Editor’s Note: This post was first published by Hal Goodtree on Technology Tank.
Cary, NC — A wave of malware has washed over the web, affecting small businesses, media properties, government and industry. Now, the FBI says they know who is behind it: ISIS.
In fact, ISIS has a hacking brigade. But, like the self-proclaimed Islamic State itself, most of its efforts are directed at regional targets in the Middle East.
However, lots of hackers around the world are suddenly claiming affiliation with ISIS.
Back in January, a group calling itself the CyberCaliphate and claiming association with ISIS took over the social media accounts of CENTCOM, the U.S. Central Command, as reported by Engadget. Very embarrassing.
Just yesterday, the same CyberCaliphate, also known as the Islamic State Hacking Division, took credit for hacking French broadcaster TV5Monde. This was a big hack that brought down 11 TV stations, some for almost 24 hours.
ISIS WordPress Hack
ISIS has also been mentioned in a wave of WordPress attacks. The FBI issued a warning for publishers of WordPress websites:
Secure Your Websites!
Whether this is a grand plot by some hard-pressed jihadists in Syria or just a wave of copycats, the surge in malware is undeniable. Take steps to clean and protect your website, because you might well be already infected.
- Use Strong Passwords – 12 characters or more. Use a password generator and password keeper app for convenience and security. We use 27-character passwords on some of our sites. We use LastPass.
- Make Frequent Backups – This is a prudent recovery strategy in case the hack is so bad you can’t get into the back end, or in case you mess up during remediation. For WordPress, we use BackupBuddy.
- Scan for Malware – Free and paid services exist to regularly scan your website for changes to files and known malware contaminations. Sucuri Site Check is a good place to start. For WordPress, we like Anti-Malware by Eli as well as WordFence.
- Update Everything – Many hacks take advantage of vulnerabilities in older versions of software. Whether you use Nginx on a server or RevSlider on a website, older versions of everything have been hacked. Keep software and plugins up-to-date and stay safe.
WordPress Site Hardening Tips
If you have a WordPress website and think you’ve been hacked, here are some steps you can take in addition to the four steps above.
- 404 Detection – Set a threshold for visitors hitting lots of non-existent pages, for example 20 in 5 minutes = lockout
- Ban IPs on HackRepair.com’s Blacklist – Database of known IPs used for malware
- Brute Force Protection – Stops hackers from trying unlimited numbers of passwords
- Enable File Change Detection
- Hide WordPress backend – Change crucial login files to a prefix other than “wp-”
- Disable Directory Browsing – Stops visitors from browsing a directory where no index is present
- Filter Long URLs – Long URLs can hide spammy commands
- Disable PHP in Uploads – Upload directories are, by nature, writable. But usually we want pictures or media files, not PHP.
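
The 404 detection rule from the list above (20 misses in 5 minutes = lockout), sketched as a sliding-window check over access log lines. This is an added example, not code from the original post or from any plugin it mentions. The combined log format, the function names and the sample entries are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed input: Apache/Nginx "combined" access log lines.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_lockouts(lines, threshold=20, window=timedelta(minutes=5)):
    """Return {ip: time of the 404 that reached the threshold}."""
    recent = defaultdict(deque)   # ip -> timestamps of 404s still inside the window
    locked = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # skip malformed lines instead of crashing
        ip, stamp, status = m.groups()
        if status != "404" or ip in locked:
            continue
        now = datetime.strptime(stamp, TIME_FMT)
        hits = recent[ip]
        hits.append(now)
        # Drop 404s that have aged out of the sliding window.
        while now - hits[0] >= window:
            hits.popleft()
        if len(hits) >= threshold:
            locked[ip] = now
    return locked

def sample_log():
    """Constructed sample: documentation-range IPs, made-up paths and date."""
    base = datetime.strptime("10/Apr/2015:12:00:00 +0000", TIME_FMT)
    def entry(ip, offset_s, path, status):
        t = (base + timedelta(seconds=offset_s)).strftime(TIME_FMT)
        return f'{ip} - - [{t}] "GET {path} HTTP/1.1" {status} 512'
    lines = []
    # Scanner: 20 missing pages in under two minutes.
    lines += [entry("203.0.113.7", i * 5, f"/old-plugin-{i}.php", 404) for i in range(20)]
    # Visitor following stale links: 20 misses, but only one per minute.
    lines += [entry("198.51.100.4", i * 60, f"/archive/{i}", 404) for i in range(20)]
    # Normal traffic that never hits a missing page.
    lines += [entry("192.0.2.10", i * 3, "/", 200) for i in range(30)]
    return lines

if __name__ == "__main__":
    for ip, when in find_lockouts(sample_log()).items():
        print(f"lockout {ip} at {when.isoformat()}")
```

The slow visitor also produces 20 misses in total but never more than five inside any 5-minute window, which is why the rule counts per window rather than per day.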
Hal Goodtree is a WordPress publisher and a Fellow at TechnologyTank.