Open Communication With Clients Leads To Enhanced Web Security
So how did you fare during this latest wave of website hacking?
If you don’t know what I’m referring to, you probably should check your web server for rogue files — particularly if your site is built on WordPress. (Yes, that WordPress which powers an estimated 23% of all websites.) Though, we’ve also recently seen Drupal-based sites hacked with the same type of vulnerability.
In late March, we noticed one of our web servers starting to act irrationally. One of the built-in services started consuming most of the server’s resources, causing the databases to freeze up and breaking the connection between the websites on the server and the database. The end result? Websites down until we restarted the server. But then the cycle began again . . .
Around the same time, we started hearing from friends, partners, and vendors about other sites “getting hacked.” Of course, those who relayed the story didn’t know the specifics of those hacks.
Then, one of our clients mentioned that their site was being listed on a global register for spam sites. Their website is on a dedicated virtual private server (VPS), not shared hosting (i.e., GoDaddy), yet somehow a rogue file had been added to their website via Cross-site Scripting (XSS). Then, that rogue file was linked to in spam emails. Fortunately, correcting this for the client was a matter of finding and removing all of the rogue files — simple, but tedious — and then reporting back to the registrar that the problem had been addressed. They’ve now been removed from the global register of spam sites.
The later third of April started to reveal what we and others had and were experiencing: an increase in attacks targeted at WordPress sites. This is evidenced by the three updates to WordPress core over the span of six days (compared with the prior three updates covered four months). Effectively, if you have forms on your site (comment forms, contact forms, and so forth), then it is vulnerable due to long-standing miscommunication between the core WordPress developers and plugin/theme developers. If you want to read more of the minutia, the Sucuri blog has a great writeup.
To date, here are some of the more popular plugins that were vulnerable.
- Jetpack
- WordPress SEO
- Google Analytics by Yoast
- All In One SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- UpdraftPlus
- WP-E-Commerce
- WPTouch
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Give
- Multiple iThemes products including Builder and Exchange
- Broken-Link-Checker
- Ninja Forms
- And hundreds, if not thousands, more plugins affected…
The result of the attacks appear to be mostly benign. Rogue files are added to your site, maybe an extra line of code added somewhere that puts an unwanted link in your site navigation, or your site redirects visitors elsewhere.
So what can you do if you’ve been hacked?
Recovering from these hacks, in our experience, hasn’t been difficult — just time consuming.
- Access your site with your favorite FTP client.
- Check each folder looking for files that don’t belong.
- Delete any files you find that shouldn’t be there.
- Then, do the steps below for general site security.
- Or, call a professional.
Even if you haven’t been hacked, you should at least do the following.
- Run all updates for WordPress and plugins.
- Remove all deactivated plugins.
- Remove any plugins you don’t really need.
- Delete all unused themes except for one.
- Conduct a site audit with a security plugin (ie. iThemes Security Pro).
- Ensure the Read-Write-Execute file permissions on your site are correct.
- Then, on a monthly basis, run all updates for WordPress and active plugins.
We also highly recommend not using shared hosting. In addition to the better performance of your site, you aren’t vulnerable to the lackadaisical practices of another website owner that just happens to be on your same server. It’s also easier to secure your server when you control all aspects of it, and can make recovering from a hack easier.
When thinking about securing your site, first take a moment to think like a hacker. Most attacks are not coordinated at a single target. They are attempting to exploit a vulnerability that applies to the greatest number of potential victims. The fewer vulnerabilities you retain, and the more information you conceal about your site (ie. change your login URL), the less likely you’ll deal with the aftermath of a hack.