Remember that blog you started a few years ago and haven’t updated? You may have lost interest, but internet miscreants will still find your blog quite appealing. Blogging applications like WordPress, Drupal, and Joomla are all under constant scrutiny by the forces of evil, who are looking for outdated versions and plug-ins. Once they find even one vulnerability, they can take control of your blogging application and use it to exploit higher-value targets.
Recently attackers breached the popular Linux distribution called Mint. Their entry point is believed to be a badly configured WordPress user forum. From there they inserted malware into the Linux Mint 17.3 Cinnamon edition and seeded the user forum with scripts to infect hapless users. Anyone who downloaded that particular version during the weekend of February 21 and 22, 2016, should assume their installations are compromised. The attackers also stole a copy of the user forum database, which contains usernames and passwords. The application owners had to take the LinuxMint.com website offline.
Recently the financial giant JPMorgan Chase learned – despite its $250 cybersecurity budget – that its defense is only as strong as its weakest link. The firm contracted a third-party vendor to develop and deploy a website for the bank’s annual charity race. The race was open not only to bank employees but also to employees of other corporations.
Hackers found a vulnerability in this low-sensitivity website and exploited it to enter critical Chase systems, affecting over 76 million households and 7 million businesses. The attackers employed this foothold to look for additional weaknesses such as user credentials and certificates they could use to exploit more lucrative targets.
According to Brandon Zundel, a programmer and WordPress expert, “One of the things that amazes me is people rely way too much on firewalls and scan tools. Scan tools are great and they will get 90% of the infection but if you miss one back door, the hackers will be coming back. The only real way to clean out the hack is to hire a developer like myself or someone who knows PHP to go through every file to find the malicious code and files and get rid of it.”
What can you do to thwart these attackers? If you no longer need an application like WordPress, then remove it or shut it down. The effort to reinstall an up-to-date replacement from WordPress.org is nothing compared to the pain of ridding yourself of malware and malicious accounts infecting your computer.
If you are actively using the application, subscribe to the maintenance email list and diligently install patches and updates. Also keep the rest of the computer current with the latest updates. Frequent backups are a must: 1) make a local backup, 2) make another and keep it at a remote site, and 3) create a third backup in a cloud service.
Rename the administrative accounts and change the passwords from the default setting. Also update all your plug-ins; if a plug-in is vulnerable and there is no patch, then remove or disable it. Look for a plug-in that will monitor your site and alert you to changes. See 10 Essential Security tips for WordPress for details.
Unless you protect your blogging app, it may as well call itself “HACKME.COM.” The attackers are constantly on the prowl for unpatched applications in the hands of part-time amateurs. These steps will encourage them to move on to easier pickings.
Does this seem like a lot of hassle? Yes, it is. That is why there are a number of hosting services you can rent for a modest monthly fee. Some will offer their services for free, although the saying “you get what you pay for” comes to mind. In any case, these hosting services keep the system current and protected, so you don’t have to.