Most people assume that if their website has been compromised, there must have been an attacker evaluating their site and looking for a specific vulnerability to hack. Under most circumstances however, bad actors don’t manually hand-pick websites to attack since it’s a tedious and time consuming process. Instead, they rely on automation to identify vulnerable websites and execute their attacks. The unfortunate reality is that websites big or small are targeted daily and the majority of these attacks are automated.
Automation is popular with bad actors for a number of reasons:
- It’s easier to compromise many sites rapidly than to work through them one at a time, which allows for mass exposure.
- Overhead is reduced when the same tool identifies a vulnerable website and compromises it in a single pass.
- The odds of success increase when the compromised host can report back to the attacker quickly.
- Tools are readily available, making it an accessible method for inexperienced users.
To help small website owners mitigate the risk of a compromise through automated attacks, I have outlined a few techniques below.
Patch Outdated Software
Most attacks are performed by bots that scrape lists of websites and check for a range of common vulnerabilities that can be easily exploited. The majority of these attempts are for vulnerabilities that have already been disclosed and made public but the users have not updated their software fast enough.
A good example of this is the RevSlider plugin vulnerability from 2014. Even today it is still commonly exploited, because site owners are either unaware of it and never update the plugin, or the RevSlider components were bundled with a theme, so the only way to get the fix is a theme update that the theme author may never ship.
Many themes (even premium ones like Newspaper and Newsmag) were abandoned long ago; their authors no longer update them, which makes patching vulnerabilities impossible unless the owner of the website is willing to hire a developer. Where a premium theme is still updated, the user often has to buy the new version or patch the copy they have by hand, which is not as simple as clicking update in the WordPress dashboard.
The issue is not exclusive to WordPress; the same goes for other content management systems. Joomla has had quite a few vulnerabilities, and upgrading it is often harder for users. Our remediation team regularly sees websites that were compromised because their Joomla installation is badly outdated. In many instances we even see Joomla websites running outdated JCE components, which have been known to be vulnerable for years. Site owners are still not aware of the vulnerability and don’t update their CMS, so the sites get exploited and compromised.
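The RevSlider case above shows why an inventory matters: a vulnerable copy can sit inside a theme directory where the plugin updater never looks. The script below is an added example, not code from the Sucuri post; it walks a wp-content directory, lists every directory carrying a given plugin slug (under plugins/ and inside themes/), reads the version from the plugin header, and flags copies below a minimum version. The minimum version is whatever the vendor advisory names; the `4.2` used in the usage comment is a placeholder, not a claim about the actual fixed release. It assumes the standard WordPress layout and a plugin main file with a `Version:` header line, and it uses only find, grep, sed and tr.

```sh
#!/bin/sh
# Added example (not from the Sucuri post): find every copy of a plugin under
# wp-content, including copies bundled inside themes, with its declared version.
# Assumes the standard WordPress layout and a "Version:" plugin header line.

# list_plugin_copies WP_CONTENT_DIR PLUGIN_SLUG
# Prints "<dir>\t<version>" per copy found ("unknown" when no header is present).
list_plugin_copies() {
    content_dir=$1
    slug=$2
    find "$content_dir/plugins" "$content_dir/themes" -type d -name "$slug" 2>/dev/null |
    while IFS= read -r dir; do
        # The plugin's main file carries a header block such as
        #   /* Plugin Name: ...  Version: 4.1.4 */   or   " * Version: 4.6.0"
        version=$(grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$dir"/*.php 2>/dev/null |
                  head -n1 | sed -E 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//')
        printf '%s\t%s\n' "$dir" "${version:-unknown}"
    done
}

# version_lt A B: exit 0 if dotted version A is lower than B (numeric per component,
# non-digits stripped, missing components treated as 0), exit 1 otherwise.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
        ai=$(printf '%s' "$ai" | tr -cd '0-9')
        bi=$(printf '%s' "$bi" | tr -cd '0-9')
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 1; fi
    done
    return 1
}

# outdated_copies WP_CONTENT_DIR PLUGIN_SLUG MIN_VERSION
# Prints the copies whose version is below MIN_VERSION or could not be read.
outdated_copies() {
    list_plugin_copies "$1" "$2" | while IFS="$(printf '\t')" read -r dir version; do
        if [ "$version" = unknown ] || version_lt "$version" "$3"; then
            printf '%s\t%s\n' "$dir" "$version"
        fi
    done
}

# Usage (MIN_VERSION is a placeholder; take the real value from the advisory):
#   outdated_copies /var/www/html/wp-content revslider 4.2
```

Copies reported inside themes/ cannot be fixed from the plugin screen; they need a theme update or a manual replacement of the bundled directory.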
Protect the Backend
Protecting your administrator interface from brute force attacks can be fairly simple and also helps deter automated attacks in general. One option is to add a CAPTCHA to the login form, so that a challenge has to be solved before a login is even attempted; bots that simply replay username and password guesses fail at that step.
I have also seen sites use a hidden token on protected forms (often called a honeypot field): an input that is hidden from real users but present in the HTML, where a bot filling in every field will find it. A human never fills it in, so any submission in which that field has a value can be treated as coming from an automated source and rejected.
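Before adding a CAPTCHA it helps to know whether the backend is actually being hammered. The script below is an added example, not part of the Sucuri post: it runs over a few constructed Apache/Nginx combined-format access log lines and counts POST requests to the login endpoints that bots target (wp-login.php, xmlrpc.php and Joomla's administrator/index.php) per client IP. The sample lines, the IP addresses and the threshold of four requests are all constructed for the example; tune the threshold against your own traffic.

```sh
#!/bin/sh
# Added example (not from the Sucuri post): count login POSTs per client IP in
# a combined-format access log to spot password guessing. Sample log lines are
# constructed; the threshold is an assumption to tune locally.

# Constructed sample access log (combined format).
SAMPLE_LOG='203.0.113.7 - - [10/Jun/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Jun/2018:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Jun/2018:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2018:10:01:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "python-requests/2.18"
192.0.2.44 - - [10/Jun/2018:10:01:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "python-requests/2.18"
192.0.2.44 - - [10/Jun/2018:10:01:01 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "python-requests/2.18"
192.0.2.44 - - [10/Jun/2018:10:01:01 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "python-requests/2.18"
192.0.2.44 - - [10/Jun/2018:10:01:02 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "python-requests/2.18"
192.0.2.44 - - [10/Jun/2018:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.18"'

# In combined format field 1 is the client IP, field 6 is the quoted method
# ("POST) and field 7 is the request path.

# login_post_counts < log
# Prints "<count> <ip> <path>" for every (ip, path) pair of POSTs to a login
# endpoint, highest count first.
login_post_counts() {
    awk '
        $6 == "\"POST" && $7 ~ /^\/(wp-login\.php|xmlrpc\.php|administrator\/index\.php)(\?|$)/ {
            n[$1 " " $7]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# suspicious_ips THRESHOLD < log
# Prints, one per line and sorted, the IPs that POSTed to a login endpoint at
# least THRESHOLD times across all endpoints.
suspicious_ips() {
    threshold=$1
    awk '
        $6 == "\"POST" && $7 ~ /^\/(wp-login\.php|xmlrpc\.php|administrator\/index\.php)(\?|$)/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip }
    ' t="$threshold" | sort
}

# Usage on the constructed sample (or: suspicious_ips 20 < /var/log/apache2/access.log):
#   printf '%s\n' "$SAMPLE_LOG" | suspicious_ips 4
```

xmlrpc.php is included because WordPress accepts authentication over XML-RPC as well, so a bot blocked on wp-login.php often just moves there.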
WordPress has quite a few plugins that can help protect your website with captcha and other security features. Here are a couple of recommendations for plugins that can be used to add captcha to your website:
Joomla 3 has captcha already integrated, however, it has to be set up. You can learn how to do that and enable it on the forms you need from their documentation: https://docs.joomla.org/J3.x:Google_ReCaptcha
If you would rather not use a CAPTCHA, you can put an additional password in front of your wp-admin or administrator directory using Apache’s authentication and authorization controls (HTTP Basic authentication with an .htpasswd file).
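Here is that Apache setup as an added example (not code from the Sucuri post). It generates an .htpasswd line with the Apache MD5 ("apr1") format via `openssl passwd`, and writes a wp-admin/.htaccess that demands Basic authentication while leaving admin-ajax.php reachable, because themes and plugins call that file for anonymous visitors and blocking it breaks front-end features. It assumes Apache 2.4 with AllowOverride enabled for the site and mod_auth_basic and mod_authn_file loaded; the paths, user name and password are placeholders. Basic authentication sends the password on every request, so only use it on an HTTPS site.

```sh
#!/bin/sh
# Added example (not from the Sucuri post): HTTP Basic auth in front of /wp-admin.
# Assumes Apache 2.4, AllowOverride active, mod_auth_basic + mod_authn_file,
# and openssl available. Paths, user and password below are placeholders.

# make_htpasswd_line USER PASSWORD
# Prints "user:$apr1$..." in the format Apache's file authentication accepts.
make_htpasswd_line() {
    user=$1
    password=$2
    printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$password")"
}

# wp_admin_htaccess HTPASSWD_PATH
# Prints the .htaccess body for the wp-admin directory.
wp_admin_htaccess() {
    htpasswd_path=$1
    cat <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $htpasswd_path
Require valid-user

# admin-ajax.php is requested by themes and plugins on behalf of anonymous
# visitors; keep it reachable or front-end features stop working.
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# install_wp_admin_auth SITE_ROOT USER PASSWORD HTPASSWD_PATH
# Writes the password file (owner-only permissions) and wp-admin/.htaccess.
# Keep HTPASSWD_PATH outside the document root and make it readable by the
# account Apache runs as (chown, or relax to 640 with the web server group).
install_wp_admin_auth() {
    site_root=$1
    user=$2
    password=$3
    htpasswd_path=$4
    (
        umask 077
        make_htpasswd_line "$user" "$password" > "$htpasswd_path"
    )
    wp_admin_htaccess "$htpasswd_path" > "$site_root/wp-admin/.htaccess"
}

# Usage (placeholders):
#   install_wp_admin_auth /var/www/html admin 'long random passphrase' /etc/apache2/wp-admin.htpasswd
```

For Joomla the same .htaccess goes into the administrator/ directory, without the admin-ajax.php exception.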
It doesn’t matter whether you have a small blog or a large website with thousands of visitors. If you run outdated software, one of those malicious bots will crawl your website at some point, and the impact can be severe. Your website may end up on a list of sites flagged as vulnerable and compromised.
In most cases the same bot that flagged your website will exploit the vulnerability, upload malware through the security hole, and report back to the attacker. That foothold lets the attacker further exploit the site, host phishing pages on it, or use it in a spam campaign, none of which is good for your website or your visitors. Soon after a website has been compromised by an automated attack, Google and other search engines will crawl it and in most cases detect the malware. This leads to blacklisting, lost traffic, and poor rankings.
Using insecure or simple passwords for your administrator interface, FTP, or control panel can also lead to your website being compromised.
I would highly recommend using a password manager that can generate strong passwords for you and stores them encrypted, so that every password can be complex and unique without you having to remember any of them. You only need to know the master password for the password manager itself.
A number of popular password managers exist; I recommend KeePass because it is free and open source, works on a large variety of platforms, and doesn’t store your data in the cloud.
Additional Techniques to Secure Your Website
You can also change the prefix of your database tables. This is possible in both WordPress and Joomla. The benefit is limited but real: malware and exploit code that hard-code the default table names (wp_users, wp_options and so on) will fail against a site using a different prefix. Anything that reads the prefix from the configuration file or goes through the CMS’s own database layer is unaffected, so treat this as a minor hardening step rather than a substitute for patching.
Here is how you can change the database prefix in Joomla: http://forum.joomla.org/viewtopic.php?t=912669
Our friends at WPBeginner also have a great tutorial on how to do that with WordPress: http://www.wpbeginner.com/wp-tutorials/how-to-change-the-wordpress-database-prefix-to-improve-security/
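The two tutorials above walk through the change by hand. As an added example (not code from the Sucuri post or from either tutorial), the script below generates the SQL for a WordPress prefix change and rewrites the `$table_prefix` line of wp-config.php. It covers the part people most often miss: renaming the tables alone is not enough, because the options table stores the role map under `<prefix>user_roles` and usermeta keys such as `<prefix>capabilities` and `<prefix>user_level` carry the prefix too, so those rows must be rewritten or every user loses their role. The old prefix `wp_`, the new prefix `x7k9_` and the table list are placeholders; nothing is executed against a database, the output is meant to be reviewed and run with a backup in hand.

```sh
#!/bin/sh
# Added example (not from the Sucuri post): generate the SQL for a WordPress
# table-prefix change and rewrite $table_prefix in wp-config.php.
# Prefixes and the table list are placeholders; nothing is executed here.

# Standard WordPress core tables without prefix. Plugins add their own tables,
# so in practice build the list from: SHOW TABLES LIKE 'wp\_%';
WP_CORE_TABLES="commentmeta comments links options postmeta posts terms termmeta term_relationships term_taxonomy usermeta users"

# prefix_change_sql OLD NEW [TABLE...]
# Prints RENAME TABLE statements for each table (core tables if none given),
# then the UPDATEs that move prefixed keys in options and usermeta.
prefix_change_sql() {
    old=$1
    new=$2
    shift 2
    tables=${*:-$WP_CORE_TABLES}
    # 1-based position of the first character after the old prefix, for SUBSTRING().
    cut=$(( ${#old} + 1 ))
    # "_" is a single-character wildcard in LIKE, so escape it in the old prefix.
    old_like=$(printf '%s' "$old" | sed 's/_/\\_/g')
    for t in $tables; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # options.option_name: wp_user_roles -> x7k9_user_roles
    printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
        "$new" "$new" "$cut" "$old_like"
    # usermeta.meta_key: wp_capabilities, wp_user_level, ... -> new prefix
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$cut" "$old_like"
}

# wp_config_with_prefix NEW < wp-config.php
# Prints wp-config.php with the $table_prefix assignment pointing at NEW.
wp_config_with_prefix() {
    sed "s/^\([[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*\)['\"][^'\"]*['\"]/\1'$1'/"
}

# Usage (placeholders):
#   prefix_change_sql wp_ x7k9_ $(mysql -N -e "SHOW TABLES LIKE 'wp\_%'" dbname | sed 's/^wp_//') > change.sql
#   wp_config_with_prefix x7k9_ < wp-config.php > wp-config.php.new
```

Run the SQL inside a transaction-free maintenance window with a fresh backup, swap wp-config.php last, and check that an administrator can still log in; if the options or usermeta UPDATE was skipped, the symptom is an admin account that lands on a dashboard with no menus.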
Just because a website is small and has little traffic (i.e. few visitors) doesn’t mean that bots won’t find it and exploit it. My recommendation is to keep all software up to date, harden your content management system, and use a password manager to generate long, complex passwords for your website. There is no need to reuse a password across sites since they are all stored in the password manager anyhow.
Patching is not always easy or even possible, and attackers have been moving faster in recent years. Once an exploit has been made public, it only takes a couple of days before their bots start crawling the internet looking for vulnerable websites.
If you’re searching for an easy security solution, the Sucuri Firewall can virtually patch your website, allowing you time to update your website. As long as you are behind the firewall, you won’t have to worry if you’re protected or have patched your website fast enough. We always recommend using a WAF as an additional layer of protection on your website.
*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Krasimir Konov. Read the original post at: https://blog.sucuri.net/2018/06/why-you-should-care-about-website-security-on-your-small-site.html