The FBI is warning WordPress users that ISIS (the self-proclaimed Islamic State of Iraq and al-Shams) is exploiting WordPress websites and possibly taking control of them. According to the intelligence agency, the group is affecting "Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites."

FBI ISIS warning and defense mechanism:
The Federal Bureau of Investigation explains that although these "defacements demonstrate low-level hacking sophistication", they could certainly be disruptive to businesses. The agency recommends that users patch the vulnerable plugins at the earliest opportunity. However, there doesn't seem to be a serious cause for alarm, because all the identified exploits used by ISIS sympathizers already have patches available. The level of concern therefore depends on how frequently you update your sites and plugins.
The recommendation is thus simply to keep your sites and plugins updated: through these vulnerabilities, hackers could bypass security restrictions, gain unauthorized access, and inject malicious scripts to disrupt communications and networks. Remember that outdated plugins were also the reason over 100,000 WordPress sites were injected with malware, which in turn pushed Google to blacklist over 11,000 domains!
- Read: Critical WordPress Plugin Bug Helps Hackers Serve Malware on Over 100,000 Sites
According to the agency, it is not ISIS itself but the organization's sympathizers carrying out these malicious activities. Here is the checklist outlined by the caring folks at the FBI that could help you keep your site's security up to date:
The FBI recommends the following actions be taken:
- Review and follow WordPress guidelines: http://codex.wordpress.org/Hardening_WordPress
- Identify WordPress vulnerabilities using freely available tools such as http://www.securityfocus.com/bid, http://cve.mitre.org/index.html, https://www.us-cert.gov/
- Update WordPress by patching vulnerable plugins: https://wordpress.org/plugins/tags/patch
- Run all software as a non-privileged user, without administrative privileges, to diminish the effects of a successful attack
- Confirm that the operating system and all applications are running the most updated versions
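As an added example (not code from the FBI notice or from this article), the Python script below turns the "identify vulnerabilities" and "patch vulnerable plugins" steps into an offline inventory check. It reads the header comment that a WordPress plugin's main PHP file carries (the standard "Plugin Name:" and "Version:" fields) for every plugin under wp-content/plugins and compares each installed version against a table of minimum patched versions. The sample plugins and the version table are constructed placeholders, not real plugin or advisory data; in practice the table would be filled from the vulnerability sources listed above.

```python
"""Inventory installed WordPress plugins and flag those below a known-patched version.

Added example (not code from the FBI notice or the article). Assumes the standard
WordPress layout: wp-content/plugins/<slug>/<main>.php, where the main file starts
with a header comment containing 'Plugin Name:' and 'Version:' fields.
"""
import re
import tempfile
from pathlib import Path

# Matches header fields such as "Plugin Name: Foo" or " * Version: 1.2.3".
HEADER_RE = re.compile(r"^[ \t]*\*?[ \t]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE)

# Constructed sample plugins for a self-contained run (not real plugins).
SAMPLE_PLUGINS = {
    "example-gallery/example-gallery.php": "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.4.2\n*/\n",
    "example-forms/example-forms.php": "<?php\n/**\n * Plugin Name: Example Forms\n * Version: 3.0.1\n */\n",
    "hello.php": "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.6\n*/\n",
}

# Placeholder minimum patched versions keyed by plugin slug. NOT real advisory data;
# fill this from the advisory sources the notice lists.
MIN_PATCHED = {"example-gallery": "1.5.0", "example-forms": "3.0.1"}


def parse_version(text):
    """'1.4.2' -> (1, 4, 2, 0); non-numeric parts count as 0, padded to four fields."""
    nums = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", text.strip())]
    return tuple((nums + [0, 0, 0, 0])[:4])


def read_plugin_header(php_path):
    """Return {'name', 'version'} from the file's header comment, or None if absent."""
    try:
        text = php_path.read_text(encoding="utf-8", errors="replace")[:8192]
    except OSError:
        return None
    fields = {m.group(1): m.group(2) for m in HEADER_RE.finditer(text)}
    if "Plugin Name" not in fields:
        return None
    return {"name": fields["Plugin Name"], "version": fields.get("Version", "0")}


def inventory_plugins(plugins_dir):
    """Map plugin slug -> header for every plugin found under the plugins directory."""
    found = {}
    for entry in sorted(Path(plugins_dir).iterdir()):
        if entry.is_file() and entry.suffix == ".php":
            candidates, slug = [entry], entry.stem          # single-file plugin
        elif entry.is_dir():
            candidates, slug = sorted(entry.glob("*.php")), entry.name
        else:
            continue
        for php in candidates:
            header = read_plugin_header(php)
            if header:
                found[slug] = header
                break
    return found


def find_outdated(inventory, min_patched):
    """Return {slug: (installed, required)} for plugins below their patched version."""
    outdated = {}
    for slug, header in inventory.items():
        required = min_patched.get(slug)
        if required and parse_version(header["version"]) < parse_version(required):
            outdated[slug] = (header["version"], required)
    return outdated


def build_sample_site(root):
    """Write the constructed sample plugins into a plugins directory and return it."""
    for rel, content in SAMPLE_PLUGINS.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")
    return Path(root)


def demo():
    """Run the check against the constructed sample and return the outdated plugins."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins_dir = build_sample_site(tmp)
        return find_outdated(inventory_plugins(plugins_dir), MIN_PATCHED)


if __name__ == "__main__":
    for slug, (have, need) in demo().items():
        print(f"{slug}: installed {have}, patched release is {need} -> update")
```

Point `inventory_plugins` at a real wp-content/plugins directory to get the installed list; only plugins whose slug appears in the version table are judged, so an empty table produces no findings rather than false confidence.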
Bottom-line: just keep your sites always updated to the very latest versions!
- Source: Federal Bureau of Investigation: FBI ISIS notice