The FBI has warned WordPress users to patch any plug-in vulnerabilities or risk having their sites taken over and defaced by ISIS sympathizers.
The Feds claimed the defacements have so far affected the “web site operations and communications platforms” of news organizations, religious institutions, local and federal governments, foreign governments and more.
Whilst not particularly skilled, the hacks have nevertheless caused disruption, lost revenue and extra costs to repair, it added.
The plug-in flaws exploited in said attacks all apparently have patches available.
If left untouched, they could allow the following:
“Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers. An attacker could install malicious software; manipulate data; or create new accounts with full user privileges for future web site exploitation.”
Rather than go after specific businesses, the attackers are merely targeting those which have yet to patch the relevant vulnerabilities, the FBI said.
It continued:
“The FBI assesses that the perpetrators are not members of the ISIL terrorist organization. These individuals are hackers using relatively unsophisticated methods to exploit technical vulnerabilities and are utilizing the ISIL name to gain more notoriety than the underlying attack would have otherwise garnered.”
WordPress is often in the news after being attacked by cyber-criminals, most recently when a malicious iFrame injection directed users to a Pirate Bay copycat site which served up a banking trojan.
Sam Hartley, senior security consultant with 7 Elements, urged WordPress users to follow best practice steps such as configuring automatic updates; minimizing use of third party plug-ins; using an app firewall to detect and block attacks; and carrying out regular site security assessments.
Firms should also use a dedicated platform to host their sites separately from the regular corporate environment, in order to minimize risk, Hartley added.
“WordPress is used by many organizations safely by following good security practices,” he told Infosecurity by email. “Like any internet-facing system it is important to ensure it is hardened, monitored and maintained correctly.”