ISIS Hacked My Website

Cary, NC — A wave of malware has washed over the web, affecting small business, media properties, government and industry. Now, the FBI says they know who is behind it: ISIS.

ISIS Hackers?

In fact, ISIS has a hacking brigade. But, like the self-proclaimed Islamic State itself, most of its efforts are directed a regional targets in the Middle East.

However, lots of hackers around the world are suddenly claiming affiliation with ISIS.

Back in January, a group calling itself the CyberCaliphate and claiming association with ISIS took over the social media accounts of CENTCOM, the U.S. Central Command, as reported by Engadget. Very embarrassing.

Just yesterday, the same CyberCaliphate, also known as the Islamic State Hacking Division, took credit from hacking French broadcaster TV5Monde. This was a big hack that brought down 11 TV stations, some for almost 24 hours.

Story: French TV Network Hacked By Group Claiming Allegiance To ISIS

pro-isis-hackers-hack-french-tv-station-broadcast-website-facebook

ISIS WordPress Hack

ISIS has also been mentioned in a wave of WordPress attacks. The FBI issued a warning for publishers of WordPress websites:

Sucuri: FBI Public Service Announcement, WordPress Vulnerabilities

Secure Your Websites!

Whether this is a grand plot by some hard-pressed jihadists in Syria or just a wave of copycats, the surge in malware is undeniable. Take steps to clean and protect your website, because you might well be already infected.

1. Use Strong passwords – 12 characters or more. Use a password generator and password keeper app for convenience and security. We use 27 character passwords on some of our sites. We use LastPass.

2. Make Frequent Backups – This is a prudent recovery strategy in case the hack is so bad you can’t get into the back end. Or in case you mess up during remediation 😉 For WordPress, we use BackupBuddy.

3. Scan for Malware – Free and paid services exist to regularly scan your website for changes to files and known malware contaminations. Sucuri Site Check is a good place to start. For WordPress, we like Anti-Malware by Eli as well as WordFence.

4. Update Everything – Many hacks take advantage of vulnerabilities in older versions of software. Whether you use Nginx on a server of RevSlider on a website, older versions of everything have been hacked. Keep software and plugins up-to-date and stay safe.

WordPress Site Hardening Tips

If you have a WordPress website and think you’ve been hacked, here are some steps you can take in addition to the 4 steps up above.

  • 404 Detection – Set a threshold for visitors hitting lots of non-existent pages, i.e. 20 in 5 minutes = lockout
  • Ban IPs on HackRepair.com’s Blacklist – Database of known IPs used for malware
  • Brute Force Protection – Blunts hackers from trying unlimited numbers of passwords
  • Enable File Change Detection
  • Hide WordPress backend – Change crucial login files to a prefix other than “wp-“
  • Disable Directory Browsing – Stops visitors from browsing a directory where no index is present
  • Filter Long URLs – Long URLs can hide spammy commands
  • Disable PHP in Uploads – Upload directories are, by nature, writable. But usually we want pictures or media files, not PHP.

——————————————————————————————————

Hal Goodtree is a WordPress publisher and a Fellow at TechnologyTank.

1 reply
  1. Robert Campbell
    Robert Campbell says:

    I read a story that showed one of the BIGGEST problems with passwords: writing them down.
    During a broadcast on the French TV station, in the background, was a paper listing all the passwords to their Facebook, Youtube and other social media sites. (See: http://cdn.arstechnica.net/wp-content/uploads/2015/04/Screen-Shot-2015-04-09-at-6.08.36-PM-640×362.png). Story link: http://arstechnica.com/security/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/

    Second, patterns and easy passwords: The second thing that was quickly observed was that the TV station used a password pattern – their YouTube password translated to: thisisthepasswordofyoutube — a long password for sure, but not secure in the slightest. What do you want to bet that their Facebook password was: thisisthepasswordtofacebook???

    This is tough stuff – and you’ll need the assistance of something like Lastpass or 1password (https://agilebits.com/onepassword). If nothing else, read this entertaining XCKD cartoon for some great advice:
    https://xkcd.com/936/ – you’ve been trained to think up passwords that are easy for computers to guess 🙂

Comments are closed.