UpdraftPlus, the most popular WordPress backup plugin with more than 3 million installs, has just been found to have a critical Authentication Bypass vulnerability (CVE-2026-10795). It lets an attacker send a single HTTP request to become an administrator, upload a malicious plugin and take control of the entire website. No password, no login, no user interaction required.
I am writing this post right away because Wordfence reports having blocked more than 4,987 attacks in the last 24 hours. If your website runs UpdraftPlus 1.26.4 or lower, you must update immediately.
What Is CVE-2026-10795 and Why Is It So Dangerous?
CVE-2026-10795 is an Authentication Bypass vulnerability in the UpdraftCentral Remote Communications (UDRPC) system of the UpdraftPlus plugin. This system is designed to let administrators control backup, restore and migration remotely, protected by AES-128 encryption. However, two bugs in combination completely break that authentication mechanism.
The first bug is that signature verification does not fully check the integrity of the RPC payload. The second is more dangerous: when an attacker sends a malformed key, decryption falls back to a default state with an all-zero AES key. This means the attacker can encrypt forged RPC commands with that trivial all-zero key, and the server accepts them without question.
Researcher “vtim” discovered the vulnerability on 2/6/2026 through the Wordfence Bug Bounty Program and received a $5,200 reward. UpdraftPlus released a patched version shortly afterwards.
How Does This Vulnerability Affect UpdraftPlus?
The vulnerability affects every UpdraftPlus version up to and including 1.26.4, which means more than 3 million active installs worldwide. It is one of the most popular WordPress backup plugins, so the attack surface is enormous.
The complete attack chain is as follows: first, the attacker sends a forged RPC request to the website's UDRPC endpoint. The server accepts it because the forged signature passes verification. Next, the attacker uses RPC to upload a ZIP file containing a malicious plugin. Finally, the system activates that plugin automatically, giving the attacker full PHP execution and operating-system access. The whole process requires no credentials at all.
It is especially dangerous because UpdraftPlus has access to the entire WordPress filesystem and database. If exploited, the attacker not only controls the website but can also read wp-config.php to obtain the database credentials, every password and any SSH keys present.
How to Check Whether Your Website Is Affected
Follow these 3 steps for a quick check:
Step 1: Log in to the WordPress Dashboard, go to Plugins > Installed Plugins, find UpdraftPlus and look at the current version. If it is 1.26.4 or lower, your website is at risk.
Step 2: If you have SSH access to the server, run the following WP-CLI command for a quick check:
sudo -u www-data wp plugin list --status=active --fields=name,version,update_version --path=/var/www/thienlv.com/public_html | grep updraftplus
The output shows the current version and the latest available version. If the current version is lower than 1.26.5, you need to update immediately.
Step 3: Check the access log for signs of attack. Attacks usually call the UDRPC endpoint. Run this on the server:
grep -i "updraftplus" /var/log/nginx/access.log | grep -v "wp-admin" | tail -50
If you see many unusual requests to UpdraftPlus RPC files from unfamiliar IPs, the website may have been attacked. Record those IPs for reporting and further analysis.
Updating UpdraftPlus Safely, From A to Z
This is the update procedure I always follow on every WordPress website when a critical vulnerability like this appears. Follow the steps in order and do not skip any.
Step 1: Back up the entire website before updating
Use UpdraftPlus itself to back up, or use WP-CLI:
# Back up the database and files
sudo -u www-data wp db export /tmp/backup_pre_update_$(date +%Y%m%d).sql --path=/var/www/thienlv.com/public_html
# Back up the wp-content directory
tar -czf /tmp/wp_content_backup_$(date +%Y%m%d).tar.gz -C /var/www/thienlv.com/public_html/wp-content .
Step 2: Put up a maintenance notice
If your website has high traffic, enable maintenance mode first:
sudo -u www-data wp maintenance-mode activate --path=/var/www/thienlv.com/public_html
Step 3: Update UpdraftPlus to the latest version
# Update via WP-CLI (recommended)
sudo -u www-data wp plugin update updraftplus --path=/var/www/thienlv.com/public_html
# Or update manually if WP-CLI has problems (-o overwrites the existing plugin files without prompting)
cd /var/www/thienlv.com/public_html/wp-content/plugins/
wget https://downloads.wordpress.org/plugin/updraftplus.latest-stable.zip
unzip -o updraftplus.latest-stable.zip
rm updraftplus.latest-stable.zip
Step 4: Verify the version after updating
sudo -u www-data wp plugin list --status=active --fields=name,version --path=/var/www/thienlv.com/public_html | grep updraftplus
The version must be higher than 1.26.4 (usually 1.26.5 or newer). If it still shows the old version, flush the cache and update again:
sudo -u www-data wp cache flush --path=/var/www/thienlv.com/public_html
sudo -u www-data wp plugin update updraftplus --force --path=/var/www/thienlv.com/public_html
Step 5: Disable maintenance mode
sudo -u www-data wp maintenance-mode deactivate --path=/var/www/thienlv.com/public_html
Step 6: Enable auto-updates for UpdraftPlus
sudo -u www-data wp plugin auto-updates enable updraftplus --path=/var/www/thienlv.com/public_html
Note: enabling auto-update for a critical plugin such as your backup plugin is necessary, but you should still check after each update to make sure nothing conflicts with your theme or other plugins.
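The six steps above chained into one guarded script, as an added example that is not part of the original post: it backs up, switches maintenance mode on, updates, verifies that the installed version is at or above 1.26.5 (the first fixed release named above), and switches maintenance mode off again even if the update fails. It assumes WP-CLI is installed and that the site path and web-server user are those used throughout this post (both can be overridden through WP_PATH and WP_USER); the version comparison is a plain component-by-component numeric compare written for this example.

```shell
#!/bin/sh
# Added example, not from the article: guarded version of the update procedure.
# Assumes WP-CLI, the article's site path and user (overridable), and that 1.26.5
# is the first fixed release, as the article states.
set -eu

WP_PATH="${WP_PATH:-/var/www/thienlv.com/public_html}"
WP_USER="${WP_USER:-www-data}"
BACKUP_DIR="${BACKUP_DIR:-/tmp}"
FIXED_VERSION="1.26.5"

# Compare dotted version strings: prints -1, 0 or 1 for a < b, a == b, a > b.
# Missing trailing components count as 0, so 1.26 equals 1.26.0.
version_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -n "$x" ] || x=0
        [ -n "$y" ] || y=0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
    done
    printf '%s\n' 0
}

# Exit status 0 when the given UpdraftPlus version is below the first fixed release.
updraft_is_vulnerable() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

wp_cli() { sudo -u "$WP_USER" wp --path="$WP_PATH" "$@"; }

installed_version() { wp_cli plugin get updraftplus --field=version; }

# Whatever happens after maintenance mode is switched on, switch it off again.
leave_maintenance() { wp_cli maintenance-mode deactivate || true; }

guarded_update() {
    before=$(installed_version)
    if ! updraft_is_vulnerable "$before"; then
        echo "UpdraftPlus $before is already at or above $FIXED_VERSION; nothing to do."
        return 0
    fi
    stamp=$(date +%Y%m%d_%H%M%S)
    wp_cli db export "$BACKUP_DIR/db_pre_updraft_$stamp.sql"
    tar -czf "$BACKUP_DIR/wp_content_pre_updraft_$stamp.tar.gz" -C "$WP_PATH/wp-content" .
    wp_cli maintenance-mode activate
    trap leave_maintenance EXIT
    wp_cli plugin update updraftplus
    after=$(installed_version)
    if updraft_is_vulnerable "$after"; then
        echo "Update did not take: still on $after (expected >= $FIXED_VERSION)." >&2
        return 1
    fi
    echo "UpdraftPlus updated: $before -> $after"
}

# Only run when asked, so sourcing this file just defines the functions.
if [ "${1:-}" = "run" ]; then
    guarded_update
fi
```

Run it as `sh update-updraftplus.sh run`. The version check after the update is what turns the procedure into a guard: a cached plugin list or a failed download otherwise leaves you believing the fix is in place while 1.26.4 is still serving requests.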
What If the Website Was Compromised Before the Update?
If your website ran the vulnerable UpdraftPlus version for a long time before the update, you need a thorough audit to make sure no backdoor was left behind. I usually run these 5 checks:
1. Check for unusual administrator accounts:
sudo -u www-data wp user list --role=administrator --fields=ID,user_login,user_registered --format=table --path=/var/www/thienlv.com/public_html
Look carefully at each account's registration date. If there is a new admin account you do not recognise, delete it immediately:
sudo -u www-data wp user delete <user_id> --reassign=1 --path=/var/www/thienlv.com/public_html
2. Check recent file modifications in wp-content:
# Find PHP files modified in the last 7 days
find /var/www/thienlv.com/public_html/wp-content/ -type f -mtime -7 -name "*.php" | head -50
# Find PHP files hidden in the uploads directory (a webshell indicator)
find /var/www/thienlv.com/public_html/wp-content/uploads/ -name "*.php" -type f
A PHP file in uploads is always a danger sign. WordPress never places PHP files there.
3. Scan for malware with Wordfence CLI or ClamAV:
# Scan with ClamAV (if installed)
clamscan -r --move=/tmp/quarantine /var/www/thienlv.com/public_html/wp-content/
# Or install Wordfence CLI
composer global require wordfence/wfcli
wfcli scan /var/www/thienlv.com/public_html/
I have previously written a detailed guide on installing ClamAV and scanning WordPress for malware on a VPS; if you have not installed it yet, refer to that.
4. Check the access log for signs of exploitation:
# Find requests containing "udrpc" or "updraftplus" from external IPs
grep -E "(udrpc|updraftplus)" /var/log/nginx/access.log | grep -v "200.*wp-admin" | awk '{print $1}' | sort | uniq -c | sort -rn | head -20
If one IP has sent hundreds of requests, it is almost certainly a bot scanning and attacking.
5. Check backup integrity:
Because UpdraftPlus manages the backups, the attacker may have modified a backup to plant a backdoor. Check the backup directory:
# List recent backup files
ls -la /var/www/thienlv.com/public_html/wp-content/updraft/
# Check whether any backup file was modified recently
find /var/www/thienlv.com/public_html/wp-content/updraft/ -type f -mtime -7
If you find anything unusual, delete the old backups and create a fresh backup right after cleaning up.
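The access-log check from step 3 of the quick check and from audit step 4 above, as an added example that is not part of the original post: the one-liners become functions that count RPC requests, rank source IPs, flag sources over a threshold and summarise status codes, run here over a constructed sample log. The post does not name the UDRPC script file, so the filter matches any PHP file under the plugin directory (the same pattern as the Nginx location rule later in this post); the endpoint path, IPs and user agents in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article: access-log triage for UpdraftPlus RPC traffic.
# The RPC script name is not given in the article, so this matches any PHP file under
# the plugin directory, like the article's Nginx location rule. Sample data is constructed.
set -eu

PLUGIN_PHP_RE='plugins/updraftplus/[^" ]*\.php'

# Writes a constructed sample in Nginx combined log format and prints its path.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.10 - - [10/Jun/2026:12:00:01 +0000] "POST /wp-content/plugins/updraftplus/includes/example-endpoint.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [10/Jun/2026:12:00:02 +0000] "POST /wp-content/plugins/updraftplus/includes/example-endpoint.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [10/Jun/2026:12:00:03 +0000] "POST /wp-content/plugins/updraftplus/includes/example-endpoint.php HTTP/1.1" 200 4096 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jun/2026:12:05:00 +0000] "POST /wp-content/plugins/updraftplus/includes/example-endpoint.php HTTP/1.1" 403 0 "-" "curl/8.4.0"
192.0.2.5 - - [10/Jun/2026:12:06:00 +0000] "GET /wp-admin/admin.php?page=updraftplus HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Jun/2026:12:06:01 +0000] "GET /wp-content/plugins/updraftplus/css/example.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2026:12:07:00 +0000] "GET /index.php HTTP/1.1" 200 30000 "-" "Mozilla/5.0"
EOF
    printf '%s\n' "$f"
}

# Log lines that hit a PHP file under the plugin directory, excluding the admin UI.
rpc_hits() {
    grep -E "$PLUGIN_PHP_RE" "$1" | grep -v 'wp-admin' || true
}

# Number of such requests.
rpc_request_count() {
    rpc_hits "$1" | wc -l | tr -d ' '
}

# "<ip> <count>" per source, busiest first.
rpc_sources() {
    rpc_hits "$1" | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Sources at or above a request threshold: the IPs the article says to record and report.
suspicious_sources() {
    rpc_sources "$1" | awk -v t="$2" '$2 >= t {print $1}'
}

# "<status> <count>": a run of 200s on an endpoint you never use deserves a closer
# look than a run of 403s coming from a deny rule.
rpc_status_summary() {
    rpc_hits "$1" | awk '{print $9}' | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

log=$(write_sample_log)
echo "RPC requests: $(rpc_request_count "$log")"
echo "Per source:"
rpc_sources "$log"
echo "Sources with 2 or more requests: $(suspicious_sources "$log" 2)"
echo "Status codes:"
rpc_status_summary "$log"
rm -f "$log"
```

Point the functions at /var/log/nginx/access.log (and the rotated files) instead of the sample. Excluding `wp-admin` keeps your own plugin pages out of the count; matching on the plugin directory rather than the bare word "updraftplus" keeps CSS and JavaScript assets out as well, so what remains is direct calls to plugin PHP files, which a browser session never makes.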
How to Prevent Similar Attacks in the Future
Updating the plugin is the step you must take right now, but long-term protection needs more layers of defence. According to the Patchstack State of WordPress Security 2026 report, 87.8% of hosting providers do not block vulnerability attacks, so you cannot rely on your host alone.
Layer 1: Web Application Firewall (WAF)
Install Wordfence or Cloudflare WAF to block unusual requests to the UpdraftPlus RPC endpoint. Wordfence has released a firewall rule for CVE-2026-10795; you only need to make sure that rule is enabled.
Layer 2: Block RPC access from outside
If you do not use UpdraftCentral, block this RPC endpoint completely. Add a rule to Nginx:
location ~* /wp-content/plugins/updraftplus/includes/.*\.php$ {
    deny all;
    return 403;
}
Place this location block before the generic location that handles \.php$ requests: Nginx uses the first matching regular-expression location in file order, so a rule placed after the PHP handler never fires.
Layer 3: Restrict PHP in wp-content via .htaccess (Apache)
# Block access to PHP files in uploads (prevents webshells); put this in wp-content/uploads/.htaccess
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
On Apache 2.4 the equivalent inside the same <Files> block is Require all denied.
Layer 4: Monitoring and alerts
Install Fail2Ban to block IPs that send many unusual requests automatically. Set up a cron job that emails an alert when new PHP files appear in wp-content:
# Crontab: every hour, look for PHP files created or modified in the last 24 hours and mail only when something is found (replace the address with your own)
0 * * * * f=$(find /var/www/thienlv.com/public_html/wp-content/ -name "*.php" -mtime -1 -type f); [ -n "$f" ] && echo "$f" | mail -s "[ALERT] New PHP files detected" admin@example.com
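The file checks in audit step 2 and the cron job above both rely on modification times, which an intruder can reset with touch. As an added example that is not part of the original post, here is a content-hash baseline for the PHP files under wp-content: build a manifest after a clean update, rebuild it from cron, and report files that were added, modified or removed. It uses only find, sha256sum (or shasum) and awk; file paths are assumed to contain no spaces, and the site directory in the demo is a constructed temporary tree.

```shell
#!/bin/sh
# Added example, not from the article: hash-based baseline for PHP files under wp-content.
# Assumes paths without spaces. Uses sha256sum, or shasum where coreutils is absent.
set -eu

file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Manifest of every .php file under $1: "<sha256>  <path>", one per line, sorted by path.
build_manifest() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        file_hash "$f"
    done
}

# Compare a baseline manifest ($1) with a current one ($2).
# Prints "ADDED <path>", "MODIFIED <path>" or "REMOVED <path>" lines, sorted.
manifest_changes() {
    awk 'NR == FNR { base[$2] = $1; next }
         {
             if (!($2 in base)) print "ADDED", $2
             else if (base[$2] != $1) print "MODIFIED", $2
             seen[$2] = 1
         }
         END { for (p in base) if (!(p in seen)) print "REMOVED", p }' "$1" "$2" | sort
}

# Print changes and return 1 when there are any, so cron can chain a mail command
# with "|| mail ..." and stay silent when nothing changed.
report_changes() {
    changes=$(manifest_changes "$1" "$2")
    [ -n "$changes" ] || return 0
    printf '%s\n' "$changes"
    return 1
}

# Constructed demonstration: a clean baseline, then the two things a webshell drop
# typically leaves behind (an altered plugin file and a new PHP file in uploads).
demo() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads" "$site/wp-content/plugins/foo"
    printf '<?php echo 1;\n' > "$site/wp-content/plugins/foo/foo.php"
    printf 'not php\n' > "$site/wp-content/uploads/image.jpg"
    build_manifest "$site/wp-content" > "$site/baseline.txt"
    printf '<?php echo 2;\n' > "$site/wp-content/plugins/foo/foo.php"
    printf '<?php\n' > "$site/wp-content/uploads/x.php"
    build_manifest "$site/wp-content" > "$site/current.txt"
    manifest_changes "$site/baseline.txt" "$site/current.txt" | sed "s|$site/wp-content/||"
    rm -rf "$site"
}

demo
```

In production, run `build_manifest /var/www/thienlv.com/public_html/wp-content > /root/wpcontent-baseline.txt` immediately after a verified clean update, store the baseline outside the web root, and let cron rebuild the manifest and call `report_changes` hourly, refreshing the baseline only after you have reviewed each change. A hash that differs is evidence an attacker cannot erase by touching the file.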
Common Errors When Updating UpdraftPlus and How to Fix Them
Error 1: “Plugin update failed — download failed”
The usual cause is that the server cannot download the file from wordpress.org. Check the network connection:
curl -I https://downloads.wordpress.org/plugin/updraftplus.latest-stable.zip
If it cannot connect, check the server's firewall or DNS.
Error 2: The website shows “500 Internal Server Error” after the update
The plugin files probably have the wrong permissions or owner. Fix them:
chown -R www-data:www-data /var/www/thienlv.com/public_html/wp-content/plugins/updraftplus/
find /var/www/thienlv.com/public_html/wp-content/plugins/updraftplus/ -type d -exec chmod 755 {} \;
find /var/www/thienlv.com/public_html/wp-content/plugins/updraftplus/ -type f -exec chmod 644 {} \;
Error 3: Backups do not run after the update
Go to Settings > UpdraftPlus Backup and check the cron settings. Run this check:
sudo -u www-data wp cron event list --fields=hook,next_run_relative --path=/var/www/thienlv.com/public_html | grep updraft
If no cron job appears, go to Settings > UpdraftPlus Backup and save the settings again to recreate the cron schedule.
Error 4: The malware scan reports a “false positive”
ClamAV or Wordfence may report a false positive on the plugin's own files. Do not delete the original file. Scan that file on VirusTotal to confirm. If it is a false positive, add it to the scanner's whitelist.
Summary: What to Do Before You Shut Down Tonight
If you have read this far and have not updated UpdraftPlus yet, here are the 3 things you must do right now:
First, check the UpdraftPlus version on every WordPress website you run. Second, update to 1.26.5 or later immediately. Third, check the access log for signs of attack; if there are any, audit the whole website following the 5 steps above.
CVE-2026-10795 is not the kind of vulnerability you can “wait a bit” to patch. According to the Patchstack 2026 report, on average only 5 hours pass between a vulnerability becoming public and the start of mass exploitation. Every hour of delay is another chance for someone to upload a malicious plugin to your website.
WordPress security is not a one-off task; it is a continuous process. Even the backup plugin, the very thing meant to protect you, can become the shortest path for a hacker into your website, and neither the cheapest hosting nor the plugin you trust most is an exception.