WordPress Security Worries
It is estimated that WordPress, the popular blogging and Content Management System, is now behind up to 20% of all websites on the Internet. Whatever the exact figure, it is well into tens of millions of websites running on the WordPress platform. Those sheer numbers alone attract unwelcome attention from people who want to exploit websites.
The WordPress platform has made it simple for people to build their sites and get a presence online. However, WordPress defaults to a very ‘open’ platform which is highly vulnerable to security exploits. This has led to numerous WordPress based sites being compromised in many different ways. It is no longer a case of ‘IF’ you will be attacked but ‘WHEN’.
This can lead to a variety of problems such as –
- Defaced site
- Your traffic may be ‘hijacked’
- Google identifies the site as running ‘malware’, blacklists it and removes it from its index.
- Loss of traffic
- Deletion of data
- Identified as email spammers and blacklisted
- Legal exposure to data loss
None of these things are good, and they take time and money to recover from.
During August, a large hosting company in the UK experienced an attack on part of its network. They issued a statement which read –
On the evening of Wednesday 20th August, we experienced a large scale attack to our Linux Hosting network.
The purpose of this attack was searching for known exploits on database driven CMS based websites, such as WordPress, Drupal and Joomla.
While the attack was ongoing, multiple customers on Linux Hosting would have experienced speed and performance issues (including blank pages and 500 errors when visiting their websites), which was a direct result of the increased load and resources consumed by the third party attack.
The attack has since been blocked and isolated, though this morning we are seeing reports from some customers where they are still experiencing faults on their websites, indicative that their websites were compromised from having insecure features or plugins that were exploited.
Symptoms include:
– Missing or edited .htaccess files
– Domain names resolving to install.php pages
– Errors trying to connect to databases with PHPMyAdmin
Please note: to stress, our network and hosting platform have not been compromised. The attacks were searching individual sites for out-of-date versions of CMS software or insecure add-ons and plugins that can allow access to the areas of that specific website (often to exploit upload or email features for spamming/phishing purposes). If a site did have unauthorised access, only that specific site would be affected (i.e. a compromised site could not gain access to other sites on our platforms).
This clearly shows that these are well organised and serious attempts to compromise these popular website platforms. I run various security measures on sites and see a constant flow of attempts to break into these sites.
So what can you do to protect against these attacks?
- Always run the very latest version of WordPress
- Always run the very latest versions of your plugins and themes
- Be conservative in your selection of plugins and themes
- Delete the admin user and remove unused plugins, themes and users
- Make sure every user has their own strong password
- Do not publish content as an admin user – use an editor account
- Use a Captcha or two factor authentication on login
- Lock down critical WordPress files such as install.php and wp-config.php
- Lastly, make sure you have a full site backup including the database which the full site can be restored from.
These are some of the most important things you need to do, but this is not exhaustive by any means.
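Several of the points above, and the symptoms the hosting company listed, can be checked from the file system without touching the database. The script below is an added example, not code from the original post or from the WordPress project. It assumes the standard WordPress layout (wp-config.php, wp-admin/install.php, wp-includes/version.php and .htaccess), takes the latest core version and a known-good .htaccess hash as parameters rather than fetching them, and the sample sites it builds and the version numbers it uses are constructed placeholders.

```python
"""Audit a WordPress document root against several of the checklist items above.

Added example, not code from the original post. It assumes the standard
WordPress layout and takes the "latest" core version and a known-good .htaccess
hash as parameters; the sample sites it builds are constructed.
"""
import hashlib
import os
import re
import stat
import tempfile

VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_version(text):
    """'4.9.1' -> (4, 9, 1); non-numeric parts are ignored."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def audit_wordpress(root, latest_version, htaccess_baseline):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []

    # wp-config.php holds the database credentials: group/other must not read it.
    cfg = os.path.join(root, "wp-config.php")
    if not os.path.isfile(cfg):
        findings.append("wp-config.php missing")
    else:
        mode = stat.S_IMODE(os.stat(cfg).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("wp-config.php readable by group/other (mode %o)" % mode)

    # The hosting statement lists domains resolving to install.php as a symptom,
    # and the post says to lock the file down, so flag it while it is still in place.
    if os.path.isfile(os.path.join(root, "wp-admin", "install.php")):
        findings.append("wp-admin/install.php present; restrict or remove it")

    # A missing or edited .htaccess is another listed symptom: compare to a baseline.
    ht = os.path.join(root, ".htaccess")
    if not os.path.isfile(ht):
        findings.append(".htaccess missing")
    elif sha256_file(ht) != htaccess_baseline:
        findings.append(".htaccess differs from the known-good baseline")

    # Core version behind the latest release ("always run the latest version").
    ver_file = os.path.join(root, "wp-includes", "version.php")
    try:
        with open(ver_file) as fh:
            match = VERSION_RE.search(fh.read())
    except OSError:
        match = None
    if match is None:
        findings.append("could not read the core version from wp-includes/version.php")
    elif parse_version(match.group(1)) < parse_version(latest_version):
        findings.append("core version %s is behind %s" % (match.group(1), latest_version))
    return findings


def build_sample_site(root, version, world_readable, keep_install):
    """Write a constructed, minimal WordPress layout; returns the .htaccess hash."""
    os.makedirs(os.path.join(root, "wp-admin"))
    os.makedirs(os.path.join(root, "wp-includes"))
    cfg = os.path.join(root, "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-sample');\n")
    os.chmod(cfg, 0o644 if world_readable else 0o600)
    if keep_install:
        open(os.path.join(root, "wp-admin", "install.php"), "w").close()
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as fh:
        fh.write("<?php $wp_version = '%s';\n" % version)
    ht = os.path.join(root, ".htaccess")
    with open(ht, "w") as fh:
        fh.write("# constructed baseline\nRewriteEngine On\n")
    return sha256_file(ht)


def run_demo(latest="1.2.4"):
    """Audit a weak site, a hardened site, and the hardened site after .htaccess is edited.
    Version strings are placeholders, not real WordPress releases."""
    weak = tempfile.mkdtemp()
    weak_base = build_sample_site(weak, "1.2.3", world_readable=True, keep_install=True)
    weak_findings = audit_wordpress(weak, latest, weak_base)

    hard = tempfile.mkdtemp()
    hard_base = build_sample_site(hard, latest, world_readable=False, keep_install=False)
    hard_findings = audit_wordpress(hard, latest, hard_base)

    # Simulate the "edited .htaccess" symptom from the hosting statement.
    with open(os.path.join(hard, ".htaccess"), "a") as fh:
        fh.write("# constructed unexpected edit\n")
    tampered_findings = audit_wordpress(hard, latest, hard_base)
    return {"weak": weak_findings, "hardened": hard_findings, "tampered": tampered_findings}


if __name__ == "__main__":
    for name, items in run_demo().items():
        print(name, "->", items or ["no findings"])
```

Run it against a real document root by calling audit_wordpress with the site path, the current WordPress release string, and the SHA-256 of the .htaccess you saved when the site was last known to be clean; scheduling it from cron gives an early signal for the .htaccess and install.php symptoms described in the hosting company's statement.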