If you are running a WordPress site, please be aware that the popular site builder and blogging platform is a popular target of cyber-criminals. This is due to it’s popularity as a do-it-yourself design tool, and it’s ubiquity (about 20% of Internet sites are coded in WordPress), and the fact that many WordPress site managers do a poor job of keeping the WordPress version updated properly. When you add into it the themes and plug-ins that also need updating to maintain good security practices, there are opportunities galore to take over and use WordPress sites for a variety of nefarious purposes.
The FBI recently warned that the Islamic State of Iraq and Syria (ISIS) is hijacking WordPress sites for purposes of defacement and propaganda distribution.
“The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites.
Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers. An attacker could install malicious software; manipulate data; or create new accounts with full user privileges for future Web site exploitation.”
If you are managing a WordPress site, we are providing a short list of management tips below. This will help keep your site secure, and functioning properly.
- Keep WordPress updated to the latest version.
- Keep your theme updated as well.
- Limit the use of plug-ins to essential site features, remove extraneous or unused plug-ins, and keep them updated to the most recent version.
- Make sure every site user has their own user account, and remove unused accounts promptly.
- Use strong passwords with more than 10 characters.
- Require https for admin access and other logins.
- Generate complex secret keys for your wp-config.php file.
- Use a good WordPress backup plug-in so you can quickly restore a compromised or defaced site.
- Use a Web Application Firewall. (OWASP defines a web application firewall (WAF) as “an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked.”)
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com