Anyone running a WordPress installation needs to be mindful of security, whether they are in charge of a corporate blog or simply running a pet project from home.
The content management system, which powers around 20% of all the sites on the internet, is itself fairly robust, offering regular security patches and software updates to plug newly discovered vulnerabilities.
But users themselves are often slow to react, failing to install updates as they become available, if at all.
By the time you factor in the plethora of available plugins – developed by third parties to add additional functionality to the basic WordPress platform – there are many potential points of failure for an attacker to target.
In fact, back in 2013, we reported how over 73% of all WordPress installations were susceptible to attack, simply because they were running with known vulnerabilities that any hacker with a modicum of knowledge could detect via automated web tools.
Add in the fact that many WordPress owners have palmed administration duties off to third parties – who may not prioritise their best interests as they would if it were their own site – and you have a situation in which site visitors, potential business partners and/or customers are placed at risk.
And there is a cost associated with that – a hacked site needs to be fixed so disruption is inevitable. Not only that but the potential loss of business could be huge and the reputational damage of a breach could be a stigma impossible to ever fully repair.
That’s why we at Naked Security are reiterating a public service announcement released by the Federal Bureau of Investigation (FBI) yesterday.
The bureau notes how hackers affiliated with the Islamic State in the Levant (ISIL) – also known as the Islamic State of Iraq and al-Shams (ISIS) – have begun defacing WordPress-based sites:
The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites.
The notice is short on technical details, failing to name any particular vulnerability, but pointing out how security holes can, and do, lead to a range of issues for both the site owner and its visitors:
Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers. An attacker could install malicious software; manipulate data; or create new accounts with full user privileges for future Web site exploitation.
The FBI announcement stresses that the attackers behind such defacements are not likely to be ISIL terrorists, and are using largely unsophisticated techniques, but that doesn’t mean you shouldn’t take the threat any less seriously – after all, if an attacker can deface your site, there is every chance they could gain full access and embed malware which could then pose a threat to your valued visitors.
And if you think such defacements are only targeting large companies or organisations opposed to ISIL’s aims, think again.
The FBI notes how the attacks its seen so far are not following any type of pattern based upon the website’s name or type of business operation.
Instead, the only link between defaced sites appears to be the sharing of the same common plugin vulnerabilities, all of which are easily exploited with readily available hacking tools.
While we would like to think that you already have a fully updated core installation, running alongside a set of plugins that have all been fully patched and reviewed for any potential security issues, we are also realistic enough to know that not everyone has been so informed or efficient in protecting the integrity of their sites.
So, if you have the responsibility of running a WordPress site, take heed.
As we reported in 2013, there are a number of other ways you can keep your WordPress site secure:
- Always run the very latest versions of your themes
- Be conservative in your selection of plugins and themes
- Delete the admin user and remove unused plugins, themes and users
- Make sure every user has their own strong password
- Enable two factor authentication for all your users
- Force both logins and admin access to use HTTPS
- Generate complex secret keys for your wp-config.php file
- Consider hosting with a dedicated WordPress hosting company
- Put a Web Application Firewall in front of your website