It has been reported by Malwarebytes, CyberheistNews and other sources that an unexpectedly large wave of hacking has been hitting thousands of WordPress sites (described as the “Weird WordPress Hack” just to fit in with the Buzzfeed style of headlines). The attacks are described as:
“WordPress sites are injected with huge blobs of rogue code that perform a silent redirection to domains appearing to host ads,” Jérôme Segura, senior security researcher at Malwarebytes, wrote in a blog post published Wednesday. “This is a distraction (and fraud), as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit.”
The Nuclear Exploit Kit, a very sophisticated mechanism for analyzing and interacting with browsers and delivering malware, is used to spread Cryptowall ransomware which, as a website owner, is something you don’t want to be handing out and, as a user of an infected website, something you don’t want to contract.
At this point I need to include the mandatory rules for dealing with ransomware:
- Make sure you have backups
- Make sure that your backups can be restored
- Do not deal with ransomers or pay a ransom
- Report the ransom attempt to the FBI’s Internet Crime Complaint Center (IC3)
- Find out how you got infected then plug the hole
- Update your network security plan
I must note that last year an FBI spokesperson did, in fact, say the following about Cryptowall:
The ransomware is that good... To be honest, we often advise people just to pay the ransom.
This is terrible advice both practically (even if you pay, you may not get your data back) and ethically (paying ransoms encourages more hostage-taking). No, there is no excuse for not being able to restore your files from backups and ignoring the ransom demand. But I digress...
These days WordPress has become very easy to hack because it is open source and therefore extremely well understood, it runs some 30% of all websites, and given the multitude of third-party add-ons (themes, plugins, etc.), making sure that any given installation is hack-proof is very difficult. “Ah!” you may mutter, “surely keeping WordPress and your plugins up to date is the answer?” Well, my friend, you might think so, but it appears that this latest wave of hacking may involve one or more zero-day vulnerabilities. The size and complexity of the WordPress ecosystem make for what is called a large attack surface.
I run a number of WordPress-powered websites and on one of them I recently enabled the notification-by-email feature of a plugin called 404 to 301. This plugin redirects 404 errors generated by requests for non-existent content by changing them to 301, 302 or 307 server-side redirects. I hadn’t bothered with the email notifications because when I tried them for a month a few years ago the plugin didn’t generate any alerts. But when I recently enabled notifications, I was surprised to see waves of requests for all sorts of content that hackers might be looking for, such as /404.php, /wp-content/themes/fonts/fontawesome-webfont.svg?v=4.1.0, and /wp-includes/SimplePie/Net/IPv7.php. All of these are likely potential vulnerabilities, and the requests came mainly from Germany, the Netherlands and Russia, but this particular site is defended by WordFence (which I wrote about a few years ago) and, so far, so good; we’ve remained uncompromised.
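A plugin’s email alerts are one way to notice this kind of probing; the same requests are also in the web server’s access log. The following is an added example, not part of the original post or of the 404 to 301 plugin, that parses constructed combined-format log lines, counts requests for missing content per client and flags any client at or above a threshold; the IP addresses, timestamps and threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" access log format, as written by most WordPress hosts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (not real traffic, IPs are documentation ranges);
# the missing paths are the ones the 404 to 301 plugin reported, plus normal hits.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2015:08:01:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Dec/2015:08:01:12 +0000] "GET /404.php HTTP/1.1" 404 1240 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Dec/2015:08:01:13 +0000] "GET /wp-content/themes/fonts/fontawesome-webfont.svg?v=4.1.0 HTTP/1.1" 404 1240 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Dec/2015:08:01:14 +0000] "GET /wp-includes/SimplePie/Net/IPv7.php HTTP/1.1" 404 1240 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2015:08:02:30 +0000] "GET /about/ HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2015:08:02:31 +0000] "GET /old-post/ HTTP/1.1" 404 1240 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, path, status) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def probe_report(log_text, threshold=3):
    """Count 404s per client IP; clients at or above `threshold` are flagged as probable scanners.

    Returns (flagged, paths): flagged maps IP -> 404 count, paths maps each flagged
    IP -> the missing paths it asked for, in the order seen.
    """
    misses = Counter()
    paths = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed or truncated lines rather than crash
        ip, path, status = parsed
        if status == 404:
            misses[ip] += 1
            paths[ip].append(path)
    flagged = {ip: n for ip, n in misses.items() if n >= threshold}
    return flagged, {ip: paths[ip] for ip in flagged}


if __name__ == "__main__":
    flagged, paths = probe_report(SAMPLE_LOG)
    for ip, n in flagged.items():
        print(f"{ip}: {n} requests for missing content -> {paths[ip]}")
```

A single visitor hitting one stale link stays below the threshold, while a client walking through known plugin and theme paths is reported together with exactly what it asked for.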
By the way, if you’re looking for a backup solution for your WordPress site, consider the UpDraft plugin, which can use a whole range of storage destinations including S3, Dropbox, Google Drive, Rackspace, FTP, SFTP, WebDav, and email, and can back up either manually or automatically. It can also duplicate and migrate sites, and twice since installing UpDraft it has saved my bacon. And for added security you might consider installing Plugin Vulnerabilities, which checks your installed plugins against a list of plugins with known security issues and warns you when new issues appear.
But given the risks of getting hacked, which range from site defacement, through the theft of sensitive data, to becoming a source of malware for your visitors, you have to ask yourself whether you can still afford the time and effort needed to effectively secure your site and, even more importantly, if sensitive data could be exposed, whether you can afford the risk of remediation and possible litigation. Note that cyber-insurance, which sounds like a good hedge against disaster, may not pay out unless you can prove that you have exercised “due care,” something that may be tricky given the issues involved.
So what is the alternative? The answer may be a “flat website”; that is, a site with no database behind it, just a pile of static HTML, CSS and client-side JavaScript, which can be locked down and easily checked for unauthorized modifications. You will still need server-side services for things such as form submission, but using a third-party service such as JotForm or Formstack removes most of the vulnerabilities of running your own backend services.
For WordPress sites you can create a local or otherwise secured version of your site (i.e. not publicly accessible), save it as static HTML files and upload those to your public site. This may or may not work depending on all sorts of factors, but it is definitely worth trying for sites without dynamic content that depends on backend services at runtime (see Creating a static copy of a dynamic website, which discusses the gotchas involved); it will also make your site much faster!
There are also plugins for automatically creating static content from WordPress installations, such as Really Static and Simply Static, which may be useful (I must note that I haven’t tried them, so if you have experience of what works and what doesn’t, please let me know).
I’ve also been looking at a few interesting alternatives that skip the whole WordPress aspect and generate flat content from templates. If you haven’t taken a look at Jekyll and Cactus (the latter is OS X only) and you’re starting a new web project, these are definitely worth considering. For more tool options, check out staticgen, which is a good list of static site generators.
Thoughts? Suggestions? Send me feedback via email or in the comments below, then follow me on Twitter and Facebook.