Run a self-hosted WordPress site? Then you should take security seriously.
After all, there’s been an endless stream of news reports and warnings about self-hosted WordPress sites (as opposed to those hosted on wordpress.com) being exploited by hackers who take advantage of vulnerabilities in third-party plugins.
But sadly a lot of websites running WordPress remain shockingly vulnerable.
It doesn’t really matter whether that’s because the site’s owners are ignorant of the threat, simply don’t care, or have handed administration of their website to a third-party contractor who has too much else on their plate. The end result is the same: you are putting your visitors at risk and your company’s reputation at stake if you don’t keep your site properly secured.
So, what can be done to raise awareness of the issue?
The FBI has certainly taken an interesting approach, issuing a “public service announcement” yesterday claiming that ISIS-supporting hackers are exploiting vulnerabilities on websites running WordPress.
Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites. Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.
Researchers continue to identify WordPress Content Management System (CMS) plug-in vulnerabilities, which could allow malicious actors to take control of an affected system. Some of these vulnerabilities were exploited in the recent Web site defacements noted above. Software patches are available for identified vulnerabilities.
Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers. An attacker could install malicious software; manipulate data; or create new accounts with full user privileges for future Web site exploitation.
Although the FBI (correctly in my opinion) says that the hacks are unlikely to be the work of members of ISIS themselves, they are clearly being perpetrated by sympathisers. Website defacements may appear to be comparable to graffiti, but they are still disruptive to businesses, shake customer confidence and can result in costly repair bills.
And if a hacker can deface your website, chances are that they could just as easily embed malicious code which could infect a visiting computer too – ramping up the risk significantly.
Pro-ISIS script kiddies may not be as scary a concept as a full-on attack by ISIS terrorists, but it’s still a risk.
Quite frankly, if the thought of the FBI warning of an ISIS hack of your website can’t stir you into taking your website’s security more seriously – I wonder what can.
For some useful starters on how to harden your WordPress site against attacks, check out this guide. Or if that sounds like it’s too much work, find a managed WordPress hosting service like WP Engine or Pressidium that takes the security responsibility onto its own shoulders.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.