About a month and a half ago, it was discovered that ISIS sympathizers had found a vulnerability in WordPress—the platform used by millions to create websites and blogs. Since then, the FBI has been working diligently to identify these points of entry, where hackers continue to post ISIS propaganda. According to the FBI, the attacks are actually very simple and “entry level,” and it’s likely these perpetrators are not really ISIS members but rather people chasing fame by sympathizing with them. However, that’s of little comfort to the websites that have been under attack. The official FBI warning states that, “All victims of the defacements share common WordPress plug-in vulnerabilities easily exploited by commonly available hacking tools.”
There is a growing list of plug-ins that have been linked with the attacks, and the FBI encourages website managers to use free security tools in order to double check for safe installations. The agency warns that, “Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or networking servers. An attacker could install malicious software, manipulate data, or create new accounts with full user privileges for future website exploitation.” The most commonly hacked plug-ins are GravityForms (v. 1.8.2) and RevSlider (v. 4.2).
Sucuri, a security provider for WordPress, has also been involved in helping to minimize attacks. In one of the company’s official blog posts it’s noted that, “The vulnerabilities being exploited appear to be from older versions of the plugins that have yet to be patched. We are not aware of any new vulnerabilities in either of the plugins.” This is also a reminder to update plug-ins, software and other tech pieces that are constantly evolving. Sucuri also points out that, although RevSlider is by far the most hacked plug-in with GravityForms coming in second, Wp Symposium, Mailpoet, Fancybox and a host of other plug-ins have also been used as entry points. “This list is not exhaustive at all,” warns Sucuri, “and it seems the attackers try to exploit whatever they can get their hands on, but it gives you an idea of what they are looking for.”
The FBI, a far cry from being a technical expert agency, doesn’t (and can’t) give much actionable help to WordPress users. That’s why Sucuri warns WordPress users that updates alone aren’t enough. Active security measures have to be taken, which includes monitoring on a constant basis. “You have to leverage low-privileged users for most of your actions, you have to monitor your logs, you have to use good passwords, you have to audit the plugins and themes you are using.” It sounds like a lot of work, and it is. That’s why, although many WordPress themes are free, most websites can’t get by with totally free options and no added security.
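Auditing installed plugins, as Sucuri recommends above, starts with knowing exactly which plugins and versions a site runs. The following script is an added example, not code from the article, the FBI or Sucuri: it parses the standard WordPress plugin header block (the `Plugin Name:` / `Version:` comment at the top of each plugin's main file), lists every plugin with its version, and flags any on a watch list that is at or below a known-affected version. The sample plugin files are constructed for the example; the watch list uses the two versions named in the article (GravityForms 1.8.2 and RevSlider 4.2), and treating anything at or below those numbers as needing attention is this example's own assumption, not a statement of which versions are patched.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample plugin sources in the WordPress plugin-header format.
# On a live site these would be read from wp-content/plugins/<slug>/<main>.php.
SAMPLE_PLUGIN_FILES: Dict[str, str] = {
    "gravityforms/gravityforms.php": "<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 1.8.2\n*/\n",
    "revslider/revslider.php": "<?php\n/**\n * Plugin Name: Slider Revolution\n * Version: 4.6.5\n */\n",
    "akismet/akismet.php": "<?php\n/*\nPlugin Name: Akismet\nVersion: 3.1.1\n*/\n",
}

# Watch list: plugin directory slug -> highest version to flag.
# The numbers are the ones named in the article; "at or below" is an assumption.
KNOWN_AFFECTED: Dict[str, str] = {
    "gravityforms": "1.8.2",
    "revslider": "4.2",
}

# Matches "Plugin Name: X" or "Version: X", with or without a leading "*"
# (both comment styles are used in real plugin headers).
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(source: str) -> Dict[str, str]:
    """Extract Plugin Name and Version from a plugin file's header comment."""
    fields: Dict[str, str] = {}
    for key, value in HEADER_RE.findall(source):
        fields.setdefault(key, value)  # first occurrence wins, as WordPress does
    return fields


def version_tuple(version: str, width: int = 4) -> Tuple[int, ...]:
    """'4.6.5' -> (4, 6, 5, 0); non-numeric parts such as 'beta' count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version)]
    return tuple((parts + [0] * width)[:width])


def is_at_or_below(version: str, ceiling: str) -> bool:
    """True when version <= ceiling, comparing zero-padded numeric components."""
    return version_tuple(version) <= version_tuple(ceiling)


def load_plugin_files(plugins_dir: str) -> Dict[str, str]:
    """Read the top-level .php files of every plugin directory (header is near the top)."""
    found: Dict[str, str] = {}
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue
        for name in os.listdir(plugin_dir):
            if name.endswith(".php"):
                path = os.path.join(plugin_dir, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found[f"{slug}/{name}"] = fh.read(8192)
    return found


def audit_plugins(plugin_files: Dict[str, str], watch_list: Dict[str, str]) -> List[dict]:
    """Return one finding per plugin: slug, name, version and whether it is flagged."""
    findings: List[dict] = []
    for path, source in sorted(plugin_files.items()):
        header = parse_plugin_header(source)
        if "Plugin Name" not in header:
            continue  # helper file, not the plugin's main file
        slug = path.split("/", 1)[0]
        version = header.get("Version", "unknown")
        ceiling = watch_list.get(slug)
        flagged = ceiling is not None and version != "unknown" and is_at_or_below(version, ceiling)
        findings.append({"slug": slug, "name": header["Plugin Name"], "version": version, "flagged": flagged})
    return findings


if __name__ == "__main__":
    # Use load_plugin_files("/var/www/html/wp-content/plugins") on a real install.
    for f in audit_plugins(SAMPLE_PLUGIN_FILES, KNOWN_AFFECTED):
        status = "UPDATE / REVIEW" if f["flagged"] else "ok"
        print(f"{f['slug']:<14} {f['name']:<20} {f['version']:<8} {status}")
```

The version comparison pads components so that `4.2.0` and `4.2` compare equal; a comparison that treats them differently would silently miss exactly the plugin the watch list was written for. The output is only as good as the watch list, so keep it current from the vendor's own release notes rather than from a single news report.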
With managed WordPress hosting, some of those attacks may not have happened: auto-updating plug-ins alone could keep a lot of hacks at bay. For providers that offer such services, it’s prime time to scoop up new clients. After all, 60 million WordPress installations are bound to come with some vulnerabilities. Most use a hosting service, but only a small fraction are on managed WordPress hosting. Most of the time, hosts don’t get into managing client applications. However, a Service Provider Analyst with 451 Research told WHIR that, “The basic security value of managed updating and patching, and the removal of bad plugins, is a core piece of the value proposition for managed WordPress hosting.” For clients with hosts who offer this service, it might be worth looking into—for peace of mind if nothing else.
Posted by Drew Hendricks