WordPress 4.4.2 was released February 2. This release fixes two known security flaws.
Hot on the heels of this security release come two worrying developments. The first, reported on over at the Wordfence blog, concerns a new WordPress attack platform that makes it easier than ever for criminals to attack WordPress sites. From the article:
The attack platform once fully installed provides an attacker with 43 attack tools they can then download, also from pastebin, with a single click. The functionality these tools provide includes:
- Complete attack shells that let attackers manage the filesystem, access the database through a well designed SQL client, view system information, mass infect the system, DoS other systems, find and infect all CMS’s, view and manage user accounts both on CMS’s and the local operating system and much more.
- An FTP brute force attack tool
- A Facebook brute force attacker
- A WordPress brute force attack script
- Tools to scan for config files or sensitive information
- Tools to download the entire site or parts thereof
- The ability to scan for other attackers shells
- Tools targeting specific CMS’s that let you change their configuration to host your own malicious code
The post includes a video of the attack platform in action.
Second, from Ars Technica, is a report of WordPress sites being hacked and made to download ransomware to visitors' computers.
It's not currently clear how the sites are being compromised, but it may be via an unknown zero-day security exploit. From the article:
It's not yet clear how the WordPress sites are getting infected in the first place. It's possible that administrators are failing to lock down the login credentials that allow the site content to be changed. It's also feasible that attackers are exploiting an unknown vulnerability in the CMS, one of the plugins it uses, or the operating system they run on. Once a system is infected, however, the website malware installs a variety of backdoors on the webserver, a feature that's causing many hacked sites to be repeatedly reinfected.
What can you do to protect your WordPress site? If you're running WordPress, I strongly, strongly urge you to do the following:
- Use strong admin passwords! I can not emphasize this enough. Use strong admin passwords! Criminals use automated tools to scan thousands of WordPress sites an hour looking for weak passwords. A normal WordPress install will be scanned dozens to hundreds of times a day. Use strong admin passwords!
- Update all your sites RELIGIOUSLY. When a WordPres security patch is released, criminals will go to work examining the patch to see what it fixes, then develop automated tools to automatically hack unpatched sites. You may have only 24-48 hours between when a security patch comes out and when people start using tools that will automatically compromise sites that haven't installed the patch. Turn on automatic updates. Keep on top of your site.
- Install a tool like WordFence. This free plugin will protect your site by locking out people who use known attack tools or brute-force password guessing attempts. It will notify you by email of hack attempts and updates that need to be installed.
- Install a tool like WPS Hide Login to move your login page to a hidden location, like /mysecretlogin instead of /wp-login.php. This will go miles toward securing your site.
I highly recommend you install the free Infinite WP tool as well. It's a plugin plus a Web app that will notify you of updates and allow you to update one or many WordPress sites with just one button click. This is a great way to keep on top of security patches.
Also, absolutely do not assume you're safe because you're an obscure little blog that nobody cares about. The criminals will still find you. They use totally automated tools to scan for vulnerable WordPress sites looking for installations to exploit. It doesn't matter if only you and your mom know about your site--criminals will find it and will exploit it.