Staying One Step Ahead of WordPress Hackers

The importance of keeping WordPress up to date

On February 1, 2017, WordPress announced that the most recent release of WordPress core included a security fix. Because WordPress is updated regularly and most releases contain some sort of security patch, the announcement drew little attention at first. Within days, however, the number of reported WordPress hacks skyrocketed as attackers worked out how easily the patched bug could be exploited. Several of them competed to see who could deface the most pages, and the total number of hacked pages reached an astounding 2 million within a few days. Note that these figures cover one specific defacement campaign, in which the attackers injected an image and some metadata into a site's home page. Not only were the sites defaced, but their Google search results were tarnished as well. WordFence has a detailed blog post on the specifics of the campaign.

This is a perfect example of why WordPress site owners need to be diligent about keeping WordPress up to date. By default, WordPress installs minor releases such as this one automatically, but that only covers the release branch a site is already on: if automatic updates have been disabled, or if the site is several major versions behind (a major upgrade has to be applied by hand), outdated and exploitable code stays in place. Had every outdated site been upgraded on the day of the release, the number of hacked sites would have been a tiny fraction of what it was, and countless hours of frustration cleaning up hacks could have been avoided.
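The two things worth checking across a fleet of sites are the installed core version and whether automatic core updates have been switched off. The script below is an added example, not code from the original post: it reads the `$wp_version` assignment that a real install keeps in `wp-includes/version.php`, reads the `WP_AUTO_UPDATE_CORE` and `AUTOMATIC_UPDATER_DISABLED` constants from `wp-config.php`, and classifies each site as current, a minor release behind, or a major version behind. The site names, file contents and the "latest" version number are constructed for illustration.

```python
import re

# Matches the version assignment in wp-includes/version.php, e.g. $wp_version = '4.7.2';
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([0-9]+(?:\.[0-9]+)*)['"]""")

# Matches define('NAME', value) in wp-config.php; value is true, false or a quoted string.
CONFIG_RE = re.compile(r'''define\(\s*['"]([A-Z_]+)['"]\s*,\s*(true|false|['"][^'"]*['"])\s*\)''')

# Constructed sample: (contents of wp-includes/version.php, contents of wp-config.php)
# for three hypothetical sites. Site names and settings are made up.
SAMPLE_SITES = {
    "site-a": ("<?php\n$wp_version = '4.7.2';\n$wp_db_version = 38590;\n",
               "<?php\ndefine('DB_NAME', 'wp');\n"),
    "site-b": ("<?php\n$wp_version = '4.7.1';\n",
               "<?php\ndefine('WP_AUTO_UPDATE_CORE', false);\n"),
    "site-c": ("<?php\n$wp_version = '4.5';\n",
               "<?php\ndefine( 'AUTOMATIC_UPDATER_DISABLED', true );\n"),
}

# Assumed "latest" core version for the illustration.
LATEST = (4, 7, 2)


def parse_wp_version(version_php):
    """Return the installed version as a 3-tuple, padding '4.5' to (4, 5, 0)."""
    m = VERSION_RE.search(version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def update_status(installed, latest):
    """'current', 'minor-behind' (same x.y branch) or 'major-behind' (older branch)."""
    if installed >= latest:
        return "current"
    if installed[:2] == latest[:2]:
        return "minor-behind"
    return "major-behind"


def core_auto_updates_disabled(wp_config):
    """True if wp-config.php turns off automatic core updates.

    AUTOMATIC_UPDATER_DISABLED = true switches off the whole auto-updater;
    WP_AUTO_UPDATE_CORE = false switches off core auto-updates (the default
    behaviour is to apply minor releases only).
    """
    settings = {name: value.strip("'\"").lower() for name, value in CONFIG_RE.findall(wp_config)}
    if settings.get("AUTOMATIC_UPDATER_DISABLED") == "true":
        return True
    if settings.get("WP_AUTO_UPDATE_CORE") == "false":
        return True
    return False


def audit(sites, latest):
    """Build a per-site report; a site needs attention if it is behind or auto-updates are off."""
    report = {}
    for name, (version_php, wp_config) in sites.items():
        installed = parse_wp_version(version_php)
        report[name] = {
            "installed": ".".join(str(p) for p in installed),
            "status": update_status(installed, latest),
            "auto_updates_disabled": core_auto_updates_disabled(wp_config),
        }
    return report


if __name__ == "__main__":
    for site, row in audit(SAMPLE_SITES, LATEST).items():
        print(site, row)
```

A site that is a major version behind will never catch up on its own, no matter how automatic updates are configured, so those are the ones to schedule a manual upgrade for first.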

Regular maintenance is the key

While the defacements described above were obvious and dramatic, most were cleaned up quickly for exactly that reason: a glance at the site confirmed something was seriously wrong. That visibility works against the attacker. Like a virus that kills its host too quickly, an exploit that announces itself gets removed, so more and more compromises are designed for stealth, keeping the site hacked without anyone noticing.

One newer technique is to inject fake analytics tracking code into a site. The script then quietly loads several off-site pages in the background, inflating page views for those pages and generating revenue for the attacker. It is clever because a casual visitor may never notice anything wrong, yet those parasitic pages can also serve malware to the visitor's browser.

Another recent technique is to hide the malicious code in a file that looks harmless. For example, there is a known exploit that uses a file named paypal_icon.jpg to run a script that steals credit card data. Even someone very familiar with the site's file system would probably not think twice about a file with that name. Since a web server will not execute a .jpg on its own, a file like this normally depends on another, modified PHP file that includes it, which is the second thing to look for when such a file turns up.

To defeat techniques like these, the first and most important step is to keep everything up to date and securely configured so the compromise never happens in the first place. The second step is to have the site professionally maintained, so that any "behind the scenes" malware is found and removed quickly rather than left unchecked. Periodic scanning with malware-detection software is a must, and the scan has to look at file contents and page output, not just file names and extensions.
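The two stealthy techniques above, injected off-site "analytics" scripts and PHP hiding behind an image file name, are both easy to catch with content checks rather than name checks. The scanner below is an added example, not code from the original post or from any named product: it flags `<script src>` tags on a page whose host is not on a per-site allowlist, and flags files with an image extension whose bytes do not start with that format's magic number or that contain a PHP open tag anywhere (PHP appended after a genuine image is a common variant). The allowlist, the sample page and the sample file contents are constructed for illustration; `example.net` is a reserved documentation domain, not a real attacker host.

```python
import re
from urllib.parse import urlsplit

# Hosts this site is expected to load scripts from (assumed; tune per site).
SCRIPT_ALLOWLIST = {"www.google-analytics.com", "www.googletagmanager.com"}

# Constructed sample page: a local script, a legitimate analytics tag, and an
# injected "analytics" tag pointing at an unrelated host.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script src="//stats.example.net/ga.js"></script>
</head><body></body></html>"""

# Leading bytes each image format must start with.
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}

# Constructed sample files: a genuine JPEG header, a "JPEG" that is really PHP
# (a placeholder comment stands in for the hidden script), and a real PNG
# header with PHP appended after the image data.
SAMPLE_FILES = {
    "wp-content/uploads/logo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "wp-content/uploads/paypal_icon.jpg": b"<?php /* constructed placeholder for a hidden script */ ?>",
    "wp-content/uploads/header.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"<?php /* appended */ ?>",
}

SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.I)


def unexpected_script_hosts(html, allowlist=SCRIPT_ALLOWLIST):
    """Hosts of external <script src> tags that are not on the allowlist.

    Relative URLs (no host) are served by the site itself and are skipped;
    protocol-relative URLs such as //host/x.js are resolved to their host.
    """
    found = []
    for src in SCRIPT_SRC.findall(html):
        host = urlsplit(src).hostname
        if host is None:
            continue
        host = host.lower()
        if host not in allowlist:
            found.append(host)
    return found


def suspicious_image_files(files):
    """Map path -> reasons for files whose image extension does not match their contents."""
    findings = {}
    for path, data in files.items():
        ext = path[path.rfind("."):].lower() if "." in path else ""
        magic = IMAGE_MAGIC.get(ext)
        if magic is None:
            continue  # not claiming to be an image; out of scope for this check
        reasons = []
        if not data.startswith(magic):
            reasons.append("bad magic bytes")
        if b"<?php" in data:
            reasons.append("contains PHP open tag")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    print("unexpected script hosts:", unexpected_script_hosts(SAMPLE_HTML))
    for path, reasons in suspicious_image_files(SAMPLE_FILES).items():
        print(path, "->", ", ".join(reasons))
```

Run the file check over `wp-content/uploads` (where image files legitimately live) and the script check over the rendered home page rather than the theme source, since injected tags are often written into the database or a plugin rather than the template itself.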

While WordPress tends to draw a lot of unwanted attention, some very simple guidelines and a bit of diligence can do wonders for keeping a site secure.
