How Safe is Your Website?
As the modern marketplace has come to rely on virtual media, storefronts, and relationship management, the need for greater cybersecurity—on everything from hosting servers to personal PCs to mobile devices—has increased exponentially. Gone are the days of casual GeoCities storefronts, secured only with a (hopefully) strong password and a vigilant eye.
Mischief on the World Wide Web
Today, the World Wide Web has nearly 15 billion web pages (spread across more than 600 million websites), and cybersecurity has become big business. Terms which meant little to anyone outside the then-rarefied Information Technology field twenty or even ten years ago—hacking, phishing, Denial of Service (DoS) attack—have entered the mainstream as businesses and individuals alike find themselves on the receiving end of Internet mischief.
Yet “mischief” may not be a strong enough term. Attacks on business and government websites have increased as activists, anarchists, and (perhaps most famously) “hacktivist” group Anonymous have made compromising the websites and secure files of their unlucky targets into something of an art. And for those who find themselves on the receiving end of a hacker’s “performance piece,” the costs can be astronomical.
Government Websites Aren’t Immune
Consider the city of Naperville, Illinois, whose official city website was hacked in October of 2012. In addition to disabling email to and from the city’s employees, the attack effectively eliminated Naperville residents’ online access to utilities and social services. The city authorized nearly $700,000 to restore the site and improve security, but the ancillary costs—time, citizen confidence in the safety of their data, delays in services—are more difficult to quantify.
Of course, government websites aren’t the only popular target for attack. In what has become something of a cautionary tale for the gaming community and cybersecurity proponents alike, Sony’s PlayStation Network was crippled in 2011 by a cyber attack that cost the company $171 million and left the personal data (including names, addresses, and credit card information) of 77 million account holders exposed. The electronics juggernaut faced massive litigation, was forced to rebrand, and continues to struggle to regain customer trust.
The Threats Are Real — and Vast
The threat is real, and the stakes are high. With 86% of websites currently vulnerable to at least one vector of cyberattack, a smart, well-developed, and adaptable cybersecurity plan—one that includes finding a hosting provider with adequate security options—is no longer optional for businesses looking to keep their websites and customer data secure.
How Safe Is Your Website?
Hundreds of thousands of websites running the two most common content management systems are attacked each year. We’ve taken a look at just how common these attacks are, what causes them, and how to keep them from reaching your site.
634,000,000 websites reported across the globe – Dec 2012.
- 10% of sites powered by WordPress
- 4.7% of sites powered by Joomla!
- 48% of the top 100 blogs use WordPress.
Nearly 25,000 WordPress plugins are available with more than 450 million downloads.
From 2010 to 2012, web malware grew about 140%.
Nearly 200,000 phishing attacks globally in the first half of 2012, totaling a loss of $687 million – a 19% increase from 2011.
- April 2013
  - 90,000 IP addresses with WordPress and Joomla! sites
  - Cause: Weak usernames and passwords
  - “Pay Day Loan” spam links were injected into the popular WordPress social media widget plugin (social-media-widget), which had 900,000 downloads
  - Cause: The plugin was sold and the new owners decided to use its big audience to inject spam on all the sites using the plugin. This has also happened on Joomla! sites
- Dec 2012
  - WordPress and Joomla! websites were the victims of search engine poisoning (SEP) attacks
  - Cause: One theory was GoDaddy hosting, another was outdated versions of the platforms. Sucuri identified two different variants of the attack
- Sept 2012
  - First U.S. bank websites, then a number of other PHP web applications, such as Joomla! and many WordPress sites
  - Cause: An outdated version of the timthumb plugin (a popular PHP-based image resizer). The hack resulted in multiple false posts to its website, including a fake interview with a Syrian rebel army leader
- Aug 2012
  - Thomson Reuters
  - Cause: An outdated version of WordPress (running 3.1.1 instead of the then-current 3.4.1)
- March 2012
  - Over 30,000 ExpressionEngine, Joomla!, and WordPress websites were hit by a mass injection attack aimed at spreading fake antivirus software
  - Cause: Weak FTP credentials
Most Common Types of Attacks on WordPress and Joomla! Sites
- Attackers bypass normal authentication to gain remote access to your environment via abnormal methods such as FTP, SFTP, and WP-Admin.
- Drive-by Downloads
  - Malware is embedded on your website via some type of script injection. Common causes are outdated software, compromised credentials, and SQL injection.
- Pharma Hacks
  - More of a spam menace than malware. These are even more dangerous because at first they are visible only to search engines. If affected, your website may be tagged by Google as “compromised.”
- Malicious Redirects
  - Redirect the user to a different website and can affect both your primary domain and its subdomains.
Most Common Problems
- Cheap hosting
- Badly coded third-party extensions
- Poor or weak passwords and administrator credentials
- Out of date core files, platforms, plugins, and extensions
Solutions and Best Practices for Security
- Stay educated
- Use a secure host
- Use a scanner such as Sucuri’s SiteCheck (which is free) to check for infections. Theme and plugin checks are also available
- Sign up for Google webmaster tools and verify your website
- Use very strong passwords
- Take inventory of your PHP extensions and keep them up to date
- Log network traffic so that inbound PHP requests reveal would-be attackers probing for those applications
- Back up your site
- Update your site (don’t ignore the WordPress message urging you to update to the latest version!)
- Install plugins that limit the number of login attempts from the same IP address or network (and keep them updated)
- Turn on two-factor authentication to add an extra layer of security
- Use the latest security update
- Use a SEF (search engine friendly) URL component that makes your site more secure. A default Joomla! URL tells the viewer a lot about the page visited: that it is a Joomla! page and which components are in use. A SEF component masks that information and makes it harder for a hacker to find security vulnerabilities; it hides the component names rather than fixing them, so keep updating as well
- Write-protect your configuration file (make it unwritable). In Joomla! the file is called configuration.php and is located in the root folder of your domain
- Delete unused templates
- Change file permissions to restrict editing or overwriting
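The last three items (write-protecting the configuration file, restricting permissions, and having a way to check that this is still true later) can be scripted. The POSIX shell script below is an added example and is not part of the infographic or of Joomla!; it builds a throwaway directory tree that mimics a Joomla! document root (the file names are constructed for the demo), applies the baseline of 755 on directories, 644 on files, and 444 on configuration.php, and provides a verification function that returns non-zero whenever the tree drifts from that baseline, so it can be run from a scheduled job. The WordPress equivalent of configuration.php is wp-config.php (my note, not the page's).

```shell
#!/bin/sh
# Added example (not from the infographic, not Joomla! project code): apply and
# verify a conservative permission baseline on a site's document root.
# The demo tree created by make_demo_site is constructed for this example.

# Print the octal permission bits of a path (GNU stat first, BSD stat fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a constructed site layout under a fresh temp dir and print its path.
# It deliberately starts with loose (777) permissions on several entries.
make_demo_site() {
  root=$(mktemp -d)
  mkdir -p "$root/templates/old_template" "$root/administrator"
  printf '<?php $public = "demo";\n' > "$root/configuration.php"   # Joomla! config file
  printf '<?php echo "index";\n'    > "$root/index.php"
  printf '<?php echo "tpl";\n'      > "$root/templates/old_template/index.php"
  chmod 777 "$root/configuration.php" "$root/index.php"
  chmod 777 "$root/templates"
  printf '%s\n' "$root"
}

# Apply the baseline: directories 755, files 644, and the config file read-only (444)
# so a compromised plugin running as the web user cannot rewrite it.
harden_site_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  chmod 444 "$root/configuration.php"
}

# Return 0 when the tree still matches the baseline, 1 otherwise.
# Suitable as a cron check: a non-zero exit means something changed the permissions.
verify_site_perms() {
  root="$1"
  [ "$(mode_of "$root/configuration.php")" = 444 ] || return 1
  [ -z "$(find "$root" -type f ! -name configuration.php ! -perm 644)" ] || return 1
  [ -z "$(find "$root" -type d ! -perm 755)" ] || return 1
  return 0
}

# Demo run: the fresh tree fails verification, passes after hardening.
site=$(make_demo_site)
verify_site_perms "$site" && echo "unexpected: already hardened" || echo "before: loose permissions under $site"
harden_site_perms "$site"
verify_site_perms "$site" && echo "after: baseline applied"
rm -rf "$site"
```

On a real install, point harden_site_perms at the document root and run it as the owner of the files; because verify_site_perms checks exact modes, any entry that is not 644/755/444 (for example a newly uploaded plugin that arrived as 777) makes it return 1, which is exactly the drift you want to hear about.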
Keep up-to-date and stay secure!
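Two of the practices above, logging traffic to spot requests that probe for PHP components and limiting repeated login attempts from one address, can be checked against an ordinary web server access log. The POSIX shell script below is an added example, not part of the infographic or of any product it mentions; the log lines are constructed for the demo in Apache "combined" format, the login paths it counts are WordPress's wp-login.php and Joomla!'s /administrator/index.php (an assumption of mine about the second), and the probe patterns are limited to timthumb.php and the wp-content/plugins/ directory that the page itself discusses.

```shell
#!/bin/sh
# Added example (not from the infographic): find repeated login POSTs from one
# address and requests that probe for known PHP components in an access log.
# SAMPLE_LOG is constructed for this demo; it is not real traffic.

SAMPLE_LOG='203.0.113.5 - - [10/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2013:10:01:00 +0000] "GET / HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2013:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:10:02:00 +0000] "GET /wp-content/plugins/old-plugin/timthumb.php?src=x HTTP/1.1" 404 512 "-" "-"
198.51.100.7 - - [10/Apr/2013:10:02:01 +0000] "GET /administrator/index.php HTTP/1.1" 200 3010 "-" "-"'

# Count login-form POSTs per client address and print "ip count" for every
# address at or above the threshold given as $1. Reads log lines from stdin.
# In combined format, whitespace splitting gives $1 = client IP, $6 = "METHOD
# (with the opening quote attached) and $7 = request path.
login_posts_over() {
  awk -v min="$1" '
    $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/administrator\/index\.php/) { n[$1]++ }
    END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
  ' | sort
}

# Print "ip path" for requests that touch well-known plugin locations, which is
# the pattern of an outdated-component scan rather than normal browsing.
plugin_probes() {
  awk '$7 ~ /timthumb\.php/ || $7 ~ /^\/wp-content\/plugins\// { print $1, $7 }' | sort -u
}

# Demo run over the constructed log; on a real host replace the printf with
# something like: tail -n 10000 /var/log/apache2/access.log
echo "addresses with 3 or more login POSTs:"
printf '%s\n' "$SAMPLE_LOG" | login_posts_over 3
echo "requests probing plugin paths:"
printf '%s\n' "$SAMPLE_LOG" | plugin_probes
```

The threshold is deliberately a parameter: a single login POST from 192.0.2.9 is what a legitimate administrator produces, while five in five seconds from 203.0.113.5 is what a login-limiting plugin is meant to cut off, and the output of login_posts_over is a quick way to confirm such a plugin is actually doing its job.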