WordPress hacked by SA3D and how to prevent it

In the first half of 2017, you may have seen the message "hacked by SA3D" around the web. What happened? Newer versions of WordPress include the REST API, which offers many powerful new features and integrations. Unfortunately, serious security vulnerabilities were identified in this feature, and many WordPress administrators were slow to respond to the security alerts. Google showed 236 000+ results worldwide and 900+ hacked results under the .fi domain (the world's most secure domain), including many tech companies. A quick update to WordPress core would have prevented this attack; it is as easy as pressing Update WordPress on the dashboard.

The popularity of WordPress (1/3 of the top million sites) makes it a worthwhile target. Even worse, the minimalist approach of WordPress makes it rely heavily on (often free) plugins of varying quality. Each plugin adds attack surface, and some plugins have historically had serious problems (for example, a banner slider allowed logging in as an administrator).
Web security requires attention. Luckily, it is not too complex.

Basic security practices go a long way. Use a strong password. Do not use usernames such as "Admin", the website name or the company name. Run the system with the least privileges needed. Update regularly (or automatically) and immediately on all major security alerts. Set up a separate site for testing new plugins and themes. Have a separate database and database user for each site. And so on…

Define responsibility for maintenance. Who is responsible for reviewing security alerts? Who is responsible for sharing security information within the organization? Who does the required technical updates? As first aid, you can delegate the first response to cloud-based firewall companies, which have up-to-date threat information from millions of sites and can block many attacks.

Planning and testing recovery is important, because any plugin can stop the site from loading, not only the security threats (by default, all plugins are loaded on every page load). There are many good free backup plugins for WordPress which can automatically back up to Dropbox or Google Drive. Cloud platforms, like Microsoft Azure, can also make recovery fast and easy (just remember to enable backups).
Include cleanup planning in recovery: what happens when you suspect your site has been compromised? Changing passwords, checking usernames, verifying files and databases, etc. Test recovery in advance, so that the first time you run it is not when you actually need it.
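One concrete form of the "verifying files" step, as an added example that is not the post's own code: hash every file in the site tree against a baseline manifest taken right after a clean install or update, report what was modified, added or removed since, and flag any PHP file inside wp-content/uploads, a directory that should only hold media. The fake site tree, file names and contents below are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_to_baseline(baseline, current):
    """Classify every difference between the trusted baseline and the live tree."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def php_in_uploads(manifest):
    """Uploads should contain media only; PHP there is a strong indicator of compromise."""
    php_suffixes = (".php", ".phtml", ".php5")
    return sorted(p for p in manifest
                  if p.startswith("wp-content/uploads/") and p.lower().endswith(php_suffixes))


def demo():
    """Constructed scenario: clean baseline, then two simulated changes, then the report."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-includes").mkdir()
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x.y.z';\n")
        (site / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline = hash_tree(site)  # store this manifest off-site after every clean update
        # Simulated tampering (constructed): a core file altered, a PHP file dropped in uploads.
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x.y.z'; // altered\n")
        (site / "wp-content" / "uploads" / "cache.php").write_text("<?php // unexpected file\n")
        report = compare_to_baseline(baseline, hash_tree(site))
        report["php_in_uploads"] = php_in_uploads(hash_tree(site))
        return report


if __name__ == "__main__":
    print(demo())
```

In practice, take the baseline from the same WordPress release as the live site and keep it outside the web root, so a compromised site cannot rewrite its own reference.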

Follow the security alerts of your hosting provider, server OS vendors and the web platforms you are using. WordPress alerts are published on the WordPress blog. Here in Finland, we have one of the best national communications authorities, which does a great job of identifying major threats: https://www.viestintavirasto.fi/en/

Do security testing during building and updates. You can also test outside of development sprints, but then you may have limited options to detect and fix issues. A free, general-purpose testing tool is OWASP ZAP; you can also check our YouTube channel for a quick getting-started guide.

Use automated monitoring. Sign up for Google Search Console to get Google's alerts about issues on your site. Consider using commercial automated monitoring tools, such as Pingdom.

Optional & recommended: use a web partner with a certified security process 🙂 One such web development company that comes to mind is Kwork Innovations. A good partner will make sure the website is built and audited properly, will advise on further development, will ensure the hosting environment is set up properly and will respond to security alerts.