Most people assume that if their website has been compromised, there must have been an attacker evaluating their site and looking for a specific vulnerability to hack.
Under most circumstances, however, bad actors don’t manually hand-pick websites to attack, since that is a tedious and time-consuming process. Instead, they rely on automation to identify vulnerable websites and execute their attacks. The unfortunate reality is that websites big and small are targeted daily, and the majority of these attacks are automated.
Automation is popular with bad actors for a number of reasons:
- It’s easier to compromise many sites rapidly rather than on an individual basis, which allows for mass exposure.
- Overhead is reduced when you can identify vulnerable websites and execute a compromise simultaneously.
- Odds of success are increased when the compromised host and the attacker can communicate quickly.
- Tools are readily available, making it an accessible method for inexperienced users.
To help small website owners mitigate the risk of a compromise through automated attacks, I have outlined a couple of techniques below.
Patch Outdated Software
Most attacks are performed by bots that scrape lists of websites and check for a range of common vulnerabilities that can be easily exploited. The majority of these attempts are for vulnerabilities that have already been disclosed and made public but the users have not updated their software fast enough.
A good example of this is the RevSlider plugin vulnerability from 2014. Even today, it’s still commonly exploited by attackers, but users are either not aware of it and don’t update the plugin, or the RevSlider components are included with the theme so users have to update the theme, which causes problems.
Many themes (even premium ones like Newspaper and Newsmag) were abandoned long ago; their authors no longer update them, which makes patching vulnerabilities impossible unless the owner of the website is willing to hire a developer. Some premium themes do get updated, but often the user has to buy the new version or patch the one they have, which might not be as simple as updating it via the WordPress dashboard.
The issue is not exclusive to WordPress; the same goes for other content management systems. Joomla has had quite a few vulnerabilities, and upgrading it is harder for users.
Our remediation team often sees websites that have been compromised because their Joomla CMS is very outdated.
In many instances, we even see Joomla websites running outdated JCE components, which have been known to be vulnerable for a few years. Unfortunately, website owners are still not aware of the vulnerability and don’t update their CMS, leading to exploits and compromised websites.
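The common thread in the examples above is software that is installed but never inventoried, so nobody notices it has fallen behind a fixed release. The following is an added example, not code from this post or from Sucuri: it reads the standard WordPress plugin header block (the `Plugin Name:` and `Version:` lines at the top of a plugin's main PHP file) and compares each installed version against a minimum-safe table. The plugin sources and the table are constructed for the demonstration; the version numbers in the table are placeholders, not real advisory data, and `None` stands for a component whose author never shipped a fix.

```python
"""Inventory WordPress plugin versions and flag anything below a fixed release.

Added example (not from the post or from Sucuri). Assumes only the standard
WordPress plugin header format. MIN_SAFE_VERSION is a constructed policy table:
the numbers are PLACEHOLDERS to be replaced from the vendor's changelog.
"""
import re

# slug -> first version that contains the fix; None = no fixed release exists.
MIN_SAFE_VERSION = {
    "revslider": "99.0.0",           # PLACEHOLDER, not a real fixed version
    "example-plugin": "1.0.0",       # constructed
    "abandoned-theme-bundle": None,  # constructed: author stopped shipping updates
}

# Matches "Plugin Name: X" or "Version: X" lines, with or without a leading "*".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

# Constructed plugin sources standing in for wp-content/plugins/<slug>/<slug>.php
SAMPLE_REVSLIDER = """<?php
/*
Plugin Name: Slider Revolution
Version: 1.2.3
*/
"""
SAMPLE_OK = """<?php
/**
 * Plugin Name: Example Plugin
 * Version: 1.4.0
 */
"""
SAMPLE_PLUGINS = {
    "revslider": SAMPLE_REVSLIDER,
    "example-plugin": SAMPLE_OK,
    "abandoned-theme-bundle": SAMPLE_OK,
}


def parse_plugin_header(php_source):
    """Return {'plugin_name': ..., 'version': ...} from a plugin header block."""
    return {key.lower().replace(" ", "_"): value
            for key, value in HEADER_RE.findall(php_source)}


def version_tuple(v):
    """'4.6.5' -> (4, 6, 5); non-numeric suffixes are dropped, so '1.2b' -> (1, 2)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def check_plugin(slug, php_source):
    """Return (slug, installed_version, verdict) for one plugin."""
    installed = parse_plugin_header(php_source).get("version", "0")
    if slug not in MIN_SAFE_VERSION:
        return (slug, installed, "unknown")          # not in the policy table: review manually
    fixed = MIN_SAFE_VERSION[slug]
    if fixed is None:
        return (slug, installed, "unpatched: no fixed release, remove or replace")
    if version_tuple(installed) < version_tuple(fixed):
        return (slug, installed, f"outdated: update to >= {fixed}")
    return (slug, installed, "ok")


def audit(plugins):
    """plugins: {slug: php_source}. Returns only the entries that need attention."""
    return [r for r in (check_plugin(s, src) for s, src in plugins.items()) if r[2] != "ok"]


if __name__ == "__main__":
    for slug, installed, verdict in audit(SAMPLE_PLUGINS):
        print(f"{slug:24} {installed:8} {verdict}")
```

On a real server the dictionary would be built by reading the main PHP file in each directory under `wp-content/plugins/`; the check is deliberately independent of the dashboard so it also catches components bundled inside a theme, which the dashboard will never offer to update.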
Protect the Backend
Protecting your administrator interface from brute force attacks can be pretty simple and can help deter automated attacks.
A good solution would be to add multifactor authentication (such as 2FA) to your admin area so that bots cannot get in simply by guessing the username and password. This adds another authentication factor that only the user trying to access the admin area possesses, such as a cellphone that receives the token needed to complete the authentication.
There are other methods to add protection to the site’s backend that may not be as user-friendly as a plugin but can also increase security, such as:
- Setting up a hidden token on protected pages, which can be as simple as a hidden form field that human users never see but bots do. When a bot fills in the field, the request can be identified as coming from an unsolicited bot.
- Configuring an .htaccess file to allow only a list of IP addresses (pretty hard to maintain if your IP address changes too often).
- Using an htpasswd file along with the .htaccess to add another authentication layer to the admin page: http://httpd.apache.org/docs/current/howto/auth.html (this doesn’t count as 2FA, since the password is not something that the user possesses).
Joomla 3 already includes 2FA in the CMS, but it needs to be set up. Their documentation shows how to do that and how to enable it on the forms you need: https://docs.joomla.org/J3.x:Two_Factor_Authentication
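The first two items in the list above can be expressed as a single server-side gate that runs before any password is looked up. The code below is an added example, not Sucuri's code and not a WordPress or Joomla plugin: it implements the IP allowlist in application code rather than in .htaccess, and a honeypot field that is rendered off-screen so a person never fills it. The field name `website_url`, the allowlist (RFC 5737 documentation ranges) and the sample form submissions are all constructed.

```python
"""Admin login gate: IP allowlist plus honeypot field.

Added example (not from the post, Sucuri, WordPress or Joomla). The allowlist,
the honeypot field name and the request data are constructed for illustration.
"""
import ipaddress

# Constructed allowlist using documentation-only address ranges.
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Assumed field name. Give it a plausible name so form-filling bots complete it.
HONEYPOT_FIELD = "website_url"

# Off-screen rendering: a browser user never sees or tabs into this field.
# Do not use type="hidden"; bots often skip those but fill visible text inputs.
HONEYPOT_HTML = (
    '<div style="position:absolute;left:-9999px" aria-hidden="true">'
    f'<label for="{HONEYPOT_FIELD}">Leave this field empty</label>'
    f'<input type="text" id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}" '
    'tabindex="-1" autocomplete="off">'
    "</div>"
)


def ip_allowed(client_ip, allowlist=ADMIN_ALLOWLIST):
    """True if client_ip falls inside any allowlisted network.

    client_ip must be the TCP peer address; only trust X-Forwarded-For when the
    request arrived from a proxy you control, otherwise it is attacker-supplied.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowlist)


def honeypot_tripped(form):
    """A real user never sees the field, so any non-blank value marks a bot."""
    return bool(form.get(HONEYPOT_FIELD, "").strip())


def gate_admin_login(client_ip, form):
    """Return (allowed, reason). Runs before credential checks so a rejected bot
    costs no database work and learns nothing about which usernames exist."""
    if not ip_allowed(client_ip):
        return False, "ip not in allowlist"
    if honeypot_tripped(form):
        return False, "honeypot field filled"
    return True, "proceed to credential and 2FA checks"


if __name__ == "__main__":
    # Constructed submissions: a legitimate user, an off-list address, and a bot.
    print(gate_admin_login("203.0.113.10", {"log": "editor", "pwd": "..."}))
    print(gate_admin_login("192.0.2.1", {"log": "editor", "pwd": "..."}))
    print(gate_admin_login("198.51.100.7", {"log": "admin", "pwd": "...",
                                            HONEYPOT_FIELD: "http://spam.example"}))
```

Both rejections should log the client address and return the same generic login page a failed password would, so the bot gets no signal about why it was refused; the allowlist check is the one to drop if your own address changes often, as the post notes.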
It doesn’t matter if you have a small blog or a large website with thousands of visitors. If you have outdated software, your website will be crawled by one of those malicious bots at some point.
Once that happens, the impact to your website can be detrimental. Your website may be put on a list of websites that have been flagged as vulnerable and compromised.
In most cases, the same bot that flagged your website will be able to exploit the vulnerability, upload malware through the security hole, and report back to the attacker. This allows the bot to further exploit the site, upload phishing pages, or use it in a spam campaign – none of which are good for your website or your visitors.
Soon after a website has been compromised by an automated attack, Google and other search engines will crawl it and (in most cases) detect there is malware. This can lead to blacklisting, negative impacts to your traffic, and poor rankings.
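The scanning described above leaves a recognisable trace in the web server's access log well before the search engines notice anything: one address requesting a run of component paths that do not exist on your site, followed by repeated login POSTs, with no Referer on any request. The script below is an added example, not from this post or from Sucuri, that flags that pattern. The log lines are constructed in Apache combined format with documentation IP addresses, and the probed paths are typical plugin and component locations used only as illustrations.

```python
"""Flag automated probing in an Apache combined-format access log.

Added example (not from the post or from Sucuri). SAMPLE_LOG is constructed;
thresholds are starting points to tune against your own traffic.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one scanner probing for files this site does not have,
# then hammering the login form, and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2018:10:01:02 +0000] "GET /wp-content/plugins/revslider/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2018:10:01:02 +0000] "GET /components/com_jce/jce.xml HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2018:10:01:03 +0000] "GET /administrator/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2018:10:01:03 +0000] "GET /wp-login.php HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2018:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2018:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2018:10:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2018:10:02:05 +0000] "GET /about/ HTTP/1.1" 200 4210 "http://example.test/" "Mozilla/5.0"
"""


def parse_log(text):
    """Yield one dict per parseable line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def find_scanners(text, min_requests=4, max_404_ratio=0.5, login_posts=2):
    """Return {ip: [reasons]} for clients whose traffic looks automated."""
    by_ip = defaultdict(list)
    for rec in parse_log(text):
        by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        if len(recs) < min_requests:       # too little traffic to judge
            continue
        reasons = []
        ratio = sum(r["status"] == 404 for r in recs) / len(recs)
        if ratio >= max_404_ratio:
            reasons.append(f"{ratio:.0%} of requests were 404s (probing for components not installed here)")
        posts = sum(r["method"] == "POST" and r["path"].endswith("/wp-login.php") for r in recs)
        if posts >= login_posts:
            reasons.append(f"{posts} login POSTs in the window")
        # Missing Referer everywhere is normal for scripts, rare for browsers;
        # used only to support another signal, never on its own.
        if reasons and all(r["ref"] == "-" for r in recs):
            reasons.append("no Referer on any request")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in find_scanners(SAMPLE_LOG).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

Run against a real log the same function takes the file contents; a hit is a prompt to confirm that every component the scanner asked about is either absent or patched, which is exactly the check the sections above ask for.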
Password Management
Using insecure or simple passwords for your administrator interface, FTP, or control panel can also lead to your website being compromised.
I would highly recommend using a password manager that can generate a strong password for you. The password manager should keep your passwords encrypted, complex, and unique. There is no need to remember them. You just need to know the password for your password manager in order to access the others.
A number of popular password managers exist, but I recommend KeePass, as it’s free and open source, works on a large variety of platforms, and doesn’t store your data in the cloud.
I have included another article that can help you further secure your WordPress installation:
https://blog.sucuri.net/2012/06/how-to-stop-the-hacker-by-hardening-wordpress.html
Conclusion
Just because a website is small and has less traffic (i.e., visitors) doesn’t mean that bots won’t find it and exploit it. My recommendation is to keep all software up to date, harden your content management system, and use a password manager to generate long and complex passwords for your website. There is no need to share passwords, since they are all stored in the password manager anyhow.
Patching is not always easy or possible, especially in recent years. Attackers are moving faster. Once an exploit has been made public, it only takes them a couple of days before their bots start crawling the internet looking for vulnerable websites.
If you’re searching for an easy security solution, the Sucuri Firewall can virtually patch your website, giving you time to update it. As long as you are behind the firewall, you won’t have to worry about whether you’re protected or have patched your website fast enough. We always recommend using a WAF as an additional layer of protection on your website.