As we often state, the Web has been the great equalizer for attackers. Everyone, regardless of operating system, uses the Internet. Therefore, a lot of software is written that is usable by anyone who uses the Web, whether it's via smartphone, tablet, or desktop OS. You can often use the same browser on your phone as on your laptop, and the same plugins usually work on both platforms, too.
Content management systems are another commonality between various types of Internet users, with WordPress being one of the most well-known CMSes available. Because of its immense popularity, attackers know that exploiting it is just as effective as finding an exploit on the popular OSes. WordPress is an easily mined treasure trove for would be-attackers.
How can you protect your WordPress-powered blog or website from being compromised? In this post we'll talk about what kinds of attacks take advantage of content management systems and what you can do to protect yourself.
How Do Threats Infiltrate WordPress?
WordPress offers a couple options for using their product. You can either opt to let them host it and deal with applying updates, or you can choose to host it yourself. Many people choose to host their own WordPress installation or hire a third party to host for them, for the flexibility and customization that it allows. WordPress updates are fairly frequent (like most web-related software) and each release generally includes several security improvements. And, unfortunately, a lot of people are pretty slow about updating.
While the rate of Oracle and Adobe CVEs assigned is a whole lot higher than WordPress, Oracle and Adobe’s update processes are also a lot louder and potentially more automated for most users. (One of the dangers of marketing products as easy and newb-friendly: If you don’t also automate security updates, they likely won’t happen.) And then there’s the plethora of plugins and themes that are available out there; it’s one of the biggest draws for users, but it also presents a fairly large attack surface. Much as more moving parts in a machine means more things to break, more modules in a website (especially those that are not thoroughly vetted) can mean more ways to break into your blog.
Because WordPress is web-facing, it’s fairly trivial for attackers to use Google as a tool to scour the Web for insecure installations or modules. So all those blogs out there that have failed to do timely updates are all lined up, waiting for attackers to have their way with them. It’s no surprise when malware that uses this tactic is wildly successful. Beyond that, there’s also the good old-fashioned breaking-and-entering approach, which could mean breaking into your machine directly, or stealing your account credentials in some way. It’s sort of the familiar theme with all things security-related: If your software is outdated, or your administration-hygiene is not so great, attackers will get in and make your life unpleasant.
What Do They Do?
There are two main types of modifications attackers make on insecure installations. The first is kind of like a burglar sticking something very small and discreet in a doorjamb to keep the lock from catching, so that they can return whenever they please to do whatever they please. In short, they amend your page to add a backdoor. The second type is meant to affect the visitor’s experience, usually in a way that brings the attacker money. This can either include redirects (such as to an ad or malware on another site) or drive-by downloads that silently install malware on visitors’ machines. It could also be a simple defacement that’s the digital equivalent of spray painting graffiti on a wall, but those tend to be easy to spot and fix. Whether the modifications are creating a backdoor or affecting vulnerable visitors, they do this by adding scripts to your pages. These are usually very tiny (so you would hardly notice the change), or heavily obfuscated (so that it’s hard to tell what it’s doing). Unless you regularly check the source code for all your various website bits and pieces, you might not notice that something was amiss until people start complaining of strange behavior.
How Can I Stop Them?
As you might have gleaned from my earlier description, this is mostly solvable by simple security precautions. But it’s somewhat complicated for a couple of reasons. If you’re relying on a third party to host your installation, it can be difficult to motivate them to do the right thing, if they’re not already so inclined. This is one of those times where “voting with your pocketbook” can be very effective; if your current host is unwilling or unable to protect your site, it may be time to find a new one. If you’re hosting it yourself but your neighbor’s cousin set it up as a one-time deal, and you know nothing about how to properly secure your installation, it may be time to hire someone who can manage your site securely. But if you’re somewhere in the middle and are willing and able to do a little work to tighten up your security, here’s a few tips:
- Firewall and AV Once again, we begin the journey of adding in layers of security. No one layer is sufficient by itself, but as you lock off more points of entry, you make your machine a less tempting target. The simplest way to start is to make sure the server that’s hosting your site is locked down like any other machine you would use, which means having Firewall and AV installed. AV can detect a lot of common threats, especially if you have heuristics enabled. Firewall can detect direct attacks and newer threats.
- Choose a strong password Standard password hygiene will help you here too. Make sure you choose a strong and unique password, and change it often.
- Update all the things Making sure your machine is secure is not just about updating WordPress and all your various plugins and themes. If there is software on your machine, it needs to be updated in a timely fashion. That includes the OS, along with anything else that you have on your machine.
