Uncle Sam Wants You To Update Your WordPress Plugins

By Bryan Ruby, 15 April 2015

In times of war, you may be asked what you can do for your country. In modern times, your country may be asking you to do your part by updating your WordPress plugins.

The United States' Federal Bureau of Investigation (FBI), through the Internet Crime Complaint Center (IC3), issued a public service announcement last week recommending that website administrators update their WordPress sites. More specifically, the bureau wants you to update your third-party WordPress plugins.

Why is the FBI worried about your content management system? Apparently, continuous website defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). According to the FBI, the defacements have affected website operations and the communication platforms of:

  • News organizations
  • Commercial entities
  • Religious institutions
  • Federal/state/local governments
  • Foreign governments
  • A variety of other domestic and international websites

While one wouldn't expect WordPress to house national or company secrets, all this unwanted disruption translates to cost in terms of lost business revenue and expenditures on technical services to repair infected computer systems.

But why is the FBI focused on WordPress and not another CMS? In part, it's because WordPress is popular and used by many. The more sites vulnerable to known and specific exploits, the easier it is for hackers to find their targets. All victims of the defacements identified by the FBI shared common WordPress plug-in vulnerabilities easily exploited by commonly available hacking tools.

Researchers continue to identify WordPress Content Management System (CMS) plug-in vulnerabilities, which could allow malicious actors to take control of an affected system. Some of these vulnerabilities were exploited in the recent Web site defacements noted above. Software patches are available for identified vulnerabilities.

Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers. An attacker could install malicious software; manipulate data; or create new accounts with full user privileges for future Web site exploitation.

What should you do if you run a WordPress site? First, you should ensure that you are running the latest version of WordPress. As of this writing, that's WordPress 4.1.1. The FBI also recommends the following actions be taken:

  • Review and follow WordPress guidelines for improving security (see Hardening WordPress).
  • Identify WordPress vulnerabilities using freely available tools such as those provided by SecurityFocus, CVE, and US-CERT.
  • Update WordPress by patching vulnerable plugins.
  • Run all software as a non-privileged user, without administrative privileges, to diminish the effects of a successful attack.
  • Confirm that the operating system and all applications are running the most updated versions.
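As an added example (not from the FBI announcement or from this article's author), the "identify" and "update" steps above can be turned into a small audit: read each installed plugin's `Version:` header and compare it with the first patched release named in an advisory. The plugin slugs and the `FIXED_IN` table are constructed placeholders; real values would come from the advisory sources listed above.

```python
import re
import tempfile
from pathlib import Path

# WordPress reads plugin metadata from a comment header in the plugin's main PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+)$", re.I | re.M)

# Constructed advisory data: plugin slug -> first release containing the fix.
FIXED_IN = {"example-slider": "1.10.0", "example-forms": "2.3.0"}

def read_header(php_file):
    """Return the header fields found in the first 8 KiB of a PHP file."""
    text = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    fields = {}
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key.lower(), value.strip())
    return fields

def version_key(version):
    """'1.10.0' -> (1, 10), so 1.10 sorts after 1.9 and 2.3 equals 2.3.0."""
    parts = [int(n) for n in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def audit_plugins(plugins_dir, fixed_in=FIXED_IN):
    """Return (slug, installed, fixed) for each plugin older than its fix."""
    findings = []
    for plugin in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        for php in sorted(plugin.glob("*.php")):
            header = read_header(php)
            if "plugin name" not in header:
                continue  # helper file, not the plugin's main file
            installed = header.get("version", "0")  # no version: treat as oldest
            fixed = fixed_in.get(plugin.name)
            if fixed and version_key(installed) < version_key(fixed):
                findings.append((plugin.name, installed, fixed))
            break
    return findings

def demo():
    """Audit a constructed plugins directory created in a temp folder."""
    sample = {"example-slider": "1.9.0", "example-forms": "2.3", "example-gallery": "0.4"}
    with tempfile.TemporaryDirectory() as root:
        for slug, version in sample.items():
            main = Path(root, slug, slug + ".php")
            main.parent.mkdir()
            main.write_text(f"<?php\n/*\n * Plugin Name: {slug}\n * Version: {version}\n */\n")
        return audit_plugins(root)

if __name__ == "__main__":
    print(demo())
```

On a real site, point `audit_plugins` at `wp-content/plugins` and run it from a read-only, non-privileged account, in keeping with the least-privilege recommendation above.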

The FBI believes the perpetrators of the website defacements are not members of the ISIL terrorist organization. Instead, these individuals are hackers using relatively unsophisticated methods to exploit technical vulnerabilities and are utilizing the ISIL name to gain more notoriety. In other words, the hackers involved are likely the same type of hackers we've seen plenty of times before but only this time around they're hiding behind and using the ISIL brand of fear.

Let me end on one final note. While WordPress may be singled out in this article and by the FBI, websites running out-of-date software aren't just a WordPress problem; they are an Internet problem. Website owners wanting to cut corners to save costs or system administrators too lazy (or overworked) to patch their systems need to do a better job of keeping the software they use up to date. Whether you're using WordPress or any other open source or proprietary CMS, if you want to keep your website out of the headlines then you need to keep your software up to date.

Copyright © 2004-2025, Bryan Ruby. All Rights Reserved.