It’s being reported by Malwarebytes’ CyberheistNews and other sources that an unexpectedly large wave of hacking has been hitting thousands of WordPress sites (described as the “Weird WordPress Hack” just to fit in with the Buzzfeed style of headlines). The attacks are described as follows:
"WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads," Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. "This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit."
The Nuclear Exploit Kit, a very sophisticated mechanism for analyzing and interacting with browsers and delivering malware to them, is used to spread Cryptowall ransomware which, as a website owner, is something you don’t want to be handing out and, as a user of an infected website, something you don’t want to contract.
At this point I need to include the mandatory rules for dealing with ransomware:
- Make sure you have backups
- Make sure that your backups can be restored
- Do not deal with ransomers or pay a ransom
- Report the ransom attempt to the FBI’s Internet Crime Complaint Center (IC3)
- Find out how you got infected then plug the hole
- Update your network security plan
I must note that last year an FBI spokesperson did, in fact, say the following about Cryptowall:
The ransomware is that good... To be honest, we often advise people just to pay the ransom.
This is terrible advice both from a practical viewpoint (you might not get your data decrypted even though you pay) and an ethical one (paying ransoms encourages more hostage-taking). Nope, there’s no excuse: you should be able to recover your files from backup and ignore the ransom demands. But I digress ...
Nowadays WordPress has become extremely vulnerable to hacking: it’s open source and therefore really well understood, it runs something like 30 percent of all websites, and, given the huge range of third party additions (themes, plugins, etc.), ensuring any given installation is hacker-proof is pretty difficult. "Ah!" you might be muttering, "surely keeping WordPress and your plugins up to date is the answer?" Well, my friend, you might like to think so, but it seems this latest wave of WordPress hacking may involve one or more zero day vulnerabilities. The scale and complexity of the WordPress ecosystem makes for what’s called a large attack surface.
I run a number of WordPress-powered websites and on one of them I recently enabled the email notification feature of a plugin called 404 to 301. This plugin handles 404 errors generated by requests for non-existent content by turning them into 301, 302 or 307 server-side redirects. I hadn’t bothered enabling the email notifications before because when I tried them for a month a couple of years ago the plugin hadn’t generated any alerts. But when I recently enabled notifications I was surprised to see waves of requests for all sorts of content that a hacker might look for, such as /wp-includes/SimplePie/Net/IPv7.php. These may all be potential vulnerabilities and the requests have come mainly from Germany, the Netherlands, and Russia, but this particular site is defended by WordFence (which I wrote about almost a year ago) and, so far, so good; we’ve remained uncompromised.
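If you don’t want to rely on a plugin’s email alerts, the same pattern (one source address collecting a string of 404s under the WordPress system directories) can be pulled straight out of the web server’s access log. The script below is an added example, not code from the post or from the 404 to 301 plugin; the log lines are constructed in the Apache/nginx "combined" format and use documentation IP ranges.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" log format; the IPs are from
# documentation ranges and the requests are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2016:08:01:02 +0000] "GET /wp-includes/SimplePie/Net/IPv7.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2016:08:01:03 +0000] "GET /wp-content/plugins/old-plugin/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2016:08:01:04 +0000] "GET /wp-content/uploads/2014/old.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2016:08:05:10 +0000] "GET /2016/02/some-post/ HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2016:08:05:11 +0000] "GET /wp-content/themes/mytheme/style.css HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2016:08:05:12 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (ip, path, status) for a combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))

def find_probing_ips(log_text, min_distinct_404s=3):
    """Flag source IPs that collect at least min_distinct_404s distinct 404 paths under
    the WordPress system directories (wp-includes, wp-content, wp-admin).  A browser
    fetching a missing favicon does not trip this; a scanner walking a checklist does."""
    misses = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        if status == 404 and path.startswith(("/wp-includes/", "/wp-content/", "/wp-admin/")):
            misses[ip].add(path)
    return {ip: sorted(paths) for ip, paths in misses.items()
            if len(paths) >= min_distinct_404s}

if __name__ == "__main__":
    for ip, paths in find_probing_ips(SAMPLE_LOG).items():
        print(ip, "requested", len(paths), "missing WordPress paths:", paths)
```

Tune the threshold to your own traffic; a handful of distinct misses in one log rotation is noise on a busy site, and the flagged addresses are what you would feed into a firewall or WordFence block list.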
By the way, if you’re looking for a backup solution for your WordPress site, consider the UpDraft plugin, which can use a whole range of storage destinations including S3, Dropbox, Google Drive, Rackspace, FTP, SFTP, WebDAV, and email, and can back up either manually or automatically. It can also duplicate and migrate sites, and twice since I installed UpDraft it has saved my bacon. And for added security you might consider installing Plugin Vulnerabilities, which checks your installed plugins against a list of plugins with known security issues and warns you when new issues appear.
But given the risks of getting hacked, which range from site defacement, through the theft of sensitive data, to becoming a source of malware for your visitors, you have to ask yourself whether you can still afford the time and effort to effectively secure your site and, even more importantly, if sensitive data could be exposed, whether you can afford the risk of remediation and possible litigation. Note that cyber-insurance, which sounds like a good hedge against disaster, may not work unless you can prove that you have exercised “due care,” something that may be tricky given the issues involved.
For WordPress sites you can create a local or otherwise secured version of your site (i.e. not publicly accessible), save it as static HTML files, and upload those to your public site. This may or may not work depending on all sorts of factors but it is definitely worth trying for sites without dynamic content that depends on backend services at runtime (see Creating a static copy of a dynamic website, which discusses the gotchas involved); it will also make your site much faster!
There are also plugins for automatically creating static content from WordPress installations, such as Really Static and Simply Static, that may be useful (I have to note I haven’t tried either, so if you have any thoughts on what works and what doesn’t, please let me know).
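The commonest gotcha with a static copy is that pages still point at PHP endpoints (comment forms, search, admin-ajax) that no longer exist once there is no WordPress behind them. The check below is an added example, not code from the post or from either plugin; it scans an exported page for those leftovers so you know what to strip or replace before uploading. The sample HTML is constructed for the example.

```python
import re

# WordPress endpoints that only work with PHP and the database behind them; in a
# static copy they are dead links at best and the reason the copy "doesn't work".
DYNAMIC_ENDPOINTS = ("wp-login.php", "admin-ajax.php", "wp-comments-post.php",
                     "xmlrpc.php", "wp-cron.php")

# Constructed sample page, as a WordPress theme might render it; not from any real site.
SAMPLE_HTML = """<html><body>
<a href="/about/">About</a>
<form action="/wp-comments-post.php" method="post"><textarea name="comment"></textarea></form>
<form role="search" action="/" method="get"><input name="s"></form>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script>var ajaxurl = "/wp-admin/admin-ajax.php";</script>
</body></html>"""

FORM_RE = re.compile(r'<form\b[^>]*>', re.I)
ACTION_RE = re.compile(r'\baction\s*=\s*["\']([^"\']*)["\']', re.I)

def find_static_gotchas(html):
    """Return {"forms": [action, ...], "endpoints": [name, ...]} describing the
    dynamic features in a page that will not function once it is served as a flat file.
    Every <form> is reported (a static host has nothing to receive a submission), plus
    any reference to the WordPress PHP endpoints listed above."""
    findings = {"forms": [], "endpoints": []}
    for form_tag in FORM_RE.findall(html):
        m = ACTION_RE.search(form_tag)
        findings["forms"].append(m.group(1) if m else "(no action)")
    for endpoint in DYNAMIC_ENDPOINTS:
        if endpoint in html and endpoint not in findings["endpoints"]:
            findings["endpoints"].append(endpoint)
    return findings

if __name__ == "__main__":
    report = find_static_gotchas(SAMPLE_HTML)
    print("forms that will have nowhere to post:", report["forms"])
    print("WordPress PHP endpoints still referenced:", report["endpoints"])
```

Run it over every file in the export directory; an empty report for all pages is a reasonable sanity check that the copy will behave as static content.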
I’ve also been looking at a few interesting alternatives that skip the whole WordPress aspect and generate flat content from templates. If you haven’t taken a look at Jekyll and Cactus (the latter is for OS X only) and you’re starting a new Web project, these are approaches definitely worth considering. For more tool options, check out StaticGen, a great curated list of static site generators.