FBI issues ISIS WordPress plug-in warning

The FBI today issued a warning to WordPress users that their Content Management System (CMS) could be at risk from ISIS supporters intent on making public statements by defacing websites built on one of the world's most popular publishing platforms.

Continuous website defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL), a.k.a. the Islamic State of Iraq and al-Shams (ISIS).

The Public Service Announcement went on to say that the defacements have affected the websites of news organizations, commercial entities, religious institutions, federal, state and local governments, foreign governments, and a whole host of other domestic and international websites. Although the hacking attempts could be termed 'low-level hacking' interruptions, they are nevertheless disruptive and can be costly in lost business revenue, particularly for small businesses that then have to pay for technical consulting services to repair the damage and protect against further attack.

At the heart of the threat are vulnerabilities in the plug-ins deployed on almost all WordPress websites, which may unintentionally facilitate malicious attacks. Past attacks on WordPress websites have exploited such vulnerabilities, and software patches are available for those already identified, but new plug-ins are created daily by users the world over and offered through plug-in marketplaces.

These marketplaces are used not just by website owners, but by WordPress theme builders and consultants. As a result, although a website owner may not have installed a vulnerable plug-in themselves, one may be bundled with the theme they are using, or a contractor or consultant may have installed one to add a feature to an end user's site.

A subsequent successful WordPress hack may give an individual unauthorised access to an entire subscriber list or to the personal data of website visitors, and they could in turn install malicious software that transfers data to a third party on an ongoing basis. Or they may simply be content to deface a website with a politically inspired message.

What to do

Firstly, make sure your WordPress plug-ins are running the most up-to-date versions. When you log in to WordPress, available updates are displayed and you should apply them, particularly if you are aware of any discussion of vulnerabilities. If you are holding off upgrading for fear of an incompatibility, you can always disable a plug-in and step back to an older version.

Finally, make sure your website is hosted by a professional WordPress hosting company. Many WordPress developers use their own server set-up, and it is unlikely you will be getting world-class hosting and security from a developer, regardless of how good their design skills are. WPEngine offers the most secure WordPress hosting we know of, and it is a service like this, proactively monitoring potential exploits, that can help keep your site safe from hackers and prevent a service interruption or, at best, a red face.
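The plug-in update and roll-back steps above can be turned into a repeatable audit. The script below is an added example, not part of the original article: it reads the JSON that WP-CLI's `wp plugin list --format=json` prints (the field names follow WP-CLI; the plugin names and versions in the embedded sample are constructed), ranks plug-ins by patch urgency, and pairs each update command with the `--version ... --force` pin you would use to step back if the update breaks the site.

```python
import json

# Constructed sample of what `wp plugin list --format=json
#   --fields=name,status,update,version,update_version` prints.
# Field names follow WP-CLI; the plugin names and versions are made up.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none",
     "version": "3.1.1", "update_version": None},
    {"name": "example-slider", "status": "active", "update": "available",
     "version": "1.2.0", "update_version": "1.2.3"},
    {"name": "old-gallery", "status": "inactive", "update": "available",
     "version": "0.9", "update_version": "1.0"},
])

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def audit_plugins(wp_list_json: str) -> list[dict]:
    """Rank installed plugins by patch urgency and attach fix/rollback commands.

    HIGH:   active with a pending update (reachable code, a newer fix exists).
    MEDIUM: inactive with a pending update (still on disk; update or delete it).
    LOW:    inactive and current (remove if unused to shrink the attack surface).
    """
    findings = []
    for p in json.loads(wp_list_json):
        name, status, current = p["name"], p["status"], p["version"]
        if p.get("update") == "available":
            severity = "HIGH" if status == "active" else "MEDIUM"
            fix = f"wp plugin update {name}"
            # If the update breaks the site, step back by pinning the old version.
            rollback = f"wp plugin install {name} --version={current} --force"
        elif status == "inactive":
            severity, fix, rollback = "LOW", f"wp plugin delete {name}", None
        else:
            continue  # active and current: nothing to do
        findings.append({"severity": severity, "name": name, "installed": current,
                         "available": p.get("update_version"),
                         "fix": fix, "rollback": rollback})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


def main():
    for f in audit_plugins(SAMPLE_WP_PLUGIN_LIST):
        print(f"[{f['severity']}] {f['name']} {f['installed']} -> "
              f"{f['available'] or 'n/a'}: {f['fix']}")


if __name__ == "__main__":
    main()
```

Run it against the live output of `wp plugin list --format=json --fields=name,status,update,version,update_version` instead of the sample to audit a real install.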

  1. Full text of the FBI Service Announcement
  2. WP Engine & WordPress security
  3. One Million Sites Imperiled by WordPress plug-in : Ars Technica

FBI Recommendations

– Review and follow WordPress guidelines:

– Identify WordPress vulnerabilities using freely available tools such as:

– Update WordPress by patching vulnerable plugins: https://wordpress.org/plugins/tags/patch

– Run all software as a non-privileged user, without administrative privileges, to diminish the effects of a successful attack.

– Confirm that the operating system and all applications are running the most up-to-date versions.
