Disable This Function NOW, Or Be Held To Ransom
Did you know that you can post to your WordPress website remotely from your portable devices?
Did you know that this function is highly vulnerable? If you don’t use this feature, then ensure that the people responsible for looking after your website disable or remove it immediately.
Over the past few weeks, 35% of the world’s websites (currently approximately 455 MILLION websites) have been updated to a new, revised release of WordPress and upgraded to the latest PHP version (the underlying code that WordPress runs on).
A substantial number of website owners and developers still have not updated their websites, systems or plugins.
This vulnerability is rapidly being exploited by those who practise the dark art of computer hacking, undertaking brute-force attacks on unsuspecting website owners such as you. They intend to prevent access to your site through denial of service and charge a ransom of $200 upwards to release the site.
Now, wouldn’t that be embarrassing if it happened to you? Before you say it won’t happen to you, be aware that YOU are precisely the target they are looking for: The Unaware.
Although a ransom of $200 is relatively low, the cost of losing trade and reputation is much higher. You may be held liable, especially if your customers are directly targeted and incur a loss because you failed to take appropriate preventative action.
What are the chances of it happening to me?
The chance of an attack happening to you is relatively high, especially if you have a WordPress website that has little or no security, is poorly maintained, or is hosted on the cheapest provider you could find. Here’s an insight into how prolific this hack is at the moment:
- In the last 30 days, attacks have increased from 90 million per day to over 170 million per day globally.
- Over the previous seven days on my website alone, I have been targeted eleven times, by bedroom hackers from all four corners of the globe (Germany, USA, Japan, Italy), using this simple method.
Unfortunately for the bedroom hackers, I am security conscious and aware of such activities and take proactive, preventative action to keep unwanted visitors out.
Note: This is not an open invitation to test or challenge my site as ALL websites regardless of systems in place can be hacked, as ‘NordVPN’ are well aware. Where there’s a will, there is a way.
Managed service providers should provide essential basic security as a standard, and not as an optional extra.
What steps can I take?
Prevention is much better than cure, that’s for sure. Follow these simple steps to configure your system:
- Upgrade to the latest WordPress and PHP version.
- Update your plugins, themes and languages.
- Ensure you have an SSL certificate on your site; look for the padlock next to your domain in the browser’s address bar.
- Ensure you are using a decent firewall and security system. My recommendation is Wordfence, a great all-rounder. The freemium version is excellent and will serve most customers well. Those who want top-notch security can subscribe to the premium version.
- Hide the WordPress default admin panel login URL.
- Enforce 2FA (two-factor authentication), and also enforce 2FA on xml-rpc (the remote-publishing interface used for posting from a mobile device).
- Disable xml-rpc if the remote posting function is not in use.
- Create regular backups.
- If in doubt, call your managed service provider, or give me a shout.
The above steps will keep all but the most determined out of your site. For those with managed services such as those offered by Twisted Spire, all of the above should come as standard with your monthly hosting fee.
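The brute-force traffic described above leaves a clear trace in the web server’s access log: bursts of POST requests to xmlrpc.php from a single source. The following script is an added example (not part of the original article, and not Wordfence code) that scans Apache-style combined log lines and flags sources exceeding a threshold of xmlrpc.php POSTs within a sliding time window; the log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:10:00:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WordPress/5.7 (mobile)"
198.51.100.7 - - [10/Mar/2021:10:00:40 +0000] "POST /xmlrpc.php?for=mobile HTTP/1.1" 200 412 "-" "WordPress/5.7 (mobile)"
198.51.100.7 - - [10/Mar/2021:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2021:10:02:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.68.0"
"""

# Only the fields needed for this check are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_xmlrpc_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_posts} for every source that sent more than `threshold`
    POST requests to /xmlrpc.php inside any period of length `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/xmlrpc.php":
            continue  # query strings are stripped so ?for=mobile still counts
        events[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))

    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until all events fit inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in flag_xmlrpc_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} xmlrpc.php POSTs, exceeds threshold")
```

A legitimate mobile-app user posting a couple of times a minute stays under the threshold, while the burst from the first address is reported; tune `threshold` and `window` to your own traffic before acting on the output.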
What steps to take if you are compromised
Suppose you are unfortunate enough to have been affected. In that case, it is your responsibility to take steps to stop the spread of infection. And it’s a bit more than ‘Stay Safe. Wash Hands. Stay 2m Apart’.
- Get help, contact your managed service or host provider.
- Inform any clients who might be affected. Your customers may be targeted through phishing attacks by the hackers pretending to be you.
- Report the cybersecurity incident to the police and to Action Fraud, online or by telephone on 0300 123 2040.
- Under the General Data Protection Regulation (GDPR) rules, it is mandatory that you also report data breaches to the Information Commissioner’s Office (ICO) within 72 hours.
IF you get your site back
Any proficient hacker who has managed to gain entry to your site will almost certainly leave open another means of entry, allowing them to regain access by a different route from the one they originally used.
- Re-install from a backup
- Change passwords and enforce 2FA
- Update all settings
- Take proactive and preventative steps to stop repeat performances.
- Scan your website for vulnerabilities and malware.
- Close all known vulnerabilities.
- Consider using Cloudflare, a content delivery network.
- Use Sucuri, excellent for cleaning up AFTER a site has been hacked.
- Create a new backup
Summary
Denial of Service attacks are becoming more frequent and can cause you irreparable damage.
Prevention is better than cure. It must be stressed that it is impossible to protect yourself 100% from DDoS attacks, as you have little control over who comes to your website. Still, you can take preventative action by following the above steps, improving your site security and avoiding cheap hosting where the service level is low and the client base is high. If you are prepared for a DDoS attack, then when, not if, it occurs, you will be much less likely to suffer.
If you enjoyed this article and found it useful, then you will love the WordPress managed hosting service from Twisted Spire, where security comes as standard, not an optional extra. Connect on LinkedIn with TwistedSpire.