Anyone running a WordPress installation needs to be mindful of security, whether they are in charge of a corporate blog or simply running a pet project from home.
The content management system, which powers around 20% of all the sites on the internet, is itself fairly robust, offering regular security patches and software updates to plug newly discovered vulnerabilities.
But users themselves are often slow to react, failing to install updates as they become available, if at all.
By the time you factor in the plethora of available plugins – developed by third parties to add additional functionality to the basic WordPress platform – there are many potential points of failure for an attacker to target.
In fact, back in 2013, we reported how over 73% of all WordPress installations were susceptible to attack, simply because they were running with known vulnerabilities that any hacker with a modicum of knowledge could detect via automated web tools.
Add in the fact that many WordPress owners have palmed administration duties off to third parties – who may not prioritise their best interests as they would if it were their own site – and you have a situation in which site visitors, potential business partners and/or customers are placed at risk.
And there is a cost associated with that – a hacked site needs to be fixed so disruption is inevitable. Not only that but the potential loss of business could be huge and the reputational damage of a breach could be a stigma impossible to ever fully repair.
That’s why we at Naked Security are reiterating a public service announcement released by the Federal Bureau of Investigation (FBI) yesterday.
The bureau notes how hackers affiliated with the Islamic State in the Levant (ISIL) – also known as the Islamic State of Iraq and al-Shams (ISIS) – have begun defacing WordPress-based sites:
The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites.
The notice is short on technical details, failing to name any particular vulnerability, but pointing out how security holes can, and do, lead to a range of issues for both the site owner and its visitors:
Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers. An attacker could install malicious software; manipulate data; or create new accounts with full user privileges for future Web site exploitation.
The FBI announcement stresses that the attackers behind such defacements are not likely to be ISIL terrorists, and are using largely unsophisticated techniques, but that doesn’t mean you shouldn’t take the threat any less seriously – after all, if an attacker can deface your site, there is every chance they could gain full access and embed malware which could then pose a threat to your valued visitors.
And if you think such defacements are only targeting large companies or organisations opposed to ISIL’s aims, think again.
The FBI notes how the attacks its seen so far are not following any type of pattern based upon the website’s name or type of business operation.
Instead, the only link between defaced sites appears to be the sharing of the same common plugin vulnerabilities, all of which are easily exploited with readily available hacking tools.
While we would like to think that you already have a fully updated core installation, running alongside a set of plugins that have all been fully patched and reviewed for any potential security issues, we are also realistic enough to know that not everyone has been so informed or efficient in protecting the integrity of their sites.
So, if you have the responsibility of running a WordPress site, take heed.
As we reported in 2013, there are a number of other ways you can keep your WordPress site secure:
- Always run the very latest versions of your themes
- Be conservative in your selection of plugins and themes
- Delete the admin user and remove unused plugins, themes and users
- Make sure every user has their own strong password
- Enable two factor authentication for all your users
- Force both logins and admin access to use HTTPS
- Generate complex secret keys for your wp-config.php file
- Consider hosting with a dedicated WordPress hosting company
- Put a Web Application Firewall in front of your website
Image of WordPress courtesy of Gil C / Shutterstock.com.
Steve
I have to say I was initially hopeful about Naked Security posts, but I am getting jaded. All the stories are just that…stories. No solutions. No real explanation of the problems.
This story was a lost opportunity to give decent information. It is a pretty average storu when you can say that the best that came out of it was yet another warning to stay up to date and avoid plugins.
Paul Ducklin
*All* the stories?
What about the ones that are explicitly published as explanations? (Try anything with “Anatomy” in the title, for example.)
As the strapline says, “News. Opinion. Advice. Research.”
Maybe the problem, as you say, is that you’re getting jaded, not Naked Security ;-)
M. Wright
Thank you for this article, For me, it is well-timed because I run a church’s site on WordPress.com. Yesterday, Bing Webmaster Tools told me it was infected with malware.
Unfortunately, the site is hosted by WordPress.com and I am unable to get anyone from support to explain how I can get rid of the malware. I am also a relative beginner who is mostly self-taught.
So, here is a person who is not only not jaded, but who is rather concerned right now, to say the least.
Keep up the good work.
Jim
I disagree, Steve. Yes, for “hot off the presses” articles like this, it will of necessity be short on fixes. (In this case, the FBI didn’t even actually specify a threat.)
But, check it out more frequently. Some of the best articles I’ve ever seen on some security topics I saw here first.
I suggest keeping an open mind for a month or two. In-depth articles come at a pace of 2-3 per month, but there’s a spectrum of them. Some, like this one, are at a high-level. More like enhanced early-warning articles. But, there are others that go deeper, and others that go deeper yet.
Glen
Well said,Jim. Some people just don’t give info a chance.
Mark Stockley
If people kept their stuff up to date we’d stop repeating the advice.
M. Wright
True, but what if everything you have is up to date and the affected site is on WordPress.com’s server, not yours? I am not using their software or plugins.
I am a relative beginner, so I must be missing something.
Joe Bob
This warning is also coming out because recently a bunch of local law enforcement agencies and cities are setting up WP installations with no idea what they are doing or thought to security and the sites were defaced…
Saheike
I don´t trust wether FBI nor ISIS as far as I can throw them because they are created by the same meshpoke
Gustavo
Security through wordpress have to be huge. For it is essential for a better experience.