We recently were one of over 100,000 websites affected by malware (Malicious Software) that infiltrated our family of websites and added us to the 11,000 websites that were blacklisted by Google. We’re in the clear, now, but it was a rough weekend.
How did this happen?
Our websites are designed using WordPress, a very popular CMS (Content Management System). You can enhance the user experience by installing plugins. A plugin that we use for the image sliders you see on the homepage was exploited by nefarious individuals, hoping to infect as many computers as they could with malware.
Why did this happen?
Very good question. The image slider we use is a very popular and trusted plugin (over 100,000 other sites were potentially affected because they use the same plugin). The popularity of the plugin is likely why it was chosen as the delivery mechanism for the malware. This is a situation that anyone could have fallen victim to.
How was it fixed?
Fortunately, the infection was well publicized (as are most high profile attacks), we were hit Sunday afternoon, and by Monday morning the solution to the security issue had been posted online. At that point, it was a matter of deleting the dangerous bits of code that had been planted in our website installations.
What steps can be taken to prevent this from happening again?
It’s pretty well understood that everyone should be using strong passwords and not using the same password on multiple sites. Even though this attack wasn’t due to password hacking, we changed all user passwords. We’ve invested in malware detection software. We’ve also instituted a more rigorous vetting policy for plugins or software we install on our network.
How can I protect my website from similar attacks?
Even taking every precaution possible doesn’t guarantee you’ll be 100% safe. That being said, we learned the hard way and would recommend you do the following.
Use strong passwords – Use a password generator that uses a mix of uppercase, symbols, and alphanumeric characters. Make them as long as you can, 15 character’s in length or longer.
Limit access – The fewer people who have access, the stronger your website. Limit how many people, and who, have access to login.
Check your hosting provider – Many hosting providers offer free or discounted site security solutions. Normally this is software that scans your databases for infections.
Research plugins – Make sure to read reviews and make sure the plugin is reliable and safe.
Stay informed – Read the official WordPress blog for known security issues and add tech blogs into your web-surfing routine.
Web security is more important than ever today. It seems like every day another large corporation is hacked, compromising thousands of people’s personal information. Take a moment and review the security of your website now, before you’re a statistic.
TKO Tech Talk is a column written by Eric Benge, who has over 10 years experience in the design and print industries. Technology changes rapidly, the advice or information included in these articles is considered accurate and helpful as of the date they are posted online. If you have any questions, technology related or otherwise, please contact us.