The FBI today, issued a warning to WordPress users about their Content Management Systems (CMS), as they could be at risk from ISIS supporters intent on making public statements by defacing websites using one of the world’s most popular publishing platforms.
Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS).
The Public Service Announcement went on to say that website defacements have affected the web sites of news organizations, commercial entities, religious institutions, federal, state & local governments, foreign governments, and a whole host of other domestic and international Web sites and although the hacking attempts were what could be termed ‘low-level hacking’ interruptions, they are nevertheless disruptive and could be costly in terms of loss to businesses revenue and expensive, particularly to small business having to spend on technical consulting services to repair the damage, and protect against further attack.
At the heart of the threat are the vulnerabilities of the plug-ins deployed on almost all websites using WordPress, which may facilitate, unintentionally malicious attacks. Attacks on WordPress websites in the past have exploited these vulnerabilities, and as a result software patches are available for identified vulnerabilities, but new plug-ins are created daily by users the world over and offered from plug-in marketplaces.
These marketplaces are used not just by website owners, but by WordPress theme builders and consultants. As a result, although a website owner may not have installed a vulnerable plug-in themselves, there may be one bundled with the theme they’re using on their website, or a contractor or consultant may have installed one to add a feature to an end-users site.
A subsequent successful WordPress hack may result in an individual getting unauthorised access to an entire list of subscribers or personal data of website visitors, and they could in turn install malicious software to transfer data to a third party on an ongoing basis. Or they may just be happy to deface a website with a politically inspired message.
What to do
Firstly, make sure your WordPress Plugins are using the most up-to-date versions. When logging in to WordPress, available updates will be displayed and you should update them, particularly if you’re aware of any discussion on vulnerabilities. If you’re not upgrading for fear of an incompatibility, you can always disable a plug-in and step back to an older version.
Finally, make sure your website is hosted by a a professional WordPress hosting company. Many WordPress developers use their own server set-up, and it’s unlikley you will be getting world-class hosting and security from a developer, regardless of how good their design skills are. WPEngine offers the most secure WordPress hosting we know, and it’s a service like this that proactively monitors potential exploits that can help keep your site safe from hackers, and prevent service interruption or at best, a red face.
External Links & References
- Full text of the FBI Service Announcement
- WP Engine & WordPress security
- One Million Sites Imperiled by WordPress plug-in : Ars Technica
[su_box title=”FBI Recomendations” box_color=”#e54343″]
– Review and follow WordPress guidelines:
– Update WordPress by patching vulnerable plugins: https://wordpress.org/plugins/tags/patch
– Run all software as a non-privileged user, without administrative privileges, to diminish the effects of a successful attack
– Confirm that the operating system and all applications are running the most updated versions