If you run a WordPress site, you know that criminals around the world would love to use it to spread malware.
Last month, F-Secure Labs spike in “Flash redirectors” that automatically redirect the visitor to a site with the goal of infecting them with malware, in this case the Angler exploit kit. The source was compromised websites — specifically WordPress sites.
This isn’t a new find for the Labs but what is unique is one of the tactics of the attack — seeking out Wordpress usernames.
“After obtaining the username, the only thing that the attacker would need to figure out is the password,” Patricia from The Labs explains. “The tool used by the attacker attempted around 1200 passwords before it was able to successfully login.”
If you happen to have one of those passwords, bam. You site is serving up malware, which is not only harmful to your visitors, it can cost you tons of traffic as Google delists you.
Keeping your server and plugins up to date is essential for avoiding most attacks. Beyond that, this attack points to the need to both protect your WordPress username AND always use a unique, strong password.
“Furthermore, in order to defend against this kind of WordPress attack, you should not use a WordPress admin account for publishing anything,” Patricia notes.
You can also protect your server from enumeration attacks that discover the usernames of your bloggers. To see how to do that, visit our News from the Labs blog.
It’s pretty amazing what people can figure out about you with just your login and password. But when you’re running a website, which can be part or all of your livelihood, the only way to keep from handing criminals the key to your front door is to make sure your password can’t be figured out by anyone but you. And turn on two-step authentication if you haven’t already.
The absence of regulation is what has resulted in the innovation of software we see today.…
September 13, 2017