The bloody battle of website defacement: ‘ISIS’ hackers vs. WordPress

Police and the FBI are investigating defacement attacks on numerous North American websites in which attackers placed an ISIS flag banner on website home pages and played an Arabic song in the background, as reported by NBC News.

The sites appear to have one thing in common: they are all built on the WordPress content management platform.

WordPress is by far the most popular CMS. As of February 2015, over 23% of the websites in the world are built on WordPress. WordPress is an open-source platform that offers thousands of third-party plugins, which leaves it extremely vulnerable: hundreds of thousands of web-based attacks are executed against it every year.

In 2014 a bug in MailPoet, a WordPress mail plugin, resulted in 50,000 sites being hacked via an injected PHP backdoor. SoakSoak, one of the most publicized WordPress attacks of 2014, took advantage of a bug in a popular slider plugin, and as a result over 100,000 sites were hacked. More recently, Slimstat, an analytics plugin, was found to be vulnerable to attacks, exposing over 1M WordPress websites.

According to NBC, the alleged ISIS attacks were carried out by mainstream hackers who used the ISIS name to gain attention. They executed a defacement attack, in which hackers change the appearance of a web page.

Defacement is executed either via a web-based attack such as SQL injection, which introduces malware that changes the site's appearance, or via malware introduced from inside the network, for example by an employee spreading it from a flash drive. The malware then scans the internal network for web servers and, once it finds them, changes their IP to the attacker's server IP, directing visitors to the attacker's servers.

Eliminating Defacement in WordPress sites

Eliminating defacement attacks on a WordPress site is extremely difficult because of the vulnerable nature of the platform. Administrators should continuously check for the appearance of unknown files and directories and monitor existing files for changes.
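One way to implement the check described above is a file-integrity baseline: hash every file in the WordPress install after a clean deployment, re-hash on a schedule, and alert on anything added, modified or removed. This is an added example, not code from the original post or from any WordPress project; the directory layout it builds is a constructed stand-in for a real install, and the rule that flags PHP files under wp-content/uploads is an assumption that that directory should contain media only.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path):
    # Hash in chunks so large media files in wp-content/uploads stay out of memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(baseline, current):
    """Compare a trusted baseline with a fresh snapshot; any difference is an alert."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}

def php_in_uploads(paths):
    """Flag PHP files under wp-content/uploads (assumption: media-only directory)."""
    return sorted(p for p in paths
                  if p.startswith("wp-content/uploads/") and p.endswith(".php"))

def demo():
    """Constructed WordPress-like tree: take a baseline, then simulate a defacement."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';")
        (root / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline = snapshot(root)  # taken right after a clean install
        # Simulated tampering: home page replaced, PHP file dropped into uploads.
        (root / "index.php").write_text("<html>defaced</html>")
        (root / "wp-content" / "uploads" / "x.php").write_text("<?php // dropped file")
        report = diff_snapshots(baseline, snapshot(root))
        report["php_in_uploads"] = php_in_uploads(report["added"])
        return report

if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored off the web server (an attacker who can write to the document root can also rewrite a baseline kept there), and the scheduled run would feed its report into whatever alerting the site already uses.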

Patching: the most conventional and straightforward approach is patching. WordPress and its plugin providers issue patches that fix security bugs once they are discovered. Security administrators and website administrators should always keep WordPress and its plugins updated to the latest versions.

However, patching does not guarantee security because it cannot protect against zero-day attacks. Both the SoakSoak and the MailPoet attacks were undocumented zero-day exploits. These vulnerabilities were unknown prior to the event, and the plugin providers were obviously not prepared with a patch. Once a zero-day vulnerability is discovered, security managers and website owners are exposed to attacks until a patch is, hopefully, provided.

Read-only Web Server Account: Web administrators can reduce the risk of defacement by limiting the web server account to read-only permissions.

Using Security Solutions

Following best practices may eliminate SQL injection, but it will not prevent other exploits, such as an unhardened web server allowing hackers to obtain WordPress administrator permissions.

Security solutions offer the most comprehensive and advanced options for eliminating zero-day defacement attacks. They monitor web pages for changes and generate alerts at any sign of potential defacement. Some of their features are: