WordPress Website Security

Thousands of WordPress websites have been hacked after a recent disclosure of a vulnerability in WordPress. WordPress delayed the disclosure for over a week and worked with security companies to have a patch ready, yet not all websites have patched and it’s a WordPress Hacker Smorgasbord.

Yet, even though the patch was released, thousands of admins didn't update their websites, either because they had disabled auto-update or simply did not apply it. Some admins disable auto-update so they can test patches before deploying them, yet for a patch like this a different approach should be used to ensure the website is secure.

The news site (news.opensuse.org) of the well-known Linux distribution openSUSE was hacked, but it was quickly restored without further breaches in other parts of openSUSE's infrastructure, the CIO reported.

The vulnerability is in the WordPress REST API and allows an unauthenticated user to delete or modify pages and redirect their visitors to malicious exploits.

A security researcher at Sucuri stated that they noticed multiple campaigns running across the internet trying to find unpatched WordPress websites.

The call to update has been going out for some time, and if you have not updated to WordPress 4.7.2 you should do so urgently, in addition to checking your website.

This is a clear indication that websites nowadays need multiple layers of security; some suggestions to look into are:

By Lionel Thomas / Website, Website Security, WordPress

WordPress and other Content Management Systems (Joomla, Drupal etc.) let us leverage technology to such an extent that many websites nowadays are created by the business owner themselves, by non-technical personnel, or by a website designer. This opens websites up to many security issues: they are not kept up to date, have no security added (or not set up properly), and may not even have any backups.

Previously, I helped a website design company that had 42 of their clients' websites hacked, plus an additional 8 websites from another website design company sharing their server. Looking into the issue, the hacking had started 4 years earlier and only recently became aggressive; the server and websites lacked security and were not kept up to date. Their security had more holes than Swiss cheese and the hackers had a field day. The websites and server were fixed, yet the cost of having implemented the security would have been insignificant compared to the cost of fixing the issue. Also, once a server has been hacked to this extent, it is best to move the websites to another server, as there is always the chance something is left behind to regain entry.

In another scenario, a new client had a website with a security plugin, yet it wasn't set up and still allowed basic brute force attacks freely, and there were attempts to hack in every day. Luckily, it was a novice hacker and the website was secured before entry was gained, yet it shows a little knowledge can be dangerous with security. When implementing security, you need to know why you are doing what you are doing; adding a security plugin doesn't mean it will work for every scenario, especially if it is not set up properly.
I hear this a lot: "my website is hosted with X, they would look after the security, right?" No hosting company will look after all security issues. If you own a website or are looking after one, you need to know what security, if any, has been set up for your website and server, and also what security is needed.
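The "basic brute force" attempts above show up in the web server log as bursts of POSTs to wp-login.php from one address, which is easy to check for even when no security plugin is doing it for you. The following is an added example, not code from the post: it parses a few constructed Apache combined-format lines and flags any IP that posts to the login form five or more times within a minute.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format lines (sample input, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3140 "-" "curl/7.47"
203.0.113.5 - - [10/Feb/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3140 "-" "curl/7.47"
203.0.113.5 - - [10/Feb/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3140 "-" "curl/7.47"
203.0.113.5 - - [10/Feb/2017:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3140 "-" "curl/7.47"
203.0.113.5 - - [10/Feb/2017:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3140 "-" "curl/7.47"
203.0.113.5 - - [10/Feb/2017:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3140 "-" "curl/7.47"
198.51.100.7 - - [10/Feb/2017:10:02:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3140 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2017:10:02:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return ip, timestamp, method, path and status for one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_login_bruteforce(log_text, threshold=5, window_s=60):
    """Flag IPs that POST to wp-login.php at least `threshold` times within `window_s` seconds.
    (A 200 on the POST means the form was re-rendered, i.e. the login failed; 302 is a success.)"""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # sliding window of `threshold` POSTs
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged[ip] = len(times)  # total POSTs seen from this IP
                break
    return flagged

if __name__ == "__main__":
    print(find_login_bruteforce(SAMPLE_LOG))  # {'203.0.113.5': 6}
```

A single successful login from 198.51.100.7 is left alone; only the burst from 203.0.113.5 is reported, which is the address a firewall or security plugin should then be configured to block.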

Joomla (8 Year Old Vulnerability)

Recently Joomla had a vulnerability that affected all versions from the last 8 years, meaning nearly every website needed to be updated as the vulnerability was being actively exploited. In this scenario there are precautions that can be taken, such as firewalls or security layers, that help prevent issues until the website can be updated. Yet, as stated above, because so many websites have non-technical personnel maintaining them there is a great lack of website security, leaving websites open to being hacked.

WordPress 4.4.1 Update / Plugin Vulnerabilities

The 4.4.1 update to WordPress fixes an XSS (Cross-Site Scripting) vulnerability. This vulnerability is now known in the wild, meaning that if you have not updated your WordPress website you need to do so ASAP.

WordPress Plugin Vulnerabilities

All of the following have vulnerabilities that have been fixed in their latest versions, so if you have not updated, ensure you do so ASAP.

  • Commentator plugin version 2.5.2 and older
  • WordPress Download Manager 2.8.7 and older
  • Simple Download Monitor 3.2.8
  • Simple Ads Manager 2.9.4.116
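Checking a site against the core version called for earlier (4.7.2) and the plugin list above is a version-comparison job, and comparing version strings as text gets it wrong (e.g. "2.8.10" sorts before "2.8.7"). The following is an added example, not the post's own code: it reads a constructed plugin inventory shaped like `wp plugin list --format=json` output and reports anything matching the list. The plugin slugs used as keys are assumptions; check them against the `name` column on your own install.

```python
import json
import re

# Core version the post says to update to.
MIN_CORE_VERSION = "4.7.2"

# The post's plugin list. "max" = that version and older are affected; "exact" = only the
# version named. The slugs (the `name` column of `wp plugin list`) are assumptions.
VULNERABLE_PLUGINS = {
    "commentator": ("max", "2.5.2"),
    "download-manager": ("max", "2.8.7"),
    "simple-download-monitor": ("exact", "3.2.8"),
    "simple-ads-manager": ("exact", "2.9.4.116"),
}

# Constructed sample shaped like `wp plugin list --format=json` output (not a real site).
SAMPLE_PLUGIN_JSON = json.dumps([
    {"name": "download-manager", "status": "active", "update": "available", "version": "2.8.7"},
    {"name": "simple-download-monitor", "status": "active", "update": "none", "version": "3.2.9"},
    {"name": "simple-ads-manager", "status": "inactive", "update": "available", "version": "2.9.4.116"},
    {"name": "akismet", "status": "active", "update": "none", "version": "3.2"},
])

def parse_version(text):
    """'2.9.4.116' -> (2, 9, 4, 116); tuples compare component-wise, unlike strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_vulnerable(rule, installed):
    mode, ref = rule
    if mode == "max":
        return parse_version(installed) <= parse_version(ref)
    return parse_version(installed) == parse_version(ref)

def audit(core_version, plugin_json):
    """Return findings for an outdated core or any plugin matching the list above.
    Inactive plugins are reported too: their files remain on disk until removed."""
    findings = []
    if parse_version(core_version) < parse_version(MIN_CORE_VERSION):
        findings.append(f"core {core_version} is older than {MIN_CORE_VERSION}: update WordPress")
    for plugin in json.loads(plugin_json):
        rule = VULNERABLE_PLUGINS.get(plugin["name"])
        if rule and is_vulnerable(rule, plugin["version"]):
            findings.append(f"plugin {plugin['name']} {plugin['version']}: known vulnerable, update it")
    return findings

if __name__ == "__main__":
    for finding in audit("4.7.1", SAMPLE_PLUGIN_JSON):
        print(finding)
```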

Key Note

Companies that have a website need research and training into what is required to keep safe not only the website, but also communications from the website and any user data they retain.

With the aim of improving website security, I have listed various systems and plugins that can be used; note that these still need to be set up correctly and kept updated to the latest version to be of benefit. There are also further aspects of owning a website, such as the server, that need to be hardened to maintain an adequate level of security.

Cloud Flare

(www.CloudFlare.com)
A group of webmasters started collaborating many years ago to create a database of hackers, spammers and the like so they could filter out such traffic and improve the security of websites. Cloud Flare sits between your website and its users; it is extremely useful and includes a CDN, optimization, security, analytics and website apps. In short, it assists with security, may make your website load faster, reduces the load on your server, gives you traffic statistics and lets you add specific features with ease. It has free and paid versions. The free version is very good, yet if you have a large website you want to keep healthy, look into the paid version.
There are several WordPress, Joomla etc. security plugins I will write up in my next article. If you need help or would like to know about these security details, send me an email (lionel@vofer.com.au) and I will update you on the details.

Vofer

Websites, Online Marketing (PPC/SMM) and Cyber Security
www.Vofer.com.au