WordPress hacked by SA3D and how to prevent it

In recent months, you may have seen the message on the left around the web. What happened? Newer versions of WordPress include a REST API, which offers many powerful new features and integrations.

Unfortunately, serious security threats were identified in it, and many WordPress administrators were slow to respond to the security alerts. Google still shows 236 000+ results worldwide and 900+ hacked results with a .fi domain — the world's most secure domain, home to many tech companies. A quick update of the WordPress core would have prevented this attack.

The popularity of WordPress (1/3 of the top million sites) makes a difference. Even worse, the minimalist approach of WordPress makes it rely heavily on (often free) plugins of varying quality. Each plugin adds to the attack surface, and some plugins have historically had serious problems (for example, a banner slider allowed logging in as an administrator).

Web security requires attention. Luckily, it is not too complex.

Basic security practices go a long way. Have a strong password. Do not use usernames such as “Admin” or the website or company name. Run the system with the least privileges needed. Update regularly (or automatically) and immediately on all major security alerts. Set up another site for testing new plugins and themes. Have a separate database and database user for each site. And so on…

Define responsibility for maintenance. Who is responsible for reviewing security alerts? Who is responsible for sharing security information within the organization? Who does the technical updates required? A first line of defence can be to delegate the first response to cloud-based firewall companies, which have up-to-date security information from millions of sites and can block many threats.

Planning and testing recovery is important, as any plugin may prevent the site from loading, in addition to the security threats (by default, all plugins are loaded on every page load). There are many good free backup plugins for WordPress which can automatically back up to Dropbox or Google Drive. Cloud platforms, like Microsoft Azure, can also make recovery fast and easy (just remember to enable backups).

Include clean-up planning in recovery — what happens when you suspect your site security has been compromised? Changing passwords, checking usernames, verifying files and databases, etc. Remember to test recovery, so that the first time you do it is not when you actually need it.
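One way to put the “verifying files” step into practice, as an added example that is not from the original post: hash every file in the live WordPress tree and compare it with a baseline snapshot taken from a clean copy of the same core version (or from a backup made before the alert). The baseline dictionary and the sample directory layout below are assumptions for the demo.

```python
"""Compare a WordPress tree against a known-good baseline (added example).
Assumptions: the baseline is a {relative_path: sha256} dict built from a
clean copy of the same core version or a backup taken before the alert."""
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Report edited core files, files not in the baseline, and deleted files."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo() -> dict:
    """Constructed sample: a clean copy and a live copy with two tampered spots."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-includes" / "version.php").write_text("<?php $wp_version = 'X.Y.Z';\n")
            (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        baseline = snapshot(clean)
        # live copy drifts: a core file was edited and an unknown file appeared
        (live / "index.php").write_text("<?php /* edited */ require 'wp-blog-header.php';\n")
        (live / "wp-content").mkdir()
        (live / "wp-content" / "unknown.php").write_text("<?php // not in baseline\n")
        return compare(baseline, snapshot(live))

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Anything listed under “added” or “modified” inside the core directories is what to inspect first; uploads and cache directories change legitimately and are best excluded from the baseline.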

Follow the security alerts of your hosting provider, your server OS vendors and the web platforms you are using. WordPress alerts are published on their blog. Here in Finland we have one of the best national communications authorities, which does a great job of identifying major threats: https://www.viestintavirasto.fi/en/

Do security testing during building and updates. You can also test outside of development sprints, but you may then have limited options to detect and fix issues. A free, general testing tool is OWASP ZAP — you can also check our YouTube channel for a quick getting-started guide.

Use automated monitoring. Sign up to Google Search Console to get Google’s alerts on issues with your site. Consider using commercial automated monitoring tools, such as Pingdom.

Optional & recommended: Use a web partner with a certified security process :) One such web development company comes to mind with the name Kwork Innovations. A good partner will make sure the website is built and audited properly, will advise on further development, will ensure the hosting environment is set up properly and will respond to security alerts.

Security is one of the (many digitalization related) things near my heart. Chat, tweet, email or call — antti@kwork.me +358 44 323 7002

Kwork Innovations was the first to receive the Secure Software Development Process certification from the Finnish Software Industry, at the annual meeting of Technology Industry and Software Industry — Digi Date — on 29th September 2016.
