Patched Vulnerability In Easy WP SMTP Plugin

Tuesday morning (6/19/2019) our team detected a few instances where administrator-level users were being added to WordPress installs without proper permissions. In every case we knew the moment this happened and rectified the situation immediately, before any serious damage was done. In a few cases we had to do a bit of cleaning, as the culprits were redirecting the URLs to a ‘get my free site’ domain.

Thankfully, we were able to detect and stop the attack very quickly and ensure that any intruders were prevented further access.

After the attack was over we diagnosed that 5 of our clients had unauthorized access from the attack. We immediately reset the passwords for these accounts, locking out any intruders, and emailed the affected account holders with all the relevant information. If you have not heard from us, chances are you were not affected at all.

Our preliminary investigation shows that a critical vulnerability in a plugin allowed the attack. That plugin received an immediate security update and has been deemed safe by the WordPress community. This was not a localized incident: tens of thousands of sites were affected over the past few days across the web.

It’s important to point out that at Dojo Digital none of our managed websites are hosted alongside email or payment gateways. Security is our highest priority and we’ve never allowed those services to live on the same server.

Our team did an excellent job detecting, addressing, and mitigating this particular attack. We will continue to monitor and fight any future attacks.

However, if a hacker gets hold of your username and password, there are limits to how effective this protection can be. Protecting yourself against attacks like this is important. Take the time to learn the basics, and take the steps outlined below to limit your risk:

1. Never use the same passwords across services.

Data breaches have become a constant in our modern lives, and if you use the same password across multiple accounts, there’s a good chance it’s out there on the dark web.

Once a password has been compromised, hackers can access any of your other accounts that use it, and you don’t always know when you’ve been compromised.

2. Use a breach notification service

You can find out if your data has been compromised in any major breaches by entering your email addresses into a service like haveibeenpwned.com.

3. Use a password manager

Protect yourself by using a password manager like LastPass or 1Password to ensure you’re using different, secure passwords on every service you use. We’ve used LastPass for years and we love it!

4. Delete unnecessary admins from your sites.

Often, there are leftover administrators that simply don’t need elevated access after certain tasks have been carried out. These accounts should be removed or at least have their privileges de-elevated right away.

Please leave the accounts with @dojodigital.com emails though, as we are your ninja support champions!
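One way to make this review routine is to compare the site’s administrator list against a short allowlist of accounts you actually expect, keeping the managed-hosting support accounts, and to flag the rest, with recently created admins at the top since an admin account that appeared in the last few days is exactly what this incident looked like. The script below is an added example, not Dojo Digital’s code or part of any plugin; the input is shaped like the JSON that `wp user list --role=administrator --format=json` produces, but the records, the `EXPECTED_ADMINS` allowlist and the `DEFAULT_NOW` timestamp are constructed for illustration and would be replaced with your own site’s data.

```python
"""Audit WordPress administrator accounts against an allowlist.

Added example (not Dojo Digital's code): flags administrator accounts that
are not expected so they can be reviewed and removed or de-elevated. The
input mirrors the shape of `wp user list --role=administrator --format=json`;
the sample records below are constructed for illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed sample, shaped like WP-CLI's JSON user listing.
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "owner", "user_email": "owner@example.com",
     "user_registered": "2017-03-02 10:15:00", "roles": "administrator"},
    {"ID": 7, "user_login": "support", "user_email": "support@dojodigital.com",
     "user_registered": "2018-01-10 09:00:00", "roles": "administrator"},
    {"ID": 12, "user_login": "contractor", "user_email": "dev@example.org",
     "user_registered": "2018-11-20 14:30:00", "roles": "administrator"},
    {"ID": 31, "user_login": "wpadmin1", "user_email": "x@mail.invalid",
     "user_registered": "2019-06-18 03:41:12", "roles": "administrator"},
])

# Hypothetical allowlist: logins the site owner knows should hold admin rights.
EXPECTED_ADMINS = {"owner"}
# Email domains of the managed-hosting support team to keep (as the post asks).
TRUSTED_DOMAINS = {"dojodigital.com"}
# Constructed "current time" so the example is reproducible offline.
DEFAULT_NOW = datetime(2019, 6, 19, 9, 0, 0)


def audit_admins(users_json, expected_logins, trusted_domains, now, recent_days=7):
    """Return findings for administrator accounts that need review.

    Each finding carries the user's ID, login and email, plus a 'recent' flag
    set when the account was registered within `recent_days` of `now`; a new,
    unexpected admin is the strongest signal and is sorted to the front.
    """
    findings = []
    cutoff = now - timedelta(days=recent_days)
    for user in json.loads(users_json):
        # WP-CLI lists multiple roles as a comma-separated string.
        roles = {r.strip() for r in user["roles"].split(",")}
        if "administrator" not in roles:
            continue
        login = user["user_login"]
        domain = user["user_email"].rsplit("@", 1)[-1].lower()
        if login in expected_logins or domain in trusted_domains:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        findings.append({
            "ID": user["ID"],
            "login": login,
            "email": user["user_email"],
            "recent": registered >= cutoff,
            "reason": "unexpected administrator account",
        })
    # Recently created accounts first, then by ID.
    findings.sort(key=lambda f: (not f["recent"], f["ID"]))
    return findings


def unexpected_logins(users_json=SAMPLE_USERS_JSON, now=DEFAULT_NOW):
    """Logins flagged by the audit, most suspicious first."""
    return [f["login"] for f in audit_admins(users_json, EXPECTED_ADMINS, TRUSTED_DOMAINS, now)]


if __name__ == "__main__":
    for finding in audit_admins(SAMPLE_USERS_JSON, EXPECTED_ADMINS, TRUSTED_DOMAINS, DEFAULT_NOW):
        tag = "RECENT " if finding["recent"] else ""
        print(f"{tag}ID {finding['ID']} {finding['login']} <{finding['email']}>: {finding['reason']}")
```

On the sample data the script flags `wpadmin1` (created the night before the constructed audit date) ahead of the long-standing `contractor` account, while `owner` and the support account are left alone. Once an account has been confirmed as unnecessary, WP-CLI’s `wp user delete <id> --reassign=<other-id>` removes it while reassigning its posts, which is safer than deleting content along with the user.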

5. Turn on two-factor authentication (2FA) wherever you can!

Most services that deal with sensitive information offer 2FA these days. It’s especially important that you enable this for critical services like your email. Likewise, we offer this premium service for your Managed WordPress installs. CLICK HERE and we’ll turn on two-factor authentication for websites you host with us.

Regards,
The team at Dojo Digital