Just spotted an article in Forbes that caught my attention: "Critical 'Backdoor Attack' Warning Issued for 60 Million WordPress Users" (credit Davey Winder, Senior Contributor).
The article highlights an ongoing, escalating hacking campaign targeting WordPress websites. In progress since July, it started out pushing sketchy ads and has evolved into something much more nefarious.
According to Defiant Threat Intelligence, "the campaign has added another script which attempts to install a backdoor into the target site by exploiting an administrator's session." With admin access, the bad guys can basically run wild.
I won't go into the technical minutiae of how this hack is engineered, but here's a link to the Forbes article if you want to read the gory details: Forbes Article
Whether your site is running on WordPress or not, there are several steps you should take now to keep your website as safe and secure as possible:
1) Update your site's software with the latest patches, including updates for any plugins. (Side note: WordPress claims over 50,000 plugins are available. However, many of them are old and may no longer be supported or patched, which is why most WordPress vulnerabilities are related to plugins.)
2) Use a web application firewall; it will help block attacks such as cross-site scripting before they reach your site.
3) Set up two-factor authentication for your admin access. (We suggest two-factor authentication for all of your logins but especially for admin access.)
4) Stay alert to new threats; the bad guys never sleep.
If you think it's only the big name websites that are at risk, the Forbes article made a very important point: "Don't think that just because you are a little fish in a big pond that the cybercrime sharks won't bite you; they will. Criminals are always probing sites for ways to compromise them, either to use for serving malicious adverts, redirecting to other malicious websites or to get a foothold that can be leveraged as part of a bigger attack plan."
We couldn't have said it better.