Don’t panic, but you should check your WordPress website!
A recent blog post on Sucuri.net – a cloud provider of website firewall and security services – has sparked a lot of attention in the media. Apparently, there’s been “a spike” in malware-infected WordPress websites that deliver malware infections to innocent visitors who believe they are safe because they don’t browse porn or pirate-movie websites, but rather inconspicuous business websites or blogs.
We’ve known for years that bad security policies for deploying websites may eventually lead to your pretty online presence being hijacked and used for nefarious purposes – regardless of whether you’re using open source software or commercial packages to manage the online content (is anyone really using commercial website management systems nowadays?).
But why the attention all of a sudden? There have been similar spikes like this in the past… It seems to me that we’re going through a period of enhanced awareness about malicious activities performed online – especially since the outcome of a computer virus or malware infection has become “commercial”. Nowadays, if you learn how to embrace “the dark side” of the web, you can buy a Cryptolocker package for as little as a few hundred dollars, together with access to the automated infrastructure to host the scripts for delivering the infection, receive the ransom funds and deliver the clean-up key to the poor victim.
This is a really lucrative “business” and it hurts the general public much more than having a computer frozen or invaded by pop-ups screaming that you should buy Viagra or some other “health”-inducing pill. And when people get hurt (having to pay money to access their own files), they pay attention.
All this increased attention to the topic is also good business for the people providing countermeasures – such as firewalls and cleaning services. That’s why you see these nice blog posts and articles, so stop being so concerned that “they’re after us”.
However, don’t forget one important thing:
Your business website is NOT just a pretty online brochure that needs to exist and be advertised so people can see how good you and your team are at doing what you’re doing. It’s a working, living piece of code – a piece of software, sitting on a server, exposed to an Internet used by another 3 BILLION people all over the world. It’s supposed to be interactive and lure the customer into clicking and doing things whilst visiting (for the benefit of inbound marketing and sales automation, obviously).
And when a lot of those 3 BILLION people are very smart bad guys who want to make a buck (or a million) fast and easy, they will pick any not-so-secure and badly deployed website software system, break into it, enslave it and do their thing for as long as they can. And you won’t know anything until the day almighty GOOGLE puts your website on the blacklist and no one comes visiting for a few days or weeks.
So, yeah… don’t panic, but you should check that WordPress website of yours and see if the deployment was done right! Services like Sucuri.net are good at letting you know if you have a problem. Good protection against hackers starts with good security practices.
I know I am reviewing my WordPress deployments right now!
Have fun, and give us a yell if you need help…