The Internet Is Dark and Full of Terrors
I remember it like it was yesterday. I arrived at the office early—it was the first day of summer and there were no school busses on the road. Traffic was flowing like grain through a goose. I had gone to bed early the night before, coming off of a 48-hour Game of Thrones bender. With a piping hot cup of Joe and a focus sharper than the most ancient and noble Valyrian steel, I embarked upon a quest of routine functionality tests.

We were managing a new client’s WordPress installation, which was then hosted on one of those cheapo shared platforms severely lacking in support, security and overall performance. I decided to check this site first since there wasn’t much content and it wasn’t very complex. Should have been a simple task, a real can of corn.

Instead of being greeted by the homepage to which I was accustomed, I was stunned to find a strange message about a political agenda I had never heard of—complete with flags, garish colors, offensive imagery and language. I immediately attempted to log in using the admin credentials, only to find the password had been changed! I hadn’t even taken my first sip and had already been bested by a demented squad of hackers... fantastic!
Turns out there was a beta version of the site hidden six sub-directories deep running several outdated plugins and an outdated theme. Hackers exploited this vulnerability and hijacked the website for their own nefarious purposes. The Battle of Ones and Zeros, as I like to call it, lasted about two hours all told. Everything was resolved. A backup was deployed sans the corrupted beta. Once again, all was well with the world.
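A forgotten copy like that beta site can be found by inventory before someone else finds it. The sketch below is an added example, not part of the original post: it walks a web root, locates every WordPress copy by its `wp-includes/version.php`, and reports the core version and each plugin's `Version:` header. The function names, the sample directory tree and the version numbers in `demo()` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Core version assignment in wp-includes/version.php; "Version:" plugin header.
CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
PLUGIN_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def first_match(path, pattern):
    m = pattern.search(path.read_text(errors="replace")[:8192])
    return m.group(1) if m else None

def plugin_versions(plugins_dir):
    """Map each plugin folder to the Version header found in its PHP files."""
    found = {}
    if plugins_dir.is_dir():
        for folder in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
            hits = (first_match(f, PLUGIN_RE) for f in sorted(folder.glob("*.php")))
            found[folder.name] = next((v for v in hits if v), "unknown")
    return found

def find_wordpress_installs(web_root):
    """One record per WordPress copy under web_root, deepest first."""
    root, installs = Path(web_root), []
    for version_file in root.rglob("wp-includes/version.php"):
        site = version_file.parent.parent
        installs.append({
            "path": str(site.relative_to(root)),
            "depth": len(site.relative_to(root).parts),
            "core": first_match(version_file, CORE_RE) or "unknown",
            "plugins": plugin_versions(site / "wp-content" / "plugins"),
        })
    return sorted(installs, key=lambda i: -i["depth"])

def demo():
    """Constructed sample: a live site plus a forgotten copy six levels down."""
    root = Path(tempfile.mkdtemp())
    beta = root.joinpath("a", "b", "c", "d", "e", "beta")
    for site, core in ((root, "9.9.9"), (beta, "1.0.0")):  # made-up versions
        (site / "wp-includes").mkdir(parents=True)
        (site / "wp-includes" / "version.php").write_text(
            "<?php\n$wp_version = '%s';\n" % core)
    plugin = beta / "wp-content" / "plugins" / "sample-plugin"
    plugin.mkdir(parents=True)
    (plugin / "sample-plugin.php").write_text(
        "<?php\n/*\n * Plugin Name: Sample\n * Version: 0.1\n */\n")
    return find_wordpress_installs(root)

if __name__ == "__main__":
    for install in demo():
        print(install)
```

Point `find_wordpress_installs` at the real document root to get the same report; deciding whether a listed version is outdated still means comparing it against the current releases.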
In April 2015, the Federal Bureau of Investigation released a Public Service Announcement to all WordPress users. It detailed how hackers, sympathetic to terrorist organizations, are using well-known technical vulnerabilities to exploit and gain access to WordPress-powered websites. If you have a website powered by WordPress, the FBI recommends the following actions be taken:
- Review and follow WordPress guidelines:
  - http://codex.wordpress.org/Hardening_WordPress
- Identify WordPress vulnerabilities using free available tools such as:
  - http://www.securityfocus.com/bid
  - http://cve.mitre.org/index.html
  - https://www.us-cert.gov
- Update WordPress by patching vulnerable plugins:
  - https://wordpress.org/plugins/tags/patch
- Run all software as a non-privileged user, without administrative privileges, to diminish the effects of a successful attack
- Confirm that the operating system and all applications are running the most updated versions
I’m sure it was merely a clerical error, but the Feds neglected to mention the following bullet point on their checklist:
- Contact The Bosworth Group in Charleston, South Carolina to discuss the development of your new, secure, enhanced website.
- John Prim