Looking after a WordPress website is about more than just finding somewhere to host it. Like a car, a website needs to be maintained and cared for if you want it to keep running. But what does that involve, exactly?
Have you updated your WordPress website yet? If not you need to do it now.
Last week a new version was launched – we’re now on WordPress 3.5.2 – and it’s a maintenance and security release. This version plugs seven security holes that exist in all previous versions of WordPress, so this is not an update you can ignore.
(Image: WordPress logo)
It also makes other security improvements to keep ahead of the hackers who like to try and take over your WordPress website, bring it down, or do the other things hackers do.
Why do I have to update WordPress?
Here at Moghill Towers we’re often going on about how if you have WordPress you must keep its software up to date – not just the core WordPress software but also any plug-ins you are using for extra things like forms or online shops.
Why? Because of the sheer number of business websites we see that are using out of date (and therefore vulnerable) versions of WordPress. And it’s not just WordPress: another piece of free software that is often left to go out of date and become vulnerable is Joomla.
And why is this happening? It’s usually not the fault of the business concerned, more that the business has been badly advised by whoever built their website.
Some website companies are happy to just sell businesses a website on a free software platform like WordPress without warning them that it needs to be maintained. Some web designers don’t even realise that updates are necessary.
But that’s like buying a car you never have to service: It would be a nice idea but it doesn’t really happen in the real world.
WordPress in particular is the most popular software for building websites in the world. It’s free at the point of use, can be extended to do whatever you want it to and made to look however you want it to.
We make no secret that we love WordPress and what it can do. We even like its cousin Joomla, too, which is also free but not as versatile.
But that popularity means it’s attractive to hackers, and that means you must keep it up to date. As recently as April there was a massive automated attack on WordPress websites around the world. If you were clued up on your security you were okay, but many sites fell victim.
The end result of not updating WordPress is that your company website gets hacked, and even if the reputation of your business is not damaged, you have to spend a lot of time restoring what you had, or re-building it completely.
And don’t think it doesn’t happen – in the last few weeks alone we have helped a couple of companies update and secure vulnerable web software that had been hacked.
That’s why we’ve taken it upon ourselves to spread the word and raise awareness of the problem.
Let us help with your WordPress site
We keep the website software of all our customers up to date – WordPress and plug-ins in particular – as part of our managed hosting package. Our sites were updated to WordPress 3.5.2 this morning.
We also offer a service where we can bring your WordPress software up to date for you if you don’t host your site with us – and we can also update Joomla websites to the latest version.
If you need help with updating your WordPress site then contact us for a chat.
As I write this, hosting companies all over the world are fighting off a huge attack on WordPress websites that has been going on for at least 24 hours.
Our sites were hit for about 20 minutes yesterday afternoon, but thankfully our hosting company has a solution so all our customer websites have been safe today.
How are the attacks happening?
Basically, the attacks are being conducted by an army of computers infected by a virus, known as a botnet.
They are simultaneously hitting thousands of WordPress login pages and trying to guess the password to get into the sites.
It is also cycling through various obvious usernames, but most of all it is trying the default ‘admin’ username.
(Image: Is Hacker Barbie responsible for the attacks?)
This is called a brute force login attack, and an estimated 90,000 IP addresses are involved.
What they will do if and when they actually get into websites is not known, but we’d expect the usual nasty surprises you get with a hacked WordPress site.
But a by-product of this attack is that it is slowing down websites all over the world, whether or not they use WordPress. Most websites are on shared hosting, and because WordPress is the most popular content management system in the world, most websites are bound to be sharing a server with WordPress sites.
The repeated login attempts basically cause everything on those servers to slow down.
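The attack described above is distributed across many source addresses, so a per-IP lockout never sees enough failures from any one address to trigger. As an added example (not from the original post), this script aggregates failed WordPress logins across all IPs per minute, using constructed Apache-style log lines; a failed login to wp-login.php re-renders the form with HTTP 200, while a success redirects with 302.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache combined-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:14:02:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2013:14:02:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Apr/2013:14:02:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Apr/2013:14:02:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Apr/2013:14:02:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:14:02:03 +0100] "GET /about/ HTTP/1.1" 200 15234 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:14:02:09 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def failed_logins(lines):
    """Yield (minute, ip) for each POST to wp-login.php that re-rendered the form (200 = failure)."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        rec = m.groupdict()
        if (rec["method"] == "POST" and rec["path"].startswith("/wp-login.php")
                and rec["status"] == "200"):
            yield rec["ts"][:17], rec["ip"]  # "12/Apr/2013:14:02" bucket


def max_attempts_per_ip(lines):
    """Highest failure count from any single IP: what a per-IP lockout plug-in would see."""
    per_ip = Counter(ip for _, ip in failed_logins(lines))
    return max(per_ip.values(), default=0)


def detect_distributed_bruteforce(lines, min_attempts=5, min_ips=3):
    """Return {minute: (failures, distinct_ips)} for minutes where failures arrive
    from many different addresses at once, i.e. a botnet-style login attack."""
    attempts, ips = Counter(), defaultdict(set)
    for minute, ip in failed_logins(lines):
        attempts[minute] += 1
        ips[minute].add(ip)
    return {m: (attempts[m], len(ips[m])) for m in attempts
            if attempts[m] >= min_attempts and len(ips[m]) >= min_ips}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("max failures from one IP:", max_attempts_per_ip(lines))
    print("suspicious minutes:", detect_distributed_bruteforce(lines))
```

In the sample no single address fails more than once, so a per-IP limit stays silent, while the per-minute aggregate flags five failures from five addresses.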
If you are one of our customers and you want to get into the back end of your site you may see a password prompt screen you have not seen before.
This is an extra layer of security placed by our hosting company.
The box says: “A username and password are being requested by http://www.your-site.co.uk. The site says: ‘Automatic Protection’.” It then gives the username and password you need.
For current status visit our system status page. Once you have entered these details you can log in as you normally would.
If you have access to the admin area of your site make sure you have a secure password.
Minimum password recommendations:
- At least 8 characters total
- Mixture of upper and lower-case letters
- Numbers and special characters, such as punctuation or other non-alphanumeric characters
Example weak password:
Improved strong password:
In the meantime we are watching the situation closely and will implement any suggested security improvements across our customer websites as part of our normal service.
Is WordPress not secure?
WordPress is fine but this attack tries to exploit the weakest link in any security system: The human factor.
If your site has a secure username and password then it will not fall victim to this attack. We never use the default ‘admin’ account in WordPress, and delete it where we come across it in WordPress installs done by anyone else.
The rest is down to our hosting company, who have added the extra layer of security to prevent unauthorised access to the login pages in the first place and are making sure all our sites stay live.
WordPress is popular, and therefore it is a target for attacks like this. That’s why it is vitally important that you keep your WordPress version and any plugins up to date.
The problem is not confined to WordPress as there are literally millions of Joomla websites on out of date versions that are just waiting to be hacked, too.
Silicon Republic: Major brute force attack against WordPress Under Way (Note: The Limit Login plugin suggested will not prevent these attacks because they come from multiple IP addresses).
Matt Mullenweg (WordPress co-founder): Passwords and brute force
Joomla is one of the most popular free content management systems in the world – but it has its drawbacks as a lot of people with Joomla sites are finding out right now in the cruellest way.
Thousands of owners of Joomla websites are waking up each day to find that their site has been taken down by their hosting companies, or replaced with what’s called a bragging message.
(Image: This charming fella is what hackers are placing over the homepage on vulnerable Joomla 1.5 sites. If you’re really unlucky you get music, too.)
Typically it’s this:
Hackeado por HighTech Brazil HackTeam
NoOne – CrazyDuck – Otrasher – L34NDR0
But if you’re really unlucky you get the nasty character in the picture and some hard rock tunes, or the clown who appears further down the page.
Here’s a report on the start of the hacking attack in early January, although it’s still going strong now.
So why are Joomla sites getting hacked?
The main reason why hackers are attacking Joomla sites is because they can. Where there is a vulnerability they will exploit it.
The current hacks seem to be coming from one group claiming an affiliation with LulzSec, who usually attack big business websites.
But practically anyone can hack a Joomla site: There are plenty of videos giving full instructions on YouTube.
The attacks are mainly confined to sites on the early versions of Joomla (1.0 and 1.5); later versions (2.5 and 3.0) appear unaffected. Two experimental versions, Joomla 1.6 and 1.7, are also vulnerable.
Joomla is created by a community of developers who work together to create this system, but from the end of last year that community stopped supporting the early versions and urged site owners to upgrade.
The problem is that it’s hard to upgrade. WordPress can (usually) be upgraded with a click of a button and the same is true of later versions of Joomla – but not the early versions. Upgrading those involves a migration, which can be a long and involved (and geeky) process.
Essentially it means building the site all over again.
(Image: Another example of a hacked Joomla site.)
And to make things worse, many web companies have been knocking out cheap Joomla websites for years with no provision for upgrading when the software is no longer supported.
Not just that, we know of several companies who were still building sites in Joomla 1.5 last year, when they should have been aware that support for the software would soon end.
These factors mean many site owners are sticking with their old versions of Joomla – and these are the ones who are getting hacked.
How is it happening?
At present the hackers appear to be targeting one particular Joomla add-on (or extension) called JCE editor, which is present in most Joomla installs as standard. The security hole was sealed last year, but the problem is that early versions of Joomla do not warn you about out of date extensions.
So if you have Joomla 1.0 or 1.5 and JCE installed, check you have the latest version. You can download the latest version of JCE Editor here.
Ashamed to say it, but we were caught out by this when one of our Joomla 1.5 websites was hacked in this way a few weeks ago. It took a whole day to clean the site up and get it live again, then close the security hole.
(Image: Joomla logo)
Thankfully it was not a customer site and we closed the same hole in all our other Joomla 1.5 sites and began migrating them so it does not happen to us again.
By the end of March we will not have any sites left in Joomla 1.5.
Why? Because this is likely to be the tip of the iceberg and more hacking attacks will come as more security holes are discovered.
The Joomla community no longer supports early versions so nothing will be done to stop the security holes. It’s called End of Life for a reason.
Joomla 1.0 or 1.5 site? Start planning now
So if you have a Joomla 1.0 or 1.5 site, our advice is you need to start planning either migrating it to a later version or into another content management system, such as WordPress.
It’s not the end of the world and early versions of Joomla may stay stable for years, but why take the risk?
Our hosting company, Heart Internet, is advising all owners of Joomla 1.x sites to upgrade as soon as possible and they aren’t the only ones.
Knowledge Republic has been documenting the stream of hackings for some time: Case Study on: www.pa.gov.sg being hacked by HighTech Brazil HackTeam. This also covers vulnerable WordPress installs, which we’ve talked about before.
For an alternative, and slightly less ‘The end is nigh’ view of things, this article from OsTraining weighs up the pros and cons of running outdated software.
How can I tell if my website is vulnerable to hacking?
This is relatively simple.
- Go to your website
- On a PC, right click on an area of blank space
- Select ‘View Source’ or ‘View Page Source’, depending on your browser.
You will see a stream of text, but very close to the top you will see the meta information. In Joomla 1.5 sites it usually says this:
<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />
If this is present you have a vulnerable site. Contact us if you want us to identify whether your site is vulnerable.
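The same generator-tag check, done on saved page source rather than by eye, as an added example that is not part of the original post. It parses the meta tags with Python’s standard HTML parser and reports whether the announced Joomla version is one of the unsupported releases named above (1.0, 1.5, 1.6, 1.7); the sample pages are constructed, not real sites.

```python
import re
from html.parser import HTMLParser

# Releases the post describes as end-of-life and under attack; 2.5 and 3.0 were still supported.
UNSUPPORTED = {"1.0", "1.5", "1.6", "1.7"}


class GeneratorFinder(HTMLParser):
    """Collect the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser already lower-cases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))


def check_site(html):
    """Return (verdict, version) from the generator tag of a saved page source.

    Verdicts: "unsupported", "supported", "joomla-unversioned" (a Joomla tag that
    does not announce a version, which newer releases may do), or "unknown".
    A missing tag is not proof the site is safe; it only means nothing is announced.
    """
    finder = GeneratorFinder()
    finder.feed(html)
    for generator in finder.generators:
        m = re.search(r"Joomla!?\s*(\d+\.\d+)", generator)
        if m:
            version = m.group(1)
            return ("unsupported" if version in UNSUPPORTED else "supported", version)
        if "joomla" in generator.lower():
            return ("joomla-unversioned", None)
    return ("unknown", None)


# Constructed sample page sources (not real sites).
OLD_SITE = ('<html><head><meta name="generator" content="Joomla! 1.5 - Open Source '
            'Content Management" /></head><body></body></html>')
NEW_SITE = ('<html><head><META NAME="Generator" CONTENT="Joomla! 2.5 - Open Source '
            'Content Management"></head></html>')
BARE_SITE = '<html><head><meta name="generator" content="Joomla! - Open Source Content Management"></head></html>'
NO_TAG = '<html><head><title>Hello</title></head></html>'

if __name__ == "__main__":
    for name, page in [("old", OLD_SITE), ("new", NEW_SITE), ("bare", BARE_SITE), ("none", NO_TAG)]:
        print(name, check_site(page))
```

Save your own site’s page source (View Source, then save) and pass its text to check_site; a site owner can run this against their own site without touching anything else.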
Got a Joomla site? We can help
If you’re one of those affected by this then we can help you weigh up what to do and plan for the future.
Contact us for a no obligation talk through the options. Whatever you decide to do, do something.
If you have a later Joomla site – version 2.5 or 3.0 there’s no need to do anything as both are actively supported and will continue to be until at least 2014. They are also far easier to upgrade.
Recently we’ve been asked to look at a few sites built in WordPress, and have been surprised to find the software is years – yes, years – out of date.
Allowing your WordPress website to drift like this is a bad move that can leave your site open to hackers who could bring it down or worse.
Your site could be taken off search results, your reputation could be damaged but most of all it will take a lot of time to clean up the mess.
WordPress is the most popular website platform in most of the world, with good reason.
It’s free for a start, but it can also be extended with the help of plug-ins, which allow custom functions like photo galleries or forums – just about anything you want.
(Image: WordPress gives you plenty of warnings about updates to itself and its plug-ins)
Another reason for its success is that WordPress is constantly moving forward, with a new version featuring improvements released every three to four months – the latest (3.5) was just last week – and sub versions to fix bugs and security issues in between.
Every major update also means the plug-ins have to change, too.
That popularity means lots of people who like to hack websites devote a lot of time to finding holes in WordPress. Hackers share information and once they find a hole they will tell lots of other hackers.
When this has happened in the past the WordPress community has been quick to close the security hole by rolling out a new update that fixes the problem.
Asking for trouble
But if you don’t apply the update your site is basically sitting there waiting to be hacked. And the hackers will be looking for you.
Now we are not trying to scare you, or put you off using WordPress, but if you or your web designer ignore this aspect of using WordPress then you are asking for trouble.
WordPress itself does its best to warn users of new versions, but it’s amazing how many people ignore the warnings.
Even Google started warning website owners if they were running out of date WordPress versions, and there were plenty of examples of people being caught out who should have known better.
For example the Reuters blog, which was hacked earlier this year and found to be running a version of WordPress that was two years out of date.
The result: Your website can be home to nasty software, advertising dodgy online drugs, hosting one of those fake banking/phishing sites or just taken over by someone else. In most cases you may not even know anything is wrong.
This can get your website blacklisted and removed from search results, and the damage to your reputation can be immense.
(Image: That’s a lot of out of date plug-ins)
Sometimes the fault here lies with web companies themselves who sell a website to a customer but don’t explain that the software it runs on must be kept up to date.
One company we know of even told a customer to ignore the prompts to update the plug-ins and WordPress version – and warned them that if they updated and things went wrong they would be on their own.
In this case it seems the web company involved simply didn’t understand how to keep WordPress up to date – or the importance of doing so.
A Stitch in Time Saves Nine
Some customers are put off by the idea that their website will need to be maintained and that there will be a small cost associated with this, but skipping it is a false economy.
After all, doing the necessary back-ups and keeping everything up to date is a finite task that shouldn’t take long if done regularly.
Fixing a hacked website can be a long and involved process that could cost a lot – in time and money – to put right.
Or to put it another way, keeping WordPress and your plug-ins up to date is the equivalent of taking your vitamins, but putting a hack attack right is open heart surgery.
Ask your web company
So if you already have a WordPress site find out what your web company is doing about back-ups and software updates. If you look after your own site then don’t ignore the warnings.
And if you’re thinking about having a WordPress site built for you, ask your web company what they are going to do about updating it and its plug-ins. If they don’t have an answer, then you might be better going somewhere else.
Otherwise there could be a lot of time and expense waiting for you down the road.
How to Keep WordPress Secure by Matt Mullenweg, co-founding developer of WordPress