WordPress and other Content Management Systems (Joomla, Drupal etc.) allow us to leverage technology so much that many websites nowadays are created by the business owner themselves, by non-technical personnel, or by a website designer. This opens websites up to many security issues: they are not kept up to date, security is not added (or not set up properly), and there may not even be any backups of the website.
Previously, I helped a Website Design company that had 42 of their clients' websites hacked, plus an additional 8 websites from another website design company sharing their server. Looking into the issue, the hacking started 4 years ago and only recently became aggressive; the server and websites lacked security and were not kept up to date. Their security had more holes than Swiss Cheese and the hackers had a field day. The websites and server were fixed, yet the cost of having implemented the security would have been insignificant compared to the cost of fixing the issue. Also, once a server has been hacked to this extent, it is best to move the websites to another server, as there is always the chance something is left behind to regain entry.
In another scenario, a new client had a website with a security plugin, yet it wasn't set up and still allowed the basic Brute Force attack freely, and was actively having attempts to hack in every day. Luckily, it was a novice hacker and the website was secured before entry was gained, yet it shows a little knowledge can be dangerous with security. When implementing security, you need to know why you are doing what you are doing; adding a Security Plugin doesn't mean it will work for every scenario, especially if it is not set up properly.
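To make the "installed but not set up" failure concrete, here is an added example (not code from the original post or from any particular plugin) of the check a login-protection plugin is expected to enforce: a sliding-window count of failed `wp-login.php` POSTs per source IP over web-server log lines. The log lines, IP addresses, window and threshold are constructed for the example; passing `max_attempts=None` models a plugin whose limit was never configured, which blocks nothing.

```python
"""Added example (not from the original post): a minimal sliding-window
brute-force check for WordPress login attempts, run over constructed
combined-format web-server log lines. With no threshold configured
(max_attempts=None) every attempt is allowed through, which is the
"plugin installed but not set up" situation described in the post."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Combined log format; the sample lines below are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one IP (203.0.113.7) hammering wp-login.php,
# one normal visitor (198.51.100.4) who logs in successfully once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Jan/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Jan/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
198.51.100.4 - - [10/Jan/2016:10:00:04 +0000] "GET /about/ HTTP/1.1" 200 5678
203.0.113.7 - - [10/Jan/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Jan/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Jan/2016:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
198.51.100.4 - - [10/Jan/2016:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Jan/2016:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
"""


def parse_attempts(log_text):
    """Yield (ip, timestamp) for each failed-looking login POST.

    WordPress re-renders the login form with HTTP 200 on a failed login and
    redirects (302) on success, so only 200 responses are counted as failures.
    """
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the check
        if m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        if m["status"] != "200":
            continue
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT)


def detect_brute_force(log_text, max_attempts=5, window=timedelta(minutes=10)):
    """Return {ip: time_first_exceeded} for IPs with more than max_attempts
    failed logins inside any rolling window. max_attempts=None means
    "no limit configured": nothing is ever flagged."""
    recent = defaultdict(deque)  # per-IP timestamps inside the current window
    blocked = {}
    for ip, ts in parse_attempts(log_text):
        if max_attempts is None:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) > max_attempts and ip not in blocked:
            blocked[ip] = ts
    return blocked


if __name__ == "__main__":
    print("configured  :", detect_brute_force(SAMPLE_LOG))
    print("unconfigured:", detect_brute_force(SAMPLE_LOG, max_attempts=None))
```

Run against the sample, the configured check flags 203.0.113.7 at its sixth failed attempt (10:00:06) and ignores the legitimate 302 login; the unconfigured variant returns an empty result, which is exactly what "the plugin was there but not set up" looks like in practice.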
I hear this a lot: "my website is hosted with X, they would look after the security, right?" No hosting company will look after all security issues. If you own a website or are looking after one, you need to know what security, if any, has been set up for your website and server, and also what security is needed.
Joomla (8 Year Old Vulnerability)
Recently Joomla had a vulnerability that affected all versions released in the last 8 years, meaning nearly every website needed to be updated, as the vulnerability was being actively exploited. In this scenario, there are precautions that can be taken, such as firewalls or security layers that help prevent issues occurring until the website can be updated. Yet, as stated above, because many websites have non-technical personnel maintaining them, there is a great lack of website security, leaving websites open to being hacked.
WordPress 4.4.1 Update / Plugin Vulnerabilities
The 4.4.1 update to WordPress fixes an XSS (Cross-Site Scripting) vulnerability. This vulnerability is now known in the wild, meaning that if you have not updated your WordPress website you need to ASAP.
WordPress Plugin Vulnerabilities
All of the following plugins have vulnerabilities that have been fixed in their latest version, so if you have not updated, ensure you do ASAP.
- Commentator plugin version 2.5.2 and older
- WordPress Download Manager 2.8.7 and older
- Simple Download Monitor 3.2.8
- Simple Ads Manager 126.96.36.199
Research and training are needed by companies that have a website, into what is required to keep safe not only the website itself but also communications from the website and any user data they retain.
With an aim to improve website security, I have listed various systems and plugins that can be used to improve website security; note that these still need to be set up correctly and kept updated to the latest version to be of benefit. There are also other areas of owning a website, such as the server, that need to be hardened to maintain an adequate level of security.
A group of webmasters started to collaborate many years ago to create a database of hackers, spammers and the like so they could filter out that traffic and improve the security of their websites. CloudFlare sits between your website and its users; it is extremely useful and includes a CDN, optimization, security, analytics and website apps. In short, it will assist with security, may make your website load faster, reduce the load on your server, give you traffic statistics and allow you to add specific features with ease. It has a Free and a Paid version. The Free version is very good, yet if you have a large website you want to keep healthy, look into the paid version.
There are several WordPress, Joomla etc. security plugins I will write up in my next article. If you need help or would like to know about these security details, send me an email (firstname.lastname@example.org) and I will update you on the details.