This week Word-Fence, the leading Web Application Firewall (WAF) for WordPress sites, announced “Millions of WordPress sites hit in wide-ranging attack”
(Barclay Ballard, techradar.com/).
These attacks are targeting a security flaw in the Epslion-Framework used by many WordPress themes. This vulnerability allows hackers to execute a function injection attack on your site.
Function injection attacks allow malicious functions to be executed on your server by submitting them in the query string of a GET request. This can be devastating to any website as this could lead to a total takeover of your server.
While it is nice that Word-Fence scans for these vulnerabilities and alerts us to them, this is usually a reactive response to symptoms on your site. Perhaps you noticed content that should not have been on your site? Or, network calls to a domain you don’t know?
How can one be proactive about these sorts of attacks instead of waiting for them to happen?
The answer is to have multiple security layers on your site. This means not relying on any one layer to keep your site and your data protected. Typically, there are at least three layers of protection for your data.
The first is a firewall to monitor incoming traffic to your site. A Web Application Firewall (WAF) like Word-Fence that sits outside of your application is best for this layer. The second layer should monitor all the tags and content on your site and watch for any unwanted changes and block them before they occur. This is typically handled by special response headers on your site like Content Security Policies (CSP). This layer can be cumbersome to set up as you will have to inventory all the tags and content on your site so that no useful content gets blocked by your security policy. The third layer is typically at the code level where you handle sanitization of any outside input. This would be handled by the developer of your website and can be scanned periodically by full featured scanning software. A list of such software can be found on the OWASP (Open Web Application Security Project) website here: https://owasp.org/www-community/Vulnerability_Scanning_Tools.
Why do WordPress websites seem to be targets for these types of attacks?
Most WordPress sites are owned by non-technical people who depend on engineers to make user friendly software to handle the ins and outs of their site. They do not have the technical knowhow to know the need for a Web Application Firewall (WAF), Content Security Policy (CSP), or code scanner. Much less to know how to set them up. That is where plugins like Word-Fence, and Blue Triangle’s SeaSP Content Security Policy Manger come into play.
Word-Fence allows users to easily set up a basic WAF to protect their site from incoming malicious traffic and does periodic scans of their code. Blue Triangle’s SeaSP plugin automates the cumbersome task of inventorying your sites tags and content helping you generate a domain level CSP that protects your site from Cross Site Scripting (XSS) and data injection attacks like the one that Word-Fence reported this week.
What can I do to protect my site today?
The easiest thing to implement on your site today is a domain level Content Security Policy by Blue Triangle by using their SeaSP plugin which can be found on WordPress.org here: https://wordpress.org/plugins/sea-sp-community-edition/
