When the business discussion turns to website security, participants most often hold one of two perspectives: either "it's a priority" or "it’s never gonna happen to me". Too often, the latter mindset is driven by the following argument:
"Cyber-attackers only target large, global corporations or famous websites. I’m only a small website; I have nothing to worry about. There is no way I’m ever going to be hacked."
These statements, either alone or in conjunction, couldn’t be farther from the truth.
Every Website is a Potential Target For Cyber-Attacks
Sucuri’s website security analysis performed throughout 2019 revealed that, in a growing number of instances, cyber-attackers are leveraging known vulnerabilities in software applications and extensible components, such as website plugins and themes. Once initiated, these cyber-attacks are massive, automated campaigns that exploit vulnerabilities regardless of whether the targeted website is big or small.
What Are Extensible Components?
Extensibility is a software engineering and systems design principle that allows software to accommodate future growth. Because most software systems are long-lived and are expected to be modified to introduce new features and functionality, extensible components enable developers to expand or add to the software’s capabilities. This could include defining new abilities, new data types, and new formatting markup tags.
Among the primary infection vectors are vulnerable third-party extensible components and software defects. These are often targeted because of improper implementations of the update_option() function. According to the cyber-security experts at Sucuri, stored cross-site scripting attacks and login administration bypasses are the most common vulnerabilities exploited through this attack vector.
Cross-site Scripting Attacks
In a Cross-site Scripting (XSS) code injection attack, the attacker's objective is to execute malicious scripts in the web browser of a victim by injecting malicious code into a legitimate web page or web application. The web page or web application unwittingly becomes the vehicle that delivers the malicious script to the victim’s browser.
Cross-site Scripting may also be used to vandalize a website. In some instances, cyber-attackers will use injected scripts to change the content of web pages or even redirect the visitor’s browser to another web page.
XSS attacks are possible in VBScript, ActiveX, Flash, and CSS.
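The two problems above (an update_option() call that anyone can reach, and a stored value that is later echoed into a page as stored XSS) usually share one root cause: a settings endpoint that skips authorization, request validation and output escaping. The following is an added example written for this post, not code from the original article, from QuickSilk or from Sucuri. It assumes a WordPress plugin and uses WordPress core APIs (current_user_can, check_ajax_referer, sanitize_text_field, update_option, get_option, esc_html, wp_send_json_error/success); the plugin prefix acme_ and the option name acme_banner_text are hypothetical.

```php
<?php
// Added example (not from the original post, QuickSilk or Sucuri).
// Hypothetical plugin that lets an administrator set a footer banner.
// Assumes WordPress core APIs; "acme_" names are made up for illustration.

// --- The defect pattern the post describes ---
// Reachable by anyone (wp_ajax_nopriv_*), no nonce, value stored verbatim:
// the option can be changed without being logged in, and whatever is stored
// is later echoed into the page unescaped (stored XSS).
function acme_save_banner_unchecked() {
    update_option( 'acme_banner_text', $_POST['banner'] );
    wp_send_json_success();
}
// add_action( 'wp_ajax_nopriv_acme_save_banner', 'acme_save_banner_unchecked' ); // defective, left unregistered

// --- Hardened handler ---
function acme_save_banner() {
    // 1. Authorization: only users who may manage settings can write options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'acme_save_banner', 'nonce' );

    // 3. Input validation: accept the single expected field as plain text with a
    //    length cap; reject anything else instead of trying to "clean" it.
    $banner = isset( $_POST['banner'] ) ? sanitize_text_field( wp_unslash( $_POST['banner'] ) ) : '';
    if ( strlen( $banner ) > 200 ) {
        wp_send_json_error( 'banner text too long', 400 );
    }

    // 4. The option key is fixed in code and never taken from the request, so the
    //    endpoint cannot be turned into a generic "set any option" primitive
    //    (the options governing registration and default roles stay out of reach).
    update_option( 'acme_banner_text', $banner );
    wp_send_json_success();
}
// Write endpoints are registered for authenticated users only: no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_acme_save_banner', 'acme_save_banner' );

// --- Output: escape at render time, regardless of what is stored ---
function acme_render_banner() {
    $banner = get_option( 'acme_banner_text', '' );
    // esc_html() encodes <, >, &, and quotes, so a stored payload renders as text.
    echo '<div class="acme-banner">' . esc_html( $banner ) . '</div>';
}
add_action( 'wp_footer', 'acme_render_banner' );
```

The page that submits the form would include a nonce generated with wp_create_nonce( 'acme_save_banner' ) in the nonce field. Input sanitization and output escaping are kept separate on purpose: sanitizing on the way in limits what the option can hold, while esc_html() on the way out guarantees safe rendering even if the option was written by some other code path.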
Login Administration Bypasses
In network security, a bypass is a flaw in a security system that allows an attacker to circumvent security measures to gain access to a system or network. Using SQL injection, cyber-attackers can bypass login authentication completely and gain unfettered access to your website's administrative privileges. Moreover, if the cyber-attacker knows a valid username (learned through information gathering or by simply guessing), it may be possible to log in without a password.
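The login bypass described above works only when user-supplied credentials become part of the SQL text. The following added example, written for this post and not taken from the original article, QuickSilk or Sucuri, shows the defective shape beside a hardened login that uses a parameterised query and verifies the password hash in application code. It assumes PHP's PDO and password_hash()/password_verify(); the table name users, its columns, and the login() function name are hypothetical, and the in-memory SQLite database at the end is constructed so the file runs offline.

```php
<?php
// Added example (not from the original post, QuickSilk or Sucuri).
// Assumes a PDO connection and a hypothetical table users(id, username, password_hash)
// whose password_hash column was produced by password_hash().

// --- The defect pattern the post describes ---
// The credentials are spliced into the SQL string, so the WHERE clause itself is
// under the control of whoever submits the form; any returned row counts as a login.
function login_unchecked( PDO $pdo, string $username, string $password ): bool {
    $sql = "SELECT id FROM users WHERE username = '$username' AND password = '$password'";
    return $pdo->query( $sql )->fetch() !== false;
}

// --- Hardened login: returns the user id on success, null otherwise ---
function login( PDO $pdo, string $username, string $password ): ?int {
    // An empty password is rejected up front: a known username on its own never
    // reaches the database at all.
    if ( $username === '' || $password === '' ) {
        return null;
    }

    // 1. Parameterised query: the SQL text is fixed and the username travels as
    //    bound data, so quote or comment characters in it cannot change the query.
    $stmt = $pdo->prepare( 'SELECT id, password_hash FROM users WHERE username = :u LIMIT 1' );
    $stmt->execute( [ ':u' => $username ] );
    $row = $stmt->fetch( PDO::FETCH_ASSOC );

    // 2. The password is never compared inside SQL. Verify the stored hash in code,
    //    and run password_verify against a dummy hash when the user does not exist
    //    so that unknown and known usernames take the same time.
    static $dummy_hash = null;
    if ( $dummy_hash === null ) {
        $dummy_hash = password_hash( 'dummy-password-for-timing', PASSWORD_DEFAULT ); // constructed
    }
    $ok = password_verify( $password, $row ? $row['password_hash'] : $dummy_hash );

    return ( $row && $ok ) ? (int) $row['id'] : null;
}

// --- Constructed local check (SQLite in memory, runs offline) ---
$pdo = new PDO( 'sqlite::memory:' );
$pdo->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$pdo->exec( 'CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)' );
$ins = $pdo->prepare( 'INSERT INTO users (username, password_hash) VALUES (?, ?)' );
$ins->execute( [ 'admin', password_hash( 'correct horse battery staple', PASSWORD_DEFAULT ) ] );

if ( login( $pdo, 'admin', 'correct horse battery staple' ) !== 1 ) {
    throw new RuntimeException( 'valid credentials should log in as user 1' );
}
if ( login( $pdo, 'admin', 'wrong' ) !== null || login( $pdo, 'admin', '' ) !== null ) {
    throw new RuntimeException( 'wrong or missing password must be rejected' );
}
if ( login( $pdo, "admin' --", 'anything' ) !== null ) {
    throw new RuntimeException( 'quote characters must be treated as part of the username, not as SQL' );
}
echo "hardened login behaves as expected\n";
```

The two properties that close the bypass are independent: prepared statements keep the query structure fixed no matter what the username contains, and moving password verification out of SQL means there is no query whose result could be coerced into "authenticated" without the correct password.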
Mitigating The Growing Threats
As an indication of the growing threat, the Sucuri research team tracked a massive ongoing campaign throughout 2019 that leveraged more than 50 vulnerable plugins, themes, and other extensible components. Exploiting these vulnerabilities allowed the campaign to redirect website visitors to nefarious destinations, such as fake tech support or push notification scams.
To mitigate the risk of automated scripts locating and infecting a website by exploiting known vulnerabilities, it is imperative that website owners keep all website software up to date with the most current security updates. Although this may seem easy enough to do, Sucuri research suggests that this simple security strategy is widely ignored. According to the cyber-security leader, nearly 60% of all content management system (CMS) breaches it investigated in 2019 involved applications that were out of date at the point of infection.
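Knowing that a component is out of date is the first step in patching it, and that check can be automated rather than left to memory. The following is an added example written for this post, not code from the original article, QuickSilk or Sucuri: a small must-use plugin that asks WordPress for pending core, plugin and theme updates once a day and emails the site administrator when anything is out of date. It assumes WordPress core APIs (wp_version_check, wp_update_plugins, wp_update_themes, get_core_updates, get_plugin_updates, get_theme_updates, wp_schedule_event, wp_mail); the acme_ prefix and hook name are hypothetical.

```php
<?php
/**
 * Plugin Name: Acme Update Watch
 * Description: Added example (not from the original post, QuickSilk or Sucuri).
 * Place in wp-content/mu-plugins/ so it loads on every request and cannot be
 * deactivated from the admin UI. Assumes WordPress core APIs; "acme_" names are made up.
 */

// Build one report line per component that has a pending update.
function acme_outdated_report(): array {
    // The update helpers live in admin includes, which are not loaded on cron
    // or front-end requests, so pull them in explicitly.
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/update.php';

    // Refresh the cached update data before reading it.
    wp_version_check();
    wp_update_plugins();
    wp_update_themes();

    $lines = [];

    // Core: get_core_updates() returns false when no data is cached yet.
    $core_updates = get_core_updates();
    if ( is_array( $core_updates ) ) {
        foreach ( $core_updates as $core ) {
            if ( $core->response === 'upgrade' ) {
                $lines[] = sprintf( 'core: %s -> %s', get_bloginfo( 'version' ), $core->current );
            }
        }
    }

    // Plugins: each entry carries the plugin headers plus an ->update object.
    foreach ( get_plugin_updates() as $file => $plugin ) {
        $lines[] = sprintf( 'plugin: %s (%s) %s -> %s',
            $plugin->Name, $file, $plugin->Version, $plugin->update->new_version );
    }

    // Themes: WP_Theme objects with an ->update array.
    foreach ( get_theme_updates() as $slug => $theme ) {
        $lines[] = sprintf( 'theme: %s (%s) %s -> %s',
            $theme->get( 'Name' ), $slug, $theme->get( 'Version' ), $theme->update['new_version'] );
    }

    return $lines;
}

// Cron callback: notify the administrator only when something is out of date.
function acme_update_watch_run() {
    $lines = acme_outdated_report();
    if ( empty( $lines ) ) {
        return;
    }
    wp_mail(
        get_option( 'admin_email' ),
        sprintf( '[%s] %d component(s) have pending updates', get_bloginfo( 'name' ), count( $lines ) ),
        implode( "\n", $lines )
    );
}
add_action( 'acme_update_watch', 'acme_update_watch_run' );

// Schedule the daily check once; WP-Cron fires the hook on later page loads
// (or from system cron if wp-cron.php is invoked that way).
if ( ! wp_next_scheduled( 'acme_update_watch' ) ) {
    wp_schedule_event( time(), 'daily', 'acme_update_watch' );
}
```

The report is deliberately a plain list of name, current version and available version, so it can be pasted into a ticket or compared against the next run; the decision to apply each update still belongs to the site owner, but "I did not know it was out of date" stops being a reason.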
As a security-conscious website owner, you must not become lax or passive in your approach to patching and maintaining core CMS files and extensible components. If you believe this ongoing commitment presents a challenge for you, consider QuickSilk's super-secure content management system.
Sign up today for a FREE 14-day trial and see just how easy a secure CMS can be to use.