In our previous post, we described various techniques used to attack WordPress-based sites. In this post, we’ll give some examples of what happens after the vulnerabilities have been exploited to hack into a website. The purpose is to continue to reiterate the lessons that blogs such as ours (see here, here and here) provide to alert the medical industry, specifically, and business, in general, to security issues that can lead to breaches and loss of business, reputation, and income.
It is worth recalling that WordPress is the world’s most popular content management system (CMS) powering ~60% of websites worldwide (that are known to use a CMS), and ~29% of all web sites. While it is hard to find the statistics on how many websites related to the medical industry use WordPress, it is likely that these could well be a substantial percentage of the total given the ease of setup and use associated with WordPress. The fact that many of these are smaller sites, often without much IT support (much less security support) makes them all the more vulnerable. This makes education about the security aspects of WordPress all the more necessary.
Despite the valiant efforts of the WordPress organization, vulnerabilities continue to exist and most exploits take advantage of the simplest techniques – infrequent updates of critical software, poor web site hygiene (easily broken passwords, retaining default options, turning off auto updates, etc.) and the use of vulnerable WordPress plugins and themes. (Hereafter, we also include plugins and themes when we talk of WordPress vulnerabilities, unless we need to specifically distinguish between these.) Sucuri.net, a website security company, noted that of the 11,485 infected websites that they analyzed in 1Q2016, 78% of these were built on WordPress of which ~56% were out-of-date (i.e., not running the latest version). The vulnerabilities were primarily in the plugins and themes.
Read the rest of this post »