WordPress installs can be hacked before you even get a chance to use them.
As a web designer and developer, I try to be aware of current issues that affect my clients. So when I saw the latest WordPress attack from Defcon this year, it was a wake up call. I knew it was time to sit up and pay attention. Website administrators don’t always include security as part of their job. Some developers either trust their security to third parties, or ignore the issue altogether. When ignored, however, security can become a much bigger problem than you might expect.
How did my site get hacked so quickly?
Mark Maunder over at WordFence has a great blog post on this new attack, titled “Hackers Find Fresh WordPress Sites Within 30 Minutes“. In short, attackers have found a new and exciting way to break in to new WordPress sites. These attackers profit from the fact that many new web hosting packages include SSL certificates, and that certificate records are public. This creates a steady stream of information, helping attackers find fresh WordPress installs to target. Through manipulation of the default WordPress installation process, they can breach your new website before you even get a chance to use it.
Different attackers want different things from your website. Some are out to destroy and deface your website as soon as it goes up, for kicks and giggles. Others are more interested in holding your site for ransom. E-commerce and medical websites are especially at risk, because of the highly sensitive information they handle. A skilled attacker can wait silently, collecting credit card information, social security numbers, patient records, and other valuable data. They can then sell that information on the black market, leaving you holding the bag.
This is awful! What do I do?
First of all, don’t panic! If you have a WordPress site, I recommend starting with free tools like GravityScan and WordFence. GravityScan will scan your site for malicious code and vulnerabilities. WordFence is a plugin which, among other features, monitors your website for any suspicious activity. Your site should also have an SSL certificate installed. In addition to helping to protect your site against third-party snooping, having an SSL certificate improves your search ranking! You can get a free SSL certificate from Let’s Encrypt.
If you’re setting up a new WordPress install, follow the instructions Mark has laid out in his blog post. If you get stuck, go ahead and contact your hosting provider. It’s their job to help you handle back-end tasks that you may not be familiar with (for example, if you don’t have shell access).
Security is complicated. I don’t want to deal with all this.
Unfortunately, dealing with security is part of dealing with technology. You can’t have one without the other. Yes, security can be a challenging issue, and keeping up with security is a lot of work. It requires the dedication to constantly learn new things, and to keep your knowledge and understanding up to date. Take heart: you’re not alone in this battle. There are tons of great resources out there to help you learn about information security; Bruce Schneier, Brian Krebs, and Threatpost all have excellent sites full of useful information.
And hey — if you get overwhelmed or frustrated, reach out to us. We’re here to help.