The Not-So-Good, the Really Bad, and the Very Ugly
By Ryan Owens
Over the years we've helped rescue (far too many) clients from website hacking incidents, some of them quite serious. Every one of them utilized common web platforms such as WordPress, Drupal and Joomla, but each incident was also somewhat unique in nature and took advantage of different vulnerabilities. What is important to note about these hacking intrusions is that in most cases the client was not aware of the problem, having no idea that their site was distributing malware, or that their domain was sending spam, or that their email had been blacklisted.
"Hackers attack WordPress sites both big and small, with over 90,978 attacks happening per minute. WordPress is the most hacked CMS — with 83 percent of hacked websites using the WordPress platform." – Wordfence
According to Wikipedia, malware (a portmanteau for malicious software) is any software intentionally designed to cause damage to a computer, server or computer network. Malware does the damage after it is implanted or introduced in some way into a target's computer and can take the form of executable code, scripts, active content, and other software. The code is described as computer viruses, worms, Trojan horses, ransomware, spyware, adware, and scareware, among other terms.
Wikipedia goes on to explain, "It is especially important to keep WordPress plugins updated because would-be hackers can easily list all the plugins a site uses, and then run scans searching for any vulnerabilities against those plugins. If vulnerabilities are found, they may be exploited to allow hackers to upload their own files (such as a PHP Shell script) that collect sensitive information.
Developers can also use tools to analyze potential vulnerabilities, including WPScan, WordPress Auditor and WordPress Sploit Framework developed by 0pc0deFR. These types of tools research known vulnerabilities, such as a CSRF, LFI, RFI, XSS, SQL injection and user enumeration. However, not all vulnerabilities can be detected by tools, so it is advisable to check the code of plugins, themes and other add-ins from other developers."
We've compiled this guide to show you the real emails, screenshots, and search engine reports so that you can see for yourself the common issues faced with these CMS systems.
In some examples we've blurred out the names to protect the innocent.
THE HACK: Malware
THE PLATFORM: WordPress
In this case, Google had detected malware on the client's WordPress site and had flagged it in search results, and also put up this scary red warning page that popped up whenever someone tried to visit the client's website. The client found out about it only after this warning page was displayed on their website. Who knows how long it had been distributing malware or stealing credit card info, etc. before it was detected? And even if you aren't aware of malware on your site, Google usually is. However, it may take time for Google to discover and flag your website once it has been compromised. When Google eventually detects that something malicious is installed, it will stop sending traffic to your site until the problem has been fixed. Furthermore, you could potentially expose yourself or your company to certain legal liabilities.
THE FIX: Build a Custom Stratatomic Website
We were able to solve the problem for good when we launched a new, completely custom HTML5 website and submitted the new site to Google in order to remove the warning.
THE HACK: Trojan Horse Domain Hijacking
THE PLATFORM: WordPress
This client, located in New Zealand, was completely unaware that their site was referring customers to illegitimate malware distributors and that a complaint had been filed under the US Digital Millennium Copyright Act. As part of our due diligence when we launch a new website, we do a site-specific scan of their domain in Google's Search Engine Results Pages (SERP) to see how their site appears in the index and set up redirects as needed so that any broken links are minimized. What we found were pages and pages of hidden, secret URLs that were invisible on the site but were prevalent throughout the SERP pages. If a potential customer searched for the client on Google, they would encounter all of these nefarious links, which would take them to illegitimate malware distributors offering illegal software for download, infected with viruses, malware, ransomware and other nasty stuff. The Chinese characters shown in the bottom search result show that this was most likely the result of black hat Chinese hackers. Unfortunately, this was not the first time we'd seen this (see below).
THE FIX: Build a Custom Stratatomic Website
Good thing we do a Google site search on behalf of our clients or they would have never realized this was happening. A new, custom HTML5 website developed by Stratatomic solved their WordPress headaches for good, and we cleaned up these SERP results by submitting a new site map to Google and requesting that these bad URLs be removed using our Google WebTools™ site management technology.
THE HACK: Malware
THE PLATFORM: WordPress + GoDaddy Web Hosting
Our client began receiving notices from their web host, GoDaddy, informing them that their WordPress site contained known malware. This situation was previously unknown to the client. Fortunately their web host had detected the issue, but again we do not know how long this had been going on or what type of malware was being distributed. As you can see from the email, there were a lot of WordPress modules and extensions that were affected. Some of them were removed by the web host; however, many others were not, as they were deemed integral to the site's operation, and it would require a knowledgeable website administrator to further troubleshoot the problem. Unfortunately for the client, the current website developer was no longer returning their phone calls, which is all too often the case.
And by the way, GoDaddy is one of, if not the, worst web hosting companies extant. Combine WordPress and GoDaddy and you might as well just invite the hackers over for dinner. Just saying those two companies in the same sentence sends shivers down my spine. Read the reviews here on webhostinggeeks.com or just ask and we'll be glad to share some good horror stories with you.
THE FIX: Build a Custom Stratatomic Website
We were already busy working on a new, custom HTML5 website as the client kept receiving these disturbing emails from GoDaddy. When the new site was completed and launched we solved their WordPress issues permanently. We also transitioned their website to our secure, dedicated web hosting infrastructure that is SAS 70 Type II Certified and powered by the latest Apache HTTP Server technology, which is the backbone of the Internet and used by many of the largest eCommerce firms and government agencies, including Amazon, Google, IBM, NASA, NYSE, the US Department of Defense, and many more.
THE PROBLEM: Emergency Security Maintenance (Again)
THE PLATFORM: WordPress + WP Engine Hosting
A customer came to us after receiving a barrage of constant, worrying emails and notifications from WordPress. This particular one he forwarded to us indicates that a security situation had been discovered and exploited on the WordPress platform. Unfortunately, these warning messages had become a recurring thing for our client, and he had decided enough was enough - it was time to build a better website.
THE FIX: Build a Custom Stratatomic Website
We designed and built a new, completely custom HTML5 website for the client that stopped these pesky messages from WordPress and eliminated many of the usability issues and errors that plagued his previous site.
THE HACK: Customer Credentials Stolen
THE PLATFORM: WordPress + WP Engine Hosting
This was yet another troublesome email that same client received from WordPress. We're not sure which one broke the proverbial camel's back, but let's just say there were a bunch more where these came from. Any one of these warnings should be enough to trigger serious consideration as to the security or lack thereof inherent in this platform. In this instance, WordPress had experienced a hacking intrusion and an "unknown" number of their customers' credentials had been exposed and placed at risk of identity theft.
THE FIX: Build a Custom Stratatomic Website
The new website we built for our client completely eliminated the constant worry and headaches that kept him up at night. Simply put - your website should make you money, not cause heartburn.
THE HACK: Trojan Horse Domain Hijacking
THE PLATFORM: WordPress
Those Chinese hackers aren't playing around. Another local client, located in Greenville, had no idea that their site had been hijacked and was referring customers to illicit websites in China that distributed malware. Upon launch of the new site we created for them, we performed our usual site-specific scan of their domain in Google's Search Engine Results Pages (SERP) to see how their site appears in the index and set up redirects as needed so that any broken links are minimized. Again we found hidden, secret URLs that were invisible on the site but were all throughout the SERP pages. Searching for the client on Google would return countless illegitimate URLs that didn't lead to the client's website but instead took visitors to a Chinese website that would immediately begin downloading infected files to the customer's computer. Not only does this do irreparable harm to the customer's computer, but it reflects poorly on the client as well. The Chinese characters shown on the third row of the search results below are a dead giveaway of who is behind this.
THE FIX: Build a Custom Stratatomic Website
Unfortunately we, and the client, have no way of knowing how long this scheme had been going on or how many customers had been affected. Fortunately we do a Google site search on behalf of our clients whenever we launch a new website and we uncovered this scam before it could do further damage. The new, custom HTML5 website created by Stratatomic eliminated these WordPress vulnerabilities permanently, and we cleaned up these SERP results by submitting a new site map to Google and requesting that these bad URLs be removed using our Google WebTools™ site management technology.
THE HACK: "Shocking" Automated Malware Attack
THE PLATFORM: Drupal
This incident wasn't one that personally affected one of our clients, but it isn't hard to find these or hear about them for any of these common open-source platforms such as WordPress, Drupal or Joomla. They all work the same basic way, which means they all suffer the same inherent vulnerabilities, flaws, and exploits. A quick Google search will turn up millions of these reports. We've included this one because it is rather scary if you read it closely:
THE FIX: Don't Rely On Free Software!
As stated in the Sucuri™ Website Hacked Trend Report (2017), "This user adoption however brings about serious challenges to the Internet as a whole as it introduces a large influx of unskilled webmasters and service providers responsible for the deployment and administration of these sites." As the report goes on to say, "Out of the 11,000+ infected websites analyzed, 75% of them were on the Wordpress platform and over 50% of those websites were out of date. Compare that to other similar platforms that placed less emphasis on backwards compatibility, like Joomla and Drupal, the percentage of out-of-date software was above 80%."
Other highlights from the Sucuri™ report include, "As of March 2016, Google reports that over 50 million website users have been greeted with some form of warning that websites visited were either trying to steal information or install malicious software. In March 2015, that number was 17 million. Google currently blacklists close to ~20,000 websites a week for malware and another ~50,000 a week for phishing. PhishTank alone flags over 2,000 websites a week for phishing. These numbers reflect only those infections that have an immediate adverse effect on the visitor (i.e., Drive by Download, Phishing) and do not include websites infected with Spam SEO and other tactics not detected by these companies."
If you're ready to see the difference that Stratatomic can make in your business, contact us at 864.271.7021 or click here to send us a message.
According to W3Techs, a service run by Austrian consulting firm Q-Success (that surveys the top 10 million sites ranked on Alexa):
"WordPress continues to be the leading infected website CMS (83% of all websites cleaned in 2017)." – Sucuri
"73.2% of the most popular WordPress installations are vulnerable to vulnerabilities which can be detected using free automated tools." – WpWhiteSecurity.com
"Hackers attack WordPress sites both big and small, with over 90,978 attacks happening per minute." – Wordfence
"The four most common WordPress malware infections are Backdoors, Drive-by downloads, Pharma hacks, and Malicious redirects." – Smashing Magazine
"Only 39% of WordPress websites are running the most current version of the software (4.8)." – WordPress
"Only around 40 percent of WordPress sites are up to date." – TorqueMag.io
"If you can protect yourself against plugin vulnerabilities and brute force attacks, you are accounting for over 70% of the security problem." – Wordfence.com
"Ransomware attacks increased by 36 percent in 2017." – Symantec.com
"Every day, Safe Browsing discovers thousands of new unsafe sites. Many of these are legitimate websites that have been compromised by hackers. Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week." – Google
"According to a recent report by wpscan.org, of the 3,972 known WordPress security vulnerabilities:
52% are from WordPress plugins
37% are from core WordPress
11% are from WordPress themes" – ithemes.com
"41% were hacked through a security vulnerability on their hosting platform." – wpwhitesecurity.com
In January 2017, security auditors at Sucuri identified a vulnerability in the WordPress REST API that would allow any unauthenticated user to modify any post or page within a site running WordPress 4.7 or greater.
In March 2015, many security experts and SEOs, including Search Engine Land, reported that an SEO plugin for WordPress called Yoast, used by more than 14 million users worldwide, had a vulnerability that could be exploited by hackers to perform a blind SQL injection.
Stefan Esser has worked in several different security fields over the years, and is very well-known and respected within the security arena. He has been involved in several web projects (PHP/Java/Python/Ruby) which resulted in the PHP Hardening-Patch, the Suhosin PHP Security Extension and finally in the Month of PHP Bugs. Recently, he took part in the launch of a new web application security company "SektionEins GmbH".
"I think the WordPress software is the best blogging software around from an end user's perspective. Its GUI is full of eye-candy and features that are not present in other blog software. But wearing my security hat, I see past this eye-candy onto the code and see several bad design decisions. This starts with how they interface with the database. Additionally, I consider some of their features quite dangerous. I personally dislike it when software encourages its users to have writeable files within the document root. WordPress's feature to edit files/templates on the server does exactly this. The problem with this is that when I take over the admin account of a WordPress blog, usually nothing stops me from executing any PHP code on the system. And from that it is often only a small step to control the whole server."
"WordPress is a software for end users with low or no technical know how. Of course there are also admins and developers using it, but the majority of WordPress users do not read security mailing lists. They will usually not know about all the security flaws that were found. And I am sure the majority of them will just upgrade if they learn about the security update and not think much about it. The majority do not care about these vulnerabilities until their own blogs get hacked, and even then, they might simply reinstall and start over. That said, I believe that the security holes in WordPress might scare some developers."
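Esser's point above is that WordPress expects PHP files under the document root to be writable and ships a built-in editor for them, so an admin takeover becomes code execution. As an added example (not from the original post, Stratatomic, or WordPress itself), the following Python audit script flags PHP files a web-server account could modify and checks whether wp-config.php sets the real WordPress constant DISALLOW_FILE_EDIT; the sample directory tree and the web_uid parameter are assumptions constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Matches define('DISALLOW_FILE_EDIT', true); with any quoting or spacing.
_EDIT_OFF = re.compile(
    r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.IGNORECASE)


def file_edit_disabled(wp_config_text):
    """True when wp-config.php switches off the theme/plugin file editor."""
    return _EDIT_OFF.search(wp_config_text) is not None


def writable_php_files(docroot, web_uid):
    """Return .php files under docroot that the web-server account could modify.

    A file is flagged when it is group- or world-writable, or when it is owned
    by web_uid and owner-writable. Paths are returned relative to docroot.
    """
    found = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            loose = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
            owned = st.st_uid == web_uid and bool(st.st_mode & stat.S_IWUSR)
            if loose or owned:
                found.append(os.path.relpath(path, docroot))
    return sorted(found)


def build_demo_docroot():
    """Constructed sample WordPress-like tree (not a real install) for the audit."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    files = {
        os.path.join(theme, "functions.php"): 0o664,  # group-writable: flagged
        os.path.join(root, "index.php"): 0o444,       # read-only: clean
        os.path.join(root, "wp-config.php"): 0o440,   # read-only: clean
    }
    for path, mode in files.items():
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_demo_docroot()
    # web_uid=-1 means "owner unknown": only the group/world write bits count.
    print(writable_php_files(root, web_uid=-1))
    print(file_edit_disabled("define('DISALLOW_FILE_EDIT', true);"))
```

On a live site, pass the uid the web server runs as (for example the owner of the PHP worker processes) so owner-writable files under that account are reported too.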
Millions of websites threatened by highly critical code-execution bug in Drupal
February 2019 / Ars Technica - Millions of sites that run the Drupal content management system run the risk of being hijacked until they're patched against a vulnerability that allows hackers to remotely execute malicious code, managers of the open source project warned.
CVE-2019-6340, as the flaw is tracked, stems from a failure to sufficiently validate user input, managers said in an advisory. Hackers who exploited the vulnerability could, in some cases, run code of their choice on vulnerable websites. The flaw is rated highly critical.
Drupal is the third most-widely used CMS behind WordPress and Joomla. With an estimated 3 percent to 4 percent of the world's billion-plus websites, that means Drupal runs tens of millions of sites. Critical flaws in any CMS are popular with hackers, because the vulnerabilities can be unleashed against large numbers of sites with a single, often-easy-to-write script.
In 2014 and again last year, hackers wasted no time exploiting extremely critical code-execution vulnerabilities shortly after they were fixed by Drupal project leaders. Last year's "Drupalgeddon2" vulnerability was still being exploited six weeks after it was patched, an indication that many sites that run on Drupal failed to heed the urgent advice to patch.
In late March 2018, a patch for vulnerability CVE-2018-7600, also dubbed Drupalgeddon2, was released. The underlying bug allows remote attackers without special roles or permissions to take complete control of Drupal 6, 7, and 8 sites. Starting in early April, large-scale automated attacks against vulnerable sites were observed, and on April 20th, a high level of penetration of unpatched sites was reported.
While Drupal's site boasts over 30,000 downloadable modules, searching the Drupal module directory finds many that are incomplete, abandoned projects that do not work at all, only work for an outdated version due to lack of backward compatibility, or are unusable due to serious bugs. This is due to the open source nature of Drupal, and the fact that anyone is free to start a module and publish it on drupal.org. Modules with an active maintenance team are often highly polished, secure, and nearly bug free. Recent changes to the drupal.org website now let users search for modules, themes, and distributions, while filtering results by stability.
Joomla Hack Report
If your website is based on the popular Joomla content management system, make sure you have updated your platform to the latest version released today. Joomla, the world's second most popular open source Content Management System, has reportedly patched a critical vulnerability in its software's core component. Website administrators are strongly advised to immediately install the latest Joomla version, 3.7.1, released today, to patch a critical SQL Injection vulnerability (CVE-2017-8917) that affects only Joomla version 3.7.0.
The SQL Injection vulnerability in Joomla 3.7.0 was responsibly reported to the company last week by Marc-Alexandre Montpas, a security researcher at Sucuri.
According to the researcher, 'The vulnerability is easy to exploit and doesn't require a privileged account on the victim's site,' which could allow remote hackers to steal sensitive information from the database and gain unauthorized access to websites.
Since hackers would not take much time to exploit this vulnerability against millions of websites, you are advised to download the latest version of Joomla for your website and inform others about the release of this critical patch update as well.