
WordPress (and Joomla) is one of the most popular web publishing platforms. Around 40% of all websites are built on one of these platforms. Clients and users love them because they can edit the content themselves in-house and because they are so flexible. The vast catalog of plugins is part of what makes WordPress so powerful, but it can also be its Achilles heel. The security of WordPress, Joomla and other CMS websites continues to dominate the news feeds: recently another TimThumb WordPress vulnerability was discovered, and before that there was an issue with the All In One SEO plugin. Attacks by hackers and malware seem never-ending. The number one recommendation we can make for every WordPress/Joomla install is to be absolutely sure that it isn’t hosted on a machine that has access to anything of value. It is best to host your website with a reputable third-party hosting provider that has strong security practices.
“For whatever reason, there is this perception among WordPress (& Joomla) users that the hardest part of the job was paying someone to build the website and that once it’s built, that’s it, it’s done, no further action required. Maybe that was the case seven years ago, but not today.
WordPress’ (& Joomla) ease of use is awesome, but I think it provides a false sense of assurance to end users and developers alike.
I think, though, this perception is starting to change.”
More than 70% of WordPress/Joomla installations are vulnerable to hacker attacks, primarily because owners are not taking sufficient measures to regularly update their website plug-ins and are still running old versions of WordPress. They are also not installing adequate anti-virus protection. Artefact recommends that all CMS websites in particular should be professionally managed, including backing up the site and installing and updating the latest plug-ins, at least once per month. Hackers don’t need to hack websites that run the current version of WordPress/Joomla; they can scan for websites running old, insecure versions and hack those. The volume of attacks seems to be growing every month. If your website goes down or is crippled by malware, it could greatly affect your business and reputation. You could be in big trouble if you don’t keep regular backups of your website, or if a hacker gains access to sensitive information on it.
These attacks come in a number of forms, including DDoS (Distributed Denial of Service) attacks, brute force attacks and, more recently, SEO spam attacks.
Let’s examine these further…
1. DDoS Attack

A DDoS, or Distributed Denial of Service, is when a perpetrator uses a botnet to flood a server with requests. This overloads the server so that it can no longer respond, making your site inaccessible.
The perpetrator builds this botnet by infecting large numbers of vulnerable computers with malware. Once activated, the malware gives the hacker a foothold on that computer, from which they can issue commands at will.
The botnet then receives a directive from the hacker with the details of the site that is to be attacked. This coordinated and timed event is what is referred to as a DDoS attack.
Such attacks can have a huge impact on businesses from financial to hindering reputation. The downtime alone can be crippling to any business regardless of size.
DDoS attacks are on the rise and changing. To mount massive DDoS attacks, hackers are increasingly exploiting weaknesses in applications to compromise more systems and so boost the size of their botnets.
2. Brute Force Attack
Brute force attacks are probably the most well-known and common type of attack. They consist of a hacker attempting to gain access to a site by guessing the password. Again, we have noticed that client passwords are often too weak and easily guessed by hackers. Those who do not change their default username, or who use simple passwords, are at the greatest risk.
In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.
A brute force attack can actually mimic a DDoS attack and cripple your server. Such an attack also consumes system resources: when the attack comes from another infected server, and many such infected sites target your site together, it works much like a DDoS, because all the resources of your hosting account get used up and your account is slowed down. With very large attacks it may even affect the performance of the server in general.
The best way to prevent this type of attack is by installing a script on your website that bans the IP address behind failed logins. Artefact can provide and install such a script.
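The ban-on-failed-login idea above, written out as an added example (this is illustration code, not Artefact’s script): each source IP gets a sliding window of failed attempts, and once the window holds `max_failures` the IP is refused for `ban_for` regardless of what password it sends next. The log format, the threshold values and the IP addresses in `SAMPLE_EVENTS` are all constructed for this example.

```python
"""Failed-login throttling: count failures per source IP in a sliding window
and refuse further attempts from that IP once a threshold is crossed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginGuard:
    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 ban_for=timedelta(hours=1)):
        self.max_failures = max_failures   # failures tolerated inside `window`
        self.window = window               # how far back failures are counted
        self.ban_for = ban_for             # how long a triggered ban lasts
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._banned_until = {}              # ip -> datetime when the ban expires

    def is_allowed(self, ip, now):
        """Call before checking the password; False means refuse outright."""
        until = self._banned_until.get(ip)
        if until is not None and now < until:
            return False
        if until is not None:
            del self._banned_until[ip]       # ban has expired, forget it
        return True

    def record_failure(self, ip, now):
        """Register one failed login; returns True if it triggered a ban."""
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures outside the window
        if len(recent) >= self.max_failures:
            self._banned_until[ip] = now + self.ban_for
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        """A correct password from an unbanned IP resets its failure count."""
        self._failures.pop(ip, None)


# Constructed sample of login events: timestamp, source IP, username, result.
# 198.51.100.20 is a legitimate user who mistypes once; 203.0.113.7 is a
# password-guessing client that eventually lands on the right password.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 198.51.100.20 editor FAIL
2024-05-01T10:00:09 198.51.100.20 editor OK
2024-05-01T10:01:00 203.0.113.7 admin FAIL
2024-05-01T10:01:02 203.0.113.7 admin FAIL
2024-05-01T10:01:04 203.0.113.7 administrator FAIL
2024-05-01T10:01:06 203.0.113.7 admin FAIL
2024-05-01T10:01:08 203.0.113.7 admin FAIL
2024-05-01T10:01:10 203.0.113.7 admin FAIL
2024-05-01T10:01:12 203.0.113.7 admin OK
"""


def replay(log_text, guard=None):
    """Feed the events through the guard; return it plus the refused attempts."""
    if guard is None:
        guard = LoginGuard()
    refused = []   # (timestamp, ip) of attempts refused before any password check
    for line in log_text.splitlines():
        ts, ip, _user, result = line.split()
        now = datetime.fromisoformat(ts)
        if not guard.is_allowed(ip, now):
            refused.append((ts, ip))
            continue
        if result == "OK":
            guard.record_success(ip)
        else:
            guard.record_failure(ip, now)
    return guard, refused


if __name__ == "__main__":
    _guard, _refused = replay(SAMPLE_EVENTS)
    for ts, ip in _refused:
        print(f"{ts} refused login attempt from {ip} (banned)")
```

Note that the guessing client is refused at 10:01:12 even though it sent the right password: the ban was triggered by its fifth failure at 10:01:08, so the correct guess never reaches the password check. On a real site the same logic sits in front of the login handler (for WordPress, a plugin hooked into the login flow), and the ban store must be shared across all web workers rather than kept in one process’s memory.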
3. SEO Spam Attack
An SEO spam attack is one in which the hacker injects spam directly into the site’s core installation directory. Joomla and WordPress websites are often used to hide fake stores and spam doorway pages. In every case, the attacker is leveraging one of the core install directories.
This type of spam injection has three common characteristics:
- The spam pages are hidden inside a random directory under wp-includes (e.g. /wp-includes/finance/paydayloan or /wp-includes/werty/)
- The spam is conditional and often served based on the referrer
- We’ve noticed that, in almost every instance, the websites are running outdated WordPress installs or cPanel
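Because the injected spam is conditional, a site owner browsing normally never sees it. One defender-side check that follows from the characteristics above, added here as an example (not Artefact’s tooling): fetch a page once as an ordinary visitor and once with a search-engine referrer or crawler user-agent, then report links that appear only in the conditional response, with a separate flag for anything pointing into wp-includes. `http_fetch` is a real urllib client for use against your own site; `fake_fetch`, the HTML bodies and the spam links are constructed stand-ins so the example runs offline.

```python
"""Detect referrer- and crawler-conditional spam links on a page by
comparing a baseline fetch with probe fetches."""
import re
import urllib.request

LINK_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\']', re.IGNORECASE)

# Request variants that referrer-based spam typically reveals itself to.
PROBES = {
    "search-engine referrer": {"Referer": "https://www.google.com/"},
    "crawler user-agent": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                      "+http://www.google.com/bot.html)"},
}


def extract_links(html):
    """Set of href targets of every <a> tag in the document."""
    return set(LINK_RE.findall(html))


def http_fetch(url, headers):
    """Real HTTP client: GET `url` with the given extra request headers."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def detect_cloaking(url, fetch=http_fetch, probes=PROBES):
    """Map probe name -> sorted links present only when that probe's headers are sent."""
    baseline = extract_links(fetch(url, {}))
    findings = {}
    for name, headers in probes.items():
        extra = extract_links(fetch(url, headers)) - baseline
        if extra:
            findings[name] = sorted(extra)
    return findings


def wp_includes_links(links):
    """Links into wp-includes, a directory that should never serve pages."""
    return sorted(link for link in links if "/wp-includes/" in link)


# --- Constructed offline stand-in for a compromised site -------------------
CLEAN_HTML = ('<html><body><a href="/about/">About</a> '
              '<a href="/contact/">Contact</a></body></html>')
INJECTED = ('<div style="display:none">'
            '<a href="/wp-includes/finance/paydayloan/">cheap loans</a>'
            '<a href="http://spam.example/">buy now</a></div>')
CLOAKED_HTML = CLEAN_HTML.replace("</body>", INJECTED + "</body>")


def fake_fetch(url, headers):
    """Serve the injected page only when the request looks like a search engine."""
    referer = headers.get("Referer", "")
    user_agent = headers.get("User-Agent", "")
    if "google.com" in referer or "Googlebot" in user_agent:
        return CLOAKED_HTML
    return CLEAN_HTML


if __name__ == "__main__":
    for probe, links in detect_cloaking("https://example.org/", fake_fetch).items():
        print(f"[{probe}] links only visible to this probe: {links}")
        print(f"    of which inside wp-includes: {wp_includes_links(links)}")
```

Run against a live site by replacing `fake_fetch` with the default `http_fetch` and your own URL. A non-empty result for any probe means the page serves different links to search engines than to people, which is exactly the cloaking pattern described above; a link into wp-includes is a strong sign of the injected directory the attacker created.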
Joomla and WordPress Vulnerabilities Are On The Rise
Some statistics state that 73.2% of the most popular WordPress installations contain vulnerabilities that can be detected using free automated tools.
With continued reports in the news it seems that these numbers are only rising. Thus, it is imperative that we take action to protect ourselves.
What Should I Do To Prevent An Attack?
Artefact recommends the following steps to keep hackers out:
• Install a security plugin
• Use a PC that is free from malware and viruses
• Ensure your Joomla/WordPress blog is up to date
• Use strong passwords
• Use reputable hosting companies
• Don’t use themes from a source that is not trustworthy
• Backup your blogs (and full website) on a regular basis – at least once a month.
