The Bloody Website Defacement Battle: “ISIS” Hackers vs. WordPress


Dan Ennis CEO


Police and FBI are investigating defacement attacks on numerous North American websites in which attackers placed an ISIS flag banner on website home pages and played an Arabic song in the background, as reported by NBC News.

The sites appear to have one thing in common: they are all built on the WordPress content management platform.

WordPress is by far the most popular CMS. As of February 2015 over 23% of the websites in the world are built on WordPress. WordPress is an Open Source platform that offers thousands of third-party plugins, causing it to be extremely vulnerable, with hundreds of thousands of web-based attacks executed every year.

In 2014 a bug in MailPoet, a WordPress email plugin, resulted in 50,000 sites being hacked by injecting a PHP backdoor.  SoakSoak, one of the most publicized WordPress attacks in 2014, took advantage of a bug in a popular slider plugin and as a result over 100,000 sites were hacked. More recently, Slimstat, an analytics plugin, was found to be vulnerable to attacks exposing over 1M WordPress websites.

According to NBC, the alleged ISIS attacks were made by mainstream hackers who used the ISIS names to gain attention. They executed a defacement attack, in which hackers change the appearance of a web page. Defacement is executed via a Web-based attack such as a SQL injection, that allows the attacker to execute commands on the server or database in order to changes the site’s appearance.  Attackers may also execute second order Cross Site Scripting (XSS), which would “fool” the Web Server to fetch content from the attacker server replacing the original content, thereby changing the page’s appearance. Trojan inside the network may execute defacement by identifying Web servers on the network and attempting to override files on servers. Trojans can be introduced, for example, by an employee distributing them from am infected flash drive.

The DRCC Defacement notice on Twitter


Eliminating Defacement in WordPress sites

Eliminating defacement attacks on a WordPress site is extremely difficult because of the vulnerable nature of the platform. Administrators should continuously check for the appearance of unknown files and directories and monitor them for changes.

Patching: the most conventional and straightforward approach is patching. WordPress and its plugin providers issue patches that fix security bugs once they’re discovered. Security administrators and website administrators should keep WordPress and its plugins always updated to the latest versions.

However, patching does not guarantee security because it cannot protect against zero-day attacks. Both SoakSoak and the MailPoet attacks are undocumented, zero-day exploits. These vulnerabilities were unknown prior to the event, and the plugin providers were obviously not prepared with a patch. Once a zero-day vulnerability is discovered, security managers and website owners are exposed to attacks until a patch is, hopefully, provided.

Read-only Web Server account: Web administrators can reduce the risk of defacement by limiting the web server account to read-only permissions.

Using Security Solutions

Using best practices may eliminate SQL injections, but they will not prevent other exploits such as unhardened web servers allowing hackers to access WordPress administrator permissions.

Security solutions offer the most comprehensive and advanced options for eliminating zero-day defacement attack. They monitor web pages for changes and generate alerts at any sign of potential defacement. Some of their features are:

Color Persistence Monitoring:  the security solution would generate a color stamp for the page and monitor it. Unexpected changes may be a sign of defacement and will be alerted. However, the color test is unlikely to detect banner insertion, as in the defacement of the DRCC site hack.

DOM Inspection: inspecting the document object model (DOM) before serving a page to a user will reveal changes to page structure indicating defacement.

Digital Signing and Monitoring of Web Pages: Advanced Web Application security solutions scan the site and generate a comprehensive digital signature based on multiple properties such as resource structure, amount external resource count, number of scripts on the page and additional information combined to validate page authenticity. Any unplanned changes will immediately be alerted.

Auto-protection: advanced defacement protection will not only alert but revert to a valid version of the site or, even better, will serve a secure, cloud-based version of the site that cannot be altered at all and completely eliminates defacement.

Avoiding False Positives: avoiding false positives is a key consideration when evaluating defacement mitigation solutions as valid changes to the website may trigger alerts or can be blocked. To avoid false positives, solutions must combine multiple measure of defacement identification and mitigation out of the list above.

How does your organization deal with WordPress vulnerabilities?