The FBI has warned WordPress users that their sites are at significant risk of being hacked and has urged them to patch their plugins. The warning was issued after many private and government websites were hacked in several countries, including the US and European nations.
The attackers are believed to be linked to terrorist organizations such as ISIS, as the defaced websites displayed images supporting them. The FBI's statement reads: “Continuous Website defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS).” It added that all WordPress sites face a significant threat of being hacked, since the security measures on WordPress websites are not sufficient to completely prevent it.
No particular niche of WordPress sites is being targeted; instead the attackers exploit plugin vulnerabilities to take control of a site, which the FBI describes as the most common method, the flaws being “easily exploited by commonly available hacking tools.”
ISIL DEFACEMENTS EXPLOITING WORDPRESS VULNERABILITIES
The FBI recommended that users keep their websites updated and avoid outdated third-party plugins. It did not name specific plugins but said that they are the root cause of many such incidents.
Some of the most frequently exploited plugins, according to Sucuri (a website security provider), are listed below (RevSlider alone accounted for more than 100,000 hacking cases):
1. Slider Revolution Responsive WordPress Plugin
This plugin features tons of unique transition effects, an image preloader, video embedding, autoplay that stops on user interaction and lots of easy to set options to create your effects.
Solutions:
- Patch for Revolution Slider
- RevSlider Vulnerability Leads To Massive WordPress SoakSoak Compromise
- Critical Security Vulnerability Found in WordPress Slider Revolution Plugin, Immediate Update Advised
2. FancyBox for WordPress
Seamlessly integrates FancyBox into your blog: Upload, activate, and you’re done. Additional configuration is optional.
Updates and Solutions:
- Zero-day in the Fancybox-for-WordPress Plugin
3. MailPoet Newsletters
Create newsletters, automated emails, post notifications, and autoresponders. Capture subscribers with our signup widget. Drop your posts, images, social icons in your newsletter. Change fonts and colors on the fly. A simple newsletter solution for WordPress
Solutions:
- Remote File Upload Vulnerability in WordPress MailPoet Plugin (wysija-newsletters)
- MailPoet Vulnerability Exploited in the Wild – Breaking Thousands of WordPress Sites
4. GravityForms
Gravity Forms is also affected by a vulnerability. More details:
- Malware Cleanup to Arbitrary File Upload in Gravity Forms
- Critical Vulnerability Disclosed on WordPress Custom Contact Forms Plugin
5. WP Symposium Pro Social Network plugin
This is the ultimate social network plugin for WordPress. You can create your social network, on your WordPress website.
Examples of major targets hacked by the same group include the US Central Command Twitter feed and French broadcaster TV5Monde's website and Facebook page, which shows the scale these attackers can reach. These threats have also pushed web hosting providers to strengthen their security measures, so be sure to choose a host that provides sufficient protection for its users.
Important Note:
WordPress 4.1.2 was released to fix multiple vulnerabilities, one of which could allow a remote attacker to compromise a site. WordPress 4.1.1 and earlier are affected.
It is highly recommended that you read the WordPress Security Release notes and apply the necessary changes to your WordPress-powered website.
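As an added illustration of the advice above (update core and keep plugins current), the following Python script is not part of the original article and not a Sucuri or WordPress tool. It inventories a WordPress install by parsing wp-includes/version.php and each plugin's header comment block (the same "Plugin Name:" / "Version:" fields WordPress itself reads), then flags anything below a minimum version. The 4.1.2 core threshold comes from the article; the plugin thresholds in MIN_SAFE_PLUGIN_VERSIONS are placeholders, not the real fixed versions, and the sample site the script builds for the demonstration is constructed.

```python
"""Inventory a WordPress install and flag core/plugins below a minimum version.

Added example; assumes the standard WordPress layout (wp-includes/version.php,
wp-content/plugins/<slug>/*.php). Plugin thresholds below are PLACEHOLDERS.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# ASSUMED placeholder thresholds, not the real fixed versions of these plugins.
# Replace them with the versions named in the vendor's advisory.
MIN_SAFE_PLUGIN_VERSIONS: Dict[str, str] = {
    "revslider": "4.2",                  # placeholder
    "fancybox-for-wordpress": "3.0.3",   # placeholder
    "wysija-newsletters": "2.6.8",       # placeholder
    "gravityforms": "1.8.20",            # placeholder
}
# WordPress 4.1.2 is the security release named in the article.
MIN_SAFE_CORE_VERSION = "4.1.2"

# Same header grammar WordPress uses: optional comment decoration, then "Key: value".
_HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.M)
_CORE_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.1.2' -> (4, 1, 2); a '-beta' style suffix is ignored."""
    nums = re.findall(r"\d+", v.split("-")[0])
    return tuple(int(n) for n in nums) or (0,)


def version_lt(a: str, b: str) -> bool:
    """True when a is older than b; short tuples are zero-padded so 4.2 == 4.2.0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def read_plugin_header(php_path: str) -> Optional[Dict[str, str]]:
    """Return the header fields of a plugin main file, or None if it has none."""
    with open(php_path, encoding="utf-8", errors="replace") as f:
        head = f.read(8192)  # WordPress only inspects the first 8 KiB
    fields = {k: v for k, v in _HEADER_RE.findall(head)}
    return fields if "Plugin Name" in fields else None


def installed_plugins(plugins_dir: str) -> Dict[str, str]:
    """Map plugin slug (directory name) -> declared version, 'unknown' if absent."""
    found: Dict[str, str] = {}
    for slug in sorted(os.listdir(plugins_dir)):
        pdir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(pdir):
            continue
        for name in sorted(os.listdir(pdir)):
            if name.endswith(".php"):
                hdr = read_plugin_header(os.path.join(pdir, name))
                if hdr:
                    found[slug] = hdr.get("Version", "unknown")
                    break
    return found


def core_version(wp_root: str) -> Optional[str]:
    """Read $wp_version from wp-includes/version.php, or None if not found."""
    path = os.path.join(wp_root, "wp-includes", "version.php")
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as f:
        m = _CORE_RE.search(f.read())
    return m.group(1) if m else None


def audit(wp_root: str, minimums: Dict[str, str] = MIN_SAFE_PLUGIN_VERSIONS,
          min_core: str = MIN_SAFE_CORE_VERSION) -> List[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    findings: List[str] = []
    core = core_version(wp_root)
    if core is None:
        findings.append("core: version.php not found or unparseable")
    elif version_lt(core, min_core):
        findings.append(f"core {core} < {min_core}: apply the security release")
    for slug, ver in installed_plugins(os.path.join(wp_root, "wp-content", "plugins")).items():
        floor = minimums.get(slug)
        if floor and (ver == "unknown" or version_lt(ver, floor)):
            findings.append(f"plugin {slug} {ver} < {floor}: update or remove")
    return findings


def build_sample_site() -> str:
    """Create a CONSTRUCTED throwaway WordPress-like tree (core 4.1.1, three plugins)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as f:
        f.write("<?php\n$wp_version = '4.1.1';\n")
    samples = {  # slug: (main file, Plugin Name, Version), all constructed
        "revslider": ("revslider.php", "Slider Revolution", "4.1.4"),
        "wysija-newsletters": ("index.php", "MailPoet Newsletters", "2.6.8"),
        "hello-dolly": ("hello.php", "Hello Dolly", "1.6"),
    }
    for slug, (fname, pname, ver) in samples.items():
        d = os.path.join(root, "wp-content", "plugins", slug)
        os.makedirs(d)
        with open(os.path.join(d, fname), "w") as f:
            f.write(f"<?php\n/*\nPlugin Name: {pname}\nVersion: {ver}\n*/\n")
    return root


if __name__ == "__main__":
    for line in audit(build_sample_site()):
        print(line)
```

Run it against a real install by calling audit("/path/to/wordpress") instead of the constructed tree; plugins that are not in the threshold map are listed by installed_plugins but not flagged, so the map has to be kept current with published advisories for the check to mean anything.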