This post is for people that own websites or visit websites, which these days is pretty much anyone, correct?
As you may or may not know, I run a hosting company called That One Hosting. One of the biggest issues I see on any hosted site is people running the WordPress platform and neglecting to update the software itself or the numerous plugins and themes added to the site. Let me explain why this is critical…
First off, I’m not knocking the WordPress platform; in fact I’ve done several training courses on it and use it myself.
What I am saying is that many times we add plugins to a site for extra features or functionality, or we try out different themes to customize the site. In doing so we tend to leave unneeded themes and plugins installed, which adds bloat to the site but also gives someone with less than honorable business practices more opportunity to gain access to your site.
Let me explain what I mean a bit further. WordPress is open source software, meaning that the code is available for anyone to read so that they can create plugins, themes and customizations for everyone to use. While this is a great thing, it also allows those with the right skills to find security holes in plugins and themes that others have developed, unknowingly leaving a security risk on your site if you choose to use that plugin.
The plugins are easily searchable via any search engine, so once a hacker knows of a vulnerability they have a smorgasbord of sites to gain access to and resources to use, which brings up the next point.
Why would they WANT to gain access to my site? The answer is this: they are generally in business for unethical purposes. They gain access to your site and set up “shop” behind the scenes. By shop I mean they create webpages and mini sites in sub folders of your site that you may never know about until it’s too late. Not only do they set up webpages on your site, they will also use your mail resources to send spam from your site to promote their pages. They are using your resources free of charge, and it is untraceable to who is actually using them.
The types of sites they set up sell body enhancing pills and supplements, or pornography, or are what is referred to as phishing (pronounced fishing) sites. Now you are probably asking yourself why this is called phishing. As I mentioned earlier, they set up a website in a sub folder of your site, and in many cases they’re actually replicating a highly respected site such as a bank or credit card company, which allows them to start “phishing” for information.
For example, they will create an exact replica of American Express and put it on your site. They will then send out emails from your website that LOOK exactly like an email you would receive from American Express, except all the links go to the pages on your site.
Many people don’t pay attention to the URL: they will visit the site, see that it LOOKS like American Express and attempt to log in to update their information. What they’re really doing is providing their username and password to the hacker, who can now gain access to their real account, allowing them to get replacement cards etc.
Scary huh? This happens more than you would like to believe.
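The “shop in a sub folder” pattern above is easy to spot if you know what your site looked like before: a new top-level folder, a changed core file, or a sudden jump in disk usage are all visible from the file system alone. The following script is an added example, not code from this post or from That One Hosting, and it assumes a stock WordPress layout (wp-admin, wp-content, wp-includes at the top of the web root) and treats uploads and cache folders as “noisy” areas that change legitimately. It records a baseline manifest (path, size, SHA-256 of every file), and on later runs reports what was added, removed or modified, singling out new top-level folders and any change outside the noisy areas. The demo() function builds a constructed sample site in a temporary folder, plants a fake login page and a tampered index.php, and returns the resulting report.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Folders a stock WordPress install has at the top level of the web root
# (assumption used by the new-folder check; adjust to your own layout).
EXPECTED_TOP_LEVEL = {"wp-admin", "wp-content", "wp-includes"}

# Areas where new or changed files are routine (media uploads, caches); a
# change there is not flagged on its own (assumed prefixes).
NOISY_PREFIXES = ("wp-content/uploads/", "wp-content/cache/")


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large uploads never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file below root (relative POSIX path) to its size and hash."""
    root_path = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            file_path = Path(dirpath) / name
            rel = file_path.relative_to(root_path).as_posix()
            manifest[rel] = {"size": file_path.stat().st_size,
                             "sha256": _sha256(file_path)}
    return manifest


def save_manifest(manifest: dict, out_file: str) -> None:
    """Keep the baseline outside the web root so an intruder cannot edit it."""
    with open(out_file, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def _top_level_dirs(paths) -> set:
    return {p.split("/", 1)[0] for p in paths if "/" in p}


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Compare two manifests and pull out what a site owner should look at."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p]["sha256"] != current[p]["sha256"])
    # A brand-new top-level folder is exactly the "shop in a sub folder" pattern.
    new_top_level = sorted(_top_level_dirs(added) - _top_level_dirs(baseline)
                           - EXPECTED_TOP_LEVEL)
    # Anything new or changed outside the noisy areas deserves a look.
    suspicious = [p for p in added + modified if not p.startswith(NOISY_PREFIXES)]
    size_delta = (sum(v["size"] for v in current.values())
                  - sum(v["size"] for v in baseline.values()))
    return {"added": added, "removed": removed, "modified": modified,
            "new_top_level_dirs": new_top_level, "suspicious": suspicious,
            "size_delta_bytes": size_delta}


def _write(root: Path, rel: str, data: bytes) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo() -> dict:
    """Constructed scenario: a tiny site, then a planted phishing folder."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files; contents are placeholders (6 bytes each).
        for rel in ("index.php", "wp-admin/index.php", "wp-includes/version.php",
                    "wp-content/plugins/hello/hello.php",
                    "wp-content/uploads/2024/photo.jpg"):
            _write(root, rel, b"<?php\n")
        baseline = build_manifest(tmp)
        # What an intruder leaves behind: a new folder with a fake login page
        # and a tampered index.php, plus one harmless new upload for contrast.
        _write(root, "online-banking-login/index.html", b"<html>fake</html>\n")
        _write(root, "index.php", b"<?php\n// constructed edit\n")
        _write(root, "wp-content/uploads/2024/new.jpg", b"\xff\xd8")
        return diff_manifests(baseline, build_manifest(tmp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In real use you would run build_manifest() against the web root right after a clean install or update, save it with save_manifest() somewhere the web server cannot write, and re-run the comparison on a schedule; the new_top_level_dirs and suspicious lists are what to read first, and size_delta_bytes is the “keep an eye on your site resources” check in numbers.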
If you are a website visitor, be sure the site you are visiting for financial information has a padlock in the URL bar or starts with https. If you are clicking a link in an email, be sure you are going where you think you should be going. If you receive an email and are suspicious, contact the company sending it. It’s always better to err on the side of caution.
If you are a website owner, there are some things you can do to prevent this activity on your website.
- First off, make sure your username is not something like Admin; this is generally the first thing they try.
- Use a password that is not easily figured out.
- Make sure to keep WordPress and all plugins and themes up to date.
- Make sure your site and/or FTP password is strong enough.
- Keep an eye on the size of your site resources.
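Keeping plugins and themes up to date starts with knowing what is installed and which version each one declares, including leftovers that no longer identify themselves. The script below is an added example, not code from this post or from That One Hosting. It reads the header comment that WordPress itself uses (Plugin Name / Theme Name / Version in the first 8 KB of a plugin’s main .php file or a theme’s style.css), builds an inventory of wp-content, and compares it against a slug-to-newest-version list. The version numbers in demo() and the sample plugin files are constructed for the example; in practice that list would come from the WordPress.org plugin and theme directories, or from your hosting panel.

```python
import re
import tempfile
from pathlib import Path

# Header fields WordPress reads from a plugin's main .php file or a theme's
# style.css; they live inside a comment, so leading "/* " or " * " is skipped.
HEADER_RE = re.compile(
    r"^[ \t/*#]*(Plugin Name|Theme Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE)


def read_header(path: Path) -> dict:
    """Return the header fields found in the first 8 KB of a file."""
    text = path.read_text(encoding="utf-8", errors="replace")[:8192]
    return {key: re.sub(r"\s*\*/$", "", value)
            for key, value in HEADER_RE.findall(text)}


def inventory(wp_content: str) -> list:
    """List every plugin and theme with the name and version it declares."""
    root = Path(wp_content)
    items = []
    plugins_dir = root / "plugins"
    if plugins_dir.is_dir():
        for entry in sorted(plugins_dir.iterdir()):
            if entry.is_file() and entry.suffix == ".php":   # single-file plugin
                slug, candidates = entry.stem, [entry]
            elif entry.is_dir():                             # folder plugin
                slug, candidates = entry.name, sorted(entry.glob("*.php"))
            else:
                continue
            header = next((h for h in map(read_header, candidates)
                           if "Plugin Name" in h), {})
            items.append({"type": "plugin", "slug": slug,
                          "name": header.get("Plugin Name"),
                          "version": header.get("Version")})
    themes_dir = root / "themes"
    if themes_dir.is_dir():
        for entry in sorted(p for p in themes_dir.iterdir() if p.is_dir()):
            style = entry / "style.css"
            header = read_header(style) if style.is_file() else {}
            items.append({"type": "theme", "slug": entry.name,
                          "name": header.get("Theme Name"),
                          "version": header.get("Version")})
    return items


def version_tuple(version: str) -> tuple:
    """'1.7.2' -> (1, 7, 2); non-numeric parts are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version or ""))


def find_outdated(items: list, latest: dict) -> list:
    """latest maps slug -> newest known version. Returns (slug, reason) pairs."""
    report = []
    for item in items:
        newest = latest.get(item["slug"])
        if item["version"] is None:
            report.append((item["slug"], "no version header; cannot verify, consider removing"))
        elif newest is None:
            report.append((item["slug"], "not in the known-version list; check where it came from"))
        elif version_tuple(item["version"]) < version_tuple(newest):
            report.append((item["slug"], f"outdated: {item['version']} -> {newest}"))
    return report


def _write(root: Path, rel: str, text: str) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text, encoding="utf-8")


def demo() -> list:
    """Constructed wp-content tree checked against constructed 'latest' numbers."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root, "plugins/hello.php",
               "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n")
        _write(root, "plugins/contact-helper/contact-helper.php",
               "<?php\n/**\n * Plugin Name: Contact Helper\n * Version: 2.0\n */\n")
        _write(root, "plugins/leftover-tool/main.php",
               "<?php\n// constructed: a leftover with no header at all\n")
        _write(root, "themes/twentytwentyone/style.css",
               "/*\nTheme Name: Twenty Twenty-One\nVersion: 1.9\n*/\n")
        latest = {"hello": "1.7.2", "contact-helper": "2.3", "twentytwentyone": "2.1"}
        return find_outdated(inventory(tmp), latest)


if __name__ == "__main__":
    for slug, reason in demo():
        print(f"{slug}: {reason}")
```

Run inventory() against your real wp-content folder to get the list; anything reported with no version header or missing from your known list is a candidate for the “unneeded plugins and themes” cleanup mentioned earlier, since you cannot tell whether it is current.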
Those are just a few suggestions. I would also be sure you are creating backups of your site, just in case you need to restore your website. If you are running multiple WordPress sites, I would suggest running http://infinitewp.com/, which will help you keep your sites up to date.