The Federal Bureau of Investigation released alert number I-040715a-PSA today regarding the continuous defacement and exploitation of WordPress sites perpetrated by individuals sympathetic to the Islamic State (ISIL/ISIS). The defacements have affected website operations and communication platforms across the country, as well as internationally. The WordPress CMS (Content Management System) and lazy/uninformed WordPress administrators are the targets of choice, as self-hosted sites and the plug-ins that they deploy are often left out of date and extremely vulnerable to attack. The methods used are not sophisticated: they are the simple exploitation of vulnerable plug-ins and out-of-date versions of WordPress. The attackers are using these vulnerabilities to bypass security restrictions, install malware, deface websites and manipulate data.
Industry experts have been warning administrators for a long time now: keep your sites and plug-ins up to date, if for no other reason than to protect your staff and clients from a data breach. If you’re not willing to do so, stick to Facebook.
Graham Cluley says it best in his recent post… “But sadly a lot of websites running WordPress remain shockingly vulnerable. Whether that’s because the site’s owners are ignorant of the threat, simply don’t care, or have handed administration of their website to a third-party contractor who has too much else on their plate doesn’t really matter. The end result is that you are putting your visitors at risk and your company’s reputation at stake if you don’t keep your site properly secured.”