WordPress & Joomla! in the bull’s eye
If you run your own website (as opposed to one hosted on Blogger or another free service), chances are it is powered by one of the two most common Content Management Systems (CMS) on the planet: WordPress and Joomla!.
There are very active campaigns making the rounds right now targeting these two platforms. A botnet comprised of nearly 25,000 infected computers is attacking login pages by performing ‘brute-force attacks’.
The Fort Disco botnet tries tens of thousands of username/password combinations until a match is found. Once logged in, the bad guys use your website to host phishing, spam or even malware.
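An added example, not part of the original article: because the guesses come from thousands of different machines, a per-address limit rarely trips, so this script counts login POSTs per CMS across all sources in a web server access log. The login paths are the stock defaults, and the log lines and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Stock login endpoints (assumption: default WordPress and Joomla! installs).
LOGIN_PATHS = {"/wp-login.php": "WordPress", "/administrator/index.php": "Joomla!"}

# Apache/Nginx "combined" format: ip - user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def summarize_login_posts(lines):
    """Return {cms: Counter({source_ip: login_posts})} for the login pages."""
    stats = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # only form submissions are password attempts
        cms = LOGIN_PATHS.get(m["path"].split("?", 1)[0])
        if cms:
            stats[cms][m["ip"]] += 1
    return dict(stats)

def flag_distributed(stats, min_posts=5, min_ips=4):
    """Flag a CMS whose login page gets many POSTs spread over many sources."""
    return sorted(cms for cms, per_ip in stats.items()
                  if sum(per_ip.values()) >= min_posts and len(per_ip) >= min_ips)

# Constructed sample: seven WordPress login POSTs from six sources (no source
# sends more than two), one Joomla! admin login, and one plain page view.
SAMPLE_LOG = [
    f'{ip} - - [12/Aug/2013:10:00:{i:02d} +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"'
    for i, ip in enumerate(["192.0.2.10", "192.0.2.11", "198.51.100.7",
                            "198.51.100.8", "203.0.113.5", "203.0.113.6",
                            "192.0.2.10"])
] + [
    '203.0.113.50 - - [12/Aug/2013:10:01:00 +0000] '
    '"POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '203.0.113.51 - - [12/Aug/2013:10:01:05 +0000] '
    '"GET /wp-login.php HTTP/1.1" 200 2800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    stats = summarize_login_posts(SAMPLE_LOG)
    for cms, per_ip in stats.items():
        print(cms, "posts:", sum(per_ip.values()), "sources:", len(per_ip))
    print("distributed login activity:", flag_distributed(stats))
```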
At the same time, a critical security flaw has been discovered in Joomla! where an attacker could easily upload a backdoor by simply adding a ‘.’ at the end of the file name.
Just like Microsoft Windows for your computer, your website’s software needs to be updated on a regular basis to patch security vulnerabilities.
For WordPress users, log in to your site and check the version number on the Dashboard:
Checking your WordPress version
The latest version is posted on wordpress.org and currently is 3.6.
For Joomla!, the version can be found either in the top right corner or by going to Administration > Site > System Information.
Checking your Joomla! version
Because Joomla! has different development branches, things are a little more complicated when it comes to updates/upgrades. Version 1.5 X (which is no longer supported) still has a large user base, but updating to the newer 2.5 X or 3 X is not a walk in the park.
In fact, migrating your website to the newer version requires a lot of work that involves dumping the entire database and re-importing all the content, mostly by hand.
The majority of web hosting providers will not update your CMS for many reasons. It is time consuming (meaning it costs money) and it is risky (upgrading can break your site). After all, if you spend less than $10 a month for hosting, you can’t really expect your provider to do much at all.
Owning a website comes with responsibilities and unless you’re prepared to do all the work yourself, I recommend that you choose a managed service provider. You spend a little more money, but at least the site and all its components (CMS, and Linux/Apache/MySQL/PHP) will be taken care of, leaving you with the sole job of adding content to the site (the fun part).
If, however, you would like to learn more, you can read this article I wrote on the Malwarebytes blog about web malware, and feel free to use this cheat sheet I compiled on my personal page; it helped me tremendously when doing updates and remediations on customers’ websites.
Jerome Segura (@jeromesegura) is Senior Security Researcher at Malwarebytes.