- Make frequent backups Backups may not seem like a preventative measure, but if you’re making regular backups on external sources, you can easily compare backups to what’s presently on your site to see if there have been modifications. And then you can use them for a less painful cleanup later.
- Remove the generic Administrator account Default accounts are a common way for miscreants to get into all sorts of things, because they can usually count on people being too lazy to bother with things that seem so trivial. Create a new Administrator account with a different name, and then delete the old, default one. Simple as that.
- Connect securely It’s a whole lot harder for someone to eavesdrop and grab your credentials when you connect to your web server if you connect via a secured protocol. So instead of just using FTP, use SFTP or SSH.
- Restrict privilege wherever you can There is a security concept called the Principle of Least Privilege, which basically means that if someone doesn’t really need access to something (such as a directory or a higher level of permission), you should lock it down. If you know that you are only going to access your blog from a certain IP address or range, you can lock it down on your firewall. If you have users that are going to access your blog but don’t need administrative privilege, you can set them up as an editor, contributor or author depending on what they need to accomplish. And if they no longer need access, be timely about disabling accounts.
- Remove software and credentials you don’t need This is similar to the previous tip, in that you’re limiting the number of risks. If there is software that you don’t really need to use, uninstall it. If there are accounts to access the blog or the machine that are not needed, remove them. The fewer moving parts and points of entry there are, the fewer ways attackers have to get in.
- Kill PHP execution
This website includes instructions for how to disable PHP scripts in the most vulnerable directories. This is not bulletproof, as they could put PHP scripts in files with different extensions. WordPress has its own write-up on hardening security for those of you who are more technically inclined.
How Can I Clean Up?
If you’re reading this in the aftermath of a compromise without recent backups, you may be in for quite a bit of work. If you had the foresight to duplicate your data beforehand, this is where your present-self is going to want to give your past-self a big high five for being so terribly clever. Assuming you’ve not made a good backup, you will need to take a more careful and thorough approach. Google has posted a fantastic, easy-to-understand description of what to do if your website has been hacked, which works excellently well for any sort of webserver, not just WordPress.
- Take the site down The first thing you need to do, to prevent further harm to yourself as well as your visitors, is to take your site offline. You don’t want the attacker to be able to connect to your machine, and you don’t want the site to continue serving bad content.
- Scan your machine Presuming that you don’t have AV on the machine already, now’s a good time to install some and do a thorough scan of your machine. It may not catch everything (some changes may not be malicious, or it could be a very new threat), but this is a good starting point and should point you in the right direction.
- Check your pages and settings Someone who’s gotten into your machine can make all sorts of changes, not just strictly-malicious ones. They may have changed your settings, they may have added new user accounts, they may have added new pages or made changes to existing ones. The more thorough you can be, the better. This is the biggest potential risk in this process – if you do not do this step thoroughly enough, an attacker may still have a foothold in your system and you’ll have to repeat the whole process in the near future.
- Lock everything down Go up and reread the previous section in this article about how to stop this sort of attack from happening. Hardening your machine may mitigate some of the risk from missing a change that an attacker has made.
- Change all your passwords As with any time you’ve found a backdoor on your machine, it’s best to assume the worst. Change the passwords for any account that has been touched on this machine, for sure. Email accounts, user accounts, financial accounts – if it requires you to enter a password, change it. It won’t cost you anything but time to go nuts with this step. If there are other users that access the affected machine, it’s a good idea to require them to change their passwords for their account on the machine as well.
- Bring it back online At this point, you’re ready to get things running again, having hopefully secured everything and restored it back to as close to its original state as possible.
With a good backup, you can take a more scorched-earth approach, and replace scanning and checking everything with simply clearing off your machine. After taking your machine offline, it’s now time to…
- Nuke and pave If you know you have a clean backup, you don’t need to scan anything or check to see whether anything has been added or changed. Simply wipe the machine and restore it from backup. If you’ve only backed up the data, rather than taking a snapshot of the machine (or if you just want to make sure everything is squeaky clean before you bring everything back up) you can securely wipe the drive and reinstall your software. This LifeHacker article has a good description for how to do this, for the major OSes.
Whether you restore from backup or reinstall from the ground up, you will now need to harden your installation to make sure this doesn’t happen again. And you’ll still want to go on a password-changing spree to make sure all your bases are covered before bringing your site back up. In the end, it’s a sucky fact of life that information security is getting so complicated, and that it’s disproportionately affecting the people that will find it most painful to recover from an attack. Having your website hacked can be a difficult and time-consuming thing to deal with. Hopefully this guide will help you prevent such a thing from happening, or help you get your blog back up and running as quickly as possible.