The recent news that the Reuters News Agency's blog has been compromised for the third time in a month has got me wondering exactly what process the administrators went through after the first attack.
Seek Professional Advice
Their first step, once the compromise became obvious (and fake news stories appearing on the blog of one of the world's leading news agencies is fairly obvious), should have been to bring in an outside security professional whose sole job would be to determine how the attackers got in, what they had access to, and what data may have been copied or altered.
While this investigation was taking place, the affected site should have been taken offline to stop the attackers from gaining further access. Taken offline does not mean wiped: the investigator needs the server, its logs and its database exactly as the attackers left them, so take a copy of the disk and the logs before anything is cleaned up or rebuilt.
Restore from Backups
Once you've determined which parts of the system the attackers managed to reach, and (hopefully) how long they've had access, it's time to do the one thing all system administrators dread: restore the entire server from a known good backup. "Known good" means a backup taken before the attackers first got in, not just before the attack was noticed; if they had access for weeks, last night's backup contains their changes too.
Restoring from a backup taken before the compromise accomplishes two things:
Firstly, it ensures that any accounts the attackers created no longer exist, and that any modifications they made to the system (extra admin users, edited theme or plugin files, backdoors dropped into the upload directory) have been reversed. It does not change any passwords the attackers may have captured, so reset every administrator, FTP and database password, and the secret keys and salts in wp-config.php, as part of the same restore.
Secondly, it gives you a chance to do what should have happened in the first place: install every outstanding security update on a system you know is clean. Skip that step and the attackers simply walk back in through the same hole.
It may mean that you need to re-create some content that was published after the backup you restored from was taken, but that is a small price to pay to restore your website to fully working order.
Updates, Updates and More Updates
The title of this post is all about updates, and for good reason: they are the most important thing you must do for your website, ranking above posting new content.
The reason is that the people who make the software you use, be it WordPress, Joomla, Drupal, or some other CMS, make mistakes. Small, often undetected errors in the code they write unintentionally give attackers a way into your website, and in the case of WordPress there are over 160,000 lines of code in which to make them.
Even with a community of several thousand developers working to keep mistakes to a minimum and to correct the serious ones before a release is made, some still slip through the cracks and make it onto your server.
This is exactly what happened in the Reuters compromise, but to make things worse, WordPress had already issued updates that corrected the issues. They just hadn't been installed.
WordPress even tells you when a new version has been released. I can't imagine that nobody in the Reuters IT department was logging into the WordPress admin at least weekly, so they should have noticed the huge "A New Version of WordPress is Available" notice across the top of the Dashboard. Yet, for some reason, they didn't install it, and were still running version 3.1.1, far behind the current release, 3.4.1.
In an interview with the Wall Street Journal, Mark Jaquith, WordPress Core Development Team Member and also a member of the WordPress Security Team, stated:
“If organizations ignore those notifications and stay on an outdated version, then they put themselves at risk of these sorts of breaches.”
He also highlighted that WordPress 3.1.1 had "several publicly known security vulnerabilities" that had since been fixed in newer versions.
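Relying on someone to notice the Dashboard banner is exactly what failed here. The script below is an added example, not code from the original post or from WordPress, that does the same check from the command line so it can be run over every install on a server (or from cron) and fail loudly when one is behind. It reads the `$wp_version` string from `wp-includes/version.php`, the file WordPress core ships its version in, and compares it with a "latest release" number the caller passes in (3.4.1 below, the release named in this post). The two installs it audits are constructed in a temporary directory for the demonstration; on a real server you would point it at the document roots instead.

```shell
#!/bin/sh
# Added example (not from the original post or WordPress): audit WordPress
# document roots for an outdated core version. The latest release number is
# supplied by the caller; the sample installs built by make_sample_install
# are constructed for the demonstration only.

# Print the core version of the WordPress install rooted at $1.
# Returns 2 when the directory does not look like a WordPress install.
wp_installed_version() {
    f="$1/wp-includes/version.php"
    [ -f "$f" ] || return 2
    # version.php carries a line of the form:  $wp_version = '3.4.1';
    grep '^\$wp_version' "$f" | head -n 1 | cut -d"'" -f2
}

# Return 0 when dotted version $1 is older than $2, comparing each component
# numerically, so "3.1.1" is older than "3.4.1" and "3.10" is newer than "3.9".
version_older_than() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k 1,1n -k 2,2n -k 3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# Audit the install rooted at $1 against the latest release $2.
# Exit status: 0 up to date, 1 outdated (prints a warning), 2 not a WP install.
audit_wp_install() {
    installed=$(wp_installed_version "$1") || return 2
    [ -n "$installed" ] || return 2
    if version_older_than "$installed" "$2"; then
        echo "OUTDATED: $1 runs WordPress $installed, current release is $2"
        return 1
    fi
    echo "OK: $1 runs WordPress $installed"
    return 0
}

# Build a constructed, minimal install under $1 with core version $2, so the
# audit can run offline. Only wp-includes/version.php is created.
make_sample_install() {
    mkdir -p "$1/wp-includes"
    printf '<?php\n$wp_version = '"'"'%s'"'"';\n' "$2" > "$1/wp-includes/version.php"
}

# Demonstration: one install stuck on 3.1.1, as Reuters was, and one on 3.4.1.
# Prints a report and returns the number of outdated installs found.
demo() {
    root=$(mktemp -d)
    make_sample_install "$root/stale" 3.1.1
    make_sample_install "$root/fresh" 3.4.1
    outdated=0
    for d in "$root/stale" "$root/fresh"; do
        audit_wp_install "$d" 3.4.1 || outdated=$((outdated + 1))
    done
    rm -rf "$root"
    echo "$outdated outdated install(s) found"
    return "$outdated"
}

demo || :
```

The version comparison deliberately avoids `sort -V`, which is not available on every system, in favour of a per-component numeric sort that POSIX `sort` supports. Plugins and themes carry their own version headers and are not covered by this check; the Dashboard notice that Reuters ignored covers those too, so a script like this supplements it rather than replacing it.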
Updating is a Pain
I know what you're thinking right now: updating my server is a pain, and I don't have the time to do it. That may be true, and if it is, consider either paying your hosting company to do the updates for you, or hiring someone to manage your servers and make sure the updates get installed.
I cannot stress enough how important it is to keep your platforms updated. It may mean checking on a test copy of the site that an update won't break the theme you're using, or that your plugins still work with it, but in the long run it's well worth the extra effort to stop your site being used to spread, at best, misinformation and, at worst, malware to your visitors, which will also have a severe impact on your search engine rankings.
If you want to stay up to date with the latest update news for several of the most popular content management systems, use the subscribe box at the top of this page to sign up to our Security Newsletter. We'll send you an e-mail with tips on how to protect yourself and your business, and notify you when the popular content management systems release updates.