FBI Issues WordPress Warning, Sites Are Vulnerable to Hacker Attacks

The FBI has urged WordPress users to patch plugins for the popular content management system as early as possible to avoid getting hacked or defaced.

The warning follows a series of defacements in March that affected several websites on a global scale. A majority of the hacked sites were from Europe and America, and ranged from government to community websites without any specific target group. Defaced websites were usually covered with images supporting the extremist group known as ISIS or ISIL, and the hackers claimed to be linked to the extremist group.

According to the FBI, all WordPress sites are vulnerable to these or any other hack attacks. The notice published by the FBI stated “Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS).”

The hackers are employing unsophisticated methods to exploit website vulnerabilities. The FBI states that the attackers are not members of the extremist group but ISIS sympathizers, and that some of the hackers are using the ISIS name to gain notoriety that would have been difficult to achieve with hacks of this level.

The websites under attack did not share a similar name or business type. The only common link among the victims was that the websites ran WordPress plugins with vulnerabilities that, according to the FBI, are “easily exploited by commonly available hacking tools”. The vulnerabilities could allow any hacker to take control of the system.

WordPress plugins are the root cause for most security incidents so ensure that you’re up to date

For security reasons, the FBI did not name the plugins that were vulnerable to attack, but mentioned that patch updates were available for the identified vulnerabilities. Outdated third-party plugins are a common vulnerability allowing hackers to take control of WordPress websites, and there is no better time than now to take all possible safety precautions against hack attacks and replace those plugins.

According to the security firm Sucuri, commonly exploited plugins are:

  • RevSlider
  • GravityForms
  • FancyBox
  • WP Symposium
  • MailPoet

RevSlider alone was the cause of over 100,000 attacks last year and resulted in Google blacklisting over 10,000 websites.

The website and Facebook page of French television network TV5Monde, which broadcasts in over 200 countries, were hacked recently, halting operations for quite some time. In January, ISIS allegedly hacked the US Central Command Twitter feed. It is therefore prudent for WordPress site owners to patch their plugins as soon as possible to reduce the possibility of hacks or defacements.

He is the Editor at ProPakistani.

  • It's better to enable auto update of WordPress plugins from the auto installer called Softaculous (available inside cPanel)