- Review and follow WordPress guidelines.
- Identify WordPress vulnerabilities using the freely available CVE tools at SecurityFocus, MITRE, and US-CERT.
- Update your WordPress websites by patching vulnerable plugins.
- Run all software as a non-privileged user, i.e. without administrative privileges, to limit the impact of a successful attack.
- Confirm that you are running the most up-to-date versions of the operating system and all applications.
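A defender-side check for the second and third items above, added here as an example and not taken from the FBI announcement or the article: it reads the JSON that wp-cli's `wp plugin list --format=json` produces (the field names are an assumption), compares each installed version against a constructed table of first-fixed versions, and lists what still needs patching.

```python
import json
import re

# Constructed sample in the shape of `wp plugin list --format=json` output.
# Plugin slugs and versions are made up; the field names are an assumption
# about wp-cli's output, not something stated in the article.
WP_PLUGIN_LIST = json.dumps([
    {"name": "example-slider", "status": "active", "update": "available",
     "version": "4.1.4", "update_version": "4.6.5"},
    {"name": "example-forms", "status": "active", "update": "none",
     "version": "3.1.1", "update_version": ""},
    {"name": "example-gallery", "status": "inactive", "update": "available",
     "version": "1.0.2", "update_version": "1.1.0"},
])

# Constructed advisory table: plugin slug -> first version that carries the fix.
# Placeholder values only; a real run would fill this from CVE/NVD advisories.
FIXED_IN = {"example-slider": "4.2.0", "example-forms": "3.0.0"}


def parse_version(v):
    """Turn '4.1.4' or '1.1.0-beta' into a tuple of ints that compares sanely."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(installed, fixed_in):
    """True when the installed version predates the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def audit_plugins(plugin_list_json, fixed_in):
    """Return (slug, installed_version, reason) for every plugin needing action.

    Inactive plugins are deliberately not skipped: their files still ship
    with the install, so they must be patched or removed just the same.
    """
    findings = []
    for p in json.loads(plugin_list_json):
        slug, ver = p["name"], p["version"]
        if slug in fixed_in and is_vulnerable(ver, fixed_in[slug]):
            findings.append((slug, ver, f"known-vulnerable, fixed in {fixed_in[slug]}"))
        elif p.get("update") == "available":
            findings.append((slug, ver, f"update available: {p['update_version']}"))
    return findings


if __name__ == "__main__":
    for slug, ver, reason in audit_plugins(WP_PLUGIN_LIST, FIXED_IN):
        print(f"{slug} {ver}: {reason}")
```

On a live site, pipe the real `wp plugin list --format=json` output into `audit_plugins` and feed `FIXED_IN` from the advisory sources the list names.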
"ISIS is after you."
Yes, you heard right. The United States Federal Bureau of Investigation (FBI) is warning WordPress users to patch vulnerable plugins for the popular content management system before ISIS exploits them to display pro-ISIS messages.
According to the FBI, ISIS sympathizers are targeting WordPress sites and the communication platforms of commercial entities, news organizations, federal/state/local governments, religious institutions, foreign governments, and a number of other domestic and international websites.
Targets appear to be random: they are not linked to any particular name or business.
The attackers are sympathizers and supporters of ISIS (also known as ISIL), not actual members of the terrorist organization. They are mostly unskilled and are not doing much hard work: they are simply leveraging known WordPress plugin flaws through commonly available hacking tools.
These vulnerabilities have already been fixed by WordPress developers, but individual website owners have failed to install the patches.
Want to know the best part?
The software patches for these identified WordPress vulnerabilities are available. So avoiding an attack on your website is pretty simple: just update your WordPress installation and its plugins now.
Most of these flaws allow hackers to gain unauthorized access, inject scripts, bypass security restrictions, and steal cookies from PCs or network servers. This lets a malicious actor install malware, tamper with data, or create new accounts with full user privileges on affected websites.
It gets worse:
In addition to exploiting vulnerable WordPress plugins, pro-ISIS sympathizers are also creating fake government websites to trick users into handing over their personally identifying data, which leads to identity theft.
The fraudulent criminal websites appear at the top of a search engine's results, prompting victims to click on the fake sites and give up their sensitive data. The scam site usually charges a fee to complete the service requested, which encourages victims to hand over even more personal data.
Before a victim realizes it is a scam, the money has already been funneled out of their bank account and their personal identity has been compromised, which attackers can then use for any number of illicit purposes.
What's the bottom line?
Take your security seriously and keep yourself protected from vulnerabilities that could lead to your websites being hacked.
How? It's quite simple.
Always look for the latest security patches and, if you find any, upgrade your website then and there. Don't wait for an invitation or announcement. Not only ISIS sympathizers but also ordinary hackers can target your website if you run outdated widgets or older, unsupported software.
Moreover, the best way to avoid this kind of scam:
Search for reviews of the website you want to interact with, and always stay updated on the latest scams and happenings around the world.
More importantly, the FBI recommended the following quick and simple steps to protect your websites against attack in an announcement published Tuesday: