to mass exploitation is only 5 hours. In other words, from the moment a flaw is made public, attackers need only 5 hours to start attacking at scale. If you wait 1 to 2 weeks to update, the risk is very high.

2. Don't trust premium plugins more. 76% of vulnerabilities in premium components are actually exploitable, and premium plugins have three times as many Known Exploited Vulnerabilities (KEV) as free plugins. The reason: premium code gets less community security review than free code.

3. Use a Web Application Firewall (WAF). In Patchstack's small-scale pentest, only 26% of vulnerability attacks were blocked by the hosting provider's security tools. A dedicated WAF such as Wordfence, Cloudflare, or Patchstack RapidMitigate is a must.

4. Check premium plugins specifically. If you use plugins from Envato (ThemeForest/CodeCanyon), pay extra attention: 59% of vulnerability reports for premium components are high severity. Open the plugin's page on Envato and check the changelog for a recent update.

5. Set up recurring manual backups. The UpdraftPlus case shows that when the backup tool itself is the vulnerable component, you need more than one backup method. At minimum: one automated backup (UpdraftPlus or BackWPup), one manual backup through an SSH cron job, and one backup at the server level (a VPS snapshot).

Server configuration against the authentication bypass

Beyond updating the plugin, you can add a layer at the server level. I usually configure Nginx or OpenLiteSpeed to block suspicious requests to sensitive endpoints. Two things to get right in the Nginx snippet: limit_req is not permitted inside an if block, so the "POST only" condition goes into a map that keys the zone on the client address for POST and on an empty string (no limiting) for everything else; and any location that catches a .php file must still hand it to PHP-FPM, otherwise nginx serves the PHP source as a plain file.

Nginx: block access to the UpdraftPlus API from outside and throttle login attempts (the PHP-FPM socket path is an assumption; copy it from your existing "location ~ \.php$" block):

# /etc/nginx/conf.d/block-updraft.conf
# The map and limit_req_zone lines belong in the http {} context; the two
# location blocks go inside your site's server {} block.

# Count only POST requests per client address; an empty key is not rate limited
map $request_method $login_limit_key {
    default "";
    POST    $binary_remote_addr;
}
limit_req_zone $login_limit_key zone=login:10m rate=5r/m;

# Only localhost and your own server may reach the UpdraftPlus REST endpoints.
# ^~ makes this prefix location win over the regex locations in the server block.
location ^~ /wp-json/updraftplus/ {
    allow 127.0.0.1;
    allow YOUR_SERVER_IP;
    deny all;
    try_files $uri $uri/ /index.php?$args;
}

# Throttle POST /wp-login.php. Exact match (=) beats the regex .php location,
# so this block has to pass the request to PHP-FPM itself.
location = /wp-login.php {
    limit_req zone=login burst=5 nodelay;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php8.2-fpm.sock;   # assumed path; match your PHP handler
}

OpenLiteSpeed: the same block as a rewrite rule. Rewrite rules cannot rate limit, and setting an environment variable on wp-login.php does nothing; request throttling in OpenLiteSpeed is configured in the WebAdmin console under Security > Per Client Throttling instead.

# Block external access to the UpdraftPlus API (vhost-level rule; in a .htaccess
# the pattern has no leading slash: ^wp-json/updraftplus/)
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteCond %{REMOTE_ADDR} !^YOUR_SERVER_IP$
RewriteRule ^/wp-json/updraftplus/ - [F,L]

Note: this configuration is only an extra layer. The hook named above, wp_loaded, fires on every WordPress request, so a web-server rule covering one path cannot be relied on to cut off every route to the RPC listener. Updating the plugin is what matters; never depend on a single layer of security.

Troubleshooting: common problems during the fix

Problem 1: UpdraftPlus stops working after the update. The usual cause is a PHP version conflict or the memory limit. In wp-config.php, raise the limit: define('WP_MEMORY_LIMIT', '256M');. If it still fails, check the error log: tail -f /var/log/php8.x-fpm.log (substitute your PHP version).

Problem 2: Old backups won't restore. If an attacker may have modified your backups, you cannot trust them. Create a fresh backup right after updating and scanning. Keep a copy of the old backups offline for forensics, but remove them from anything that could restore them into production, so you don't restore the malware along with the site.

Problem 3: The site redirects elsewhere after the fix. This means the site was compromised before you updated. Check .htaccess, wp-config.php, your theme's functions.php, and the siteurl and home values in wp_options for malicious changes. Run Wordfence Scan or Sucuri Scan right away.

Problem 4: Admin password lost after the update. Reset it with WP-CLI: wp user update 1 --user_pass="new_password" --allow-root (the first argument is a user ID or login name; 1 is only the default first account). Then log in and change the password again immediately, since the one you typed is now in your shell history.

Problem 5: The backup cron job runs several times. Go to Settings > UpdraftPlus Backups > Settings, check "File backup intervals" and "Database backup intervals", and choose Manual or adjust the schedule to suit.

Summary

CVE-2026-10795 in UpdraftPlus is a reminder that WordPress security is not a one-off job. With 11,334 new vulnerabilities a year and a median time to exploitation of only 5 hours, you need a process for updating immediately, a WAF in front of the site, and multi-layer backups. Today: check your UpdraftPlus version, update to 1.26.5 or later, and run a security scan. Thirty minutes of setup beats thirty days of cleanup after a hack.

If you are new to WordPress and not yet comfortable with SSH, start with my WordPress database cleanup guide to get used to WP-CLI first. Security is a long road, and every small step brings you closer to a secure site.

Thanh Tùng

I'm Thanh Tùng. My friends call me the "computer doctor" because whenever a machine has a problem I want to poke around inside it. I write guides the way I wish someone had written them for me back then: step by step, nothing left out, and saying up front what tends to go wrong. Outside work I play guitar, keep cats, and have a VPS set aside just for installing all sorts of odds and ends.
