The Internet Is Dark and Full of Terrors
I remember it like it was yesterday. I arrived at the office early—it was the first day of summer and there were no school busses on the road. Traffic was flowing like grain through a goose. I had gone to bed early the night before, coming off of a 48-hour Game of Thrones bender. With a piping hot cup of Joe and a focus sharper than the most ancient and noble Valyrian steel, I embarked upon a quest of routine functionality tests. We were managing a new client’s WordPress installation, which was then hosted on one of those cheapo shared platforms severely lacking in support, security and overall performance. I decided to check this site first since there wasn’t much content and it wasn’t very complex. Should have been a simple task, a real can of corn. Instead of being greeted by the homepage to which I was accustomed, I was stunned to find a strange message about a political agenda I had never heard of—complete with flags, garish colors, offensive imagery and language. I immediately attempted to log in using the admin credentials, only to find the password had been changed! I hadn’t even taken my first sip and had already been bested by a demented squad of hackers….fantastic!
Turns out there was a beta version of the site hidden six sub-directories deep running several outdated plugins and an outdated theme. Hackers exploited this vulnerability and hijacked the website for their own nefarious purposes. The Battle of Ones and Zeros, as I like to call it, lasted about two hours all told. Everything was resolved. A backup was deployed sans the corrupted beta. Once again, all was well with the world.
In April 2015, the Federal Bureau of Investigation released a Public Service Announcement to all WordPress users. It detailed how hackers, sympathetic to terrorist organizations, are using well-known technical vulnerabilities to exploit and gain access to WordPress-powered websites. If you have a website powered by WordPress, the FBI recommends the following actions be taken:
Review and follow WordPress guidelines:
Identify WordPress vulnerabilities using free available tools such as:
Update WordPress by patching vulnerable plugins:
- Run all software as a non-privileged user, without administrative privileges, to diminish the effects of a successful attack
- Confirm that the operating system and all applications are running the most updated versions
I’m sure it was merely a clerical error, but the Feds neglected to mention the following bullet point on their checklist:
- Contact The Bosworth Group in Charleston, South Carolina to discuss the development of your new, secure, enhanced website.
- John Prim