WordPress Vulnerabilities: how to strengthen your security

FBI Reports WordPress Vulnerabilities


Over the past few days a series of warnings has been issued regarding security vulnerabilities in WordPress websites, the most important of them from the FBI.

Releasing an alert on Tuesday, the bureau indicated that a high number of WordPress sites are vulnerable to attacks “being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL).”

Continuing, the release said that:

“The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites.

“Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.”

According to the report, only websites running the WordPress CMS are vulnerable to these exploits; it also stated that the attacks are “relatively unsophisticated” and are largely preventable, or resolvable in the event of defacement.

The FBI recommends the following free utilities to identify specific vulnerabilities for any WordPress site:

It also recommends updating WordPress systems by patching vulnerable plugins.

According to Sucuri, there are two primary plugins that are being exploited by ISIL and other attackers:

  • Outdated RevSlider
  • Outdated GravityForms

Continuing:

“The vulnerabilities being exploited appear to be from older versions of the plugins that have yet to be patched. We are not aware of any new vulnerabilities in either of the plugins.

“Especially RevSlider, which is the #1 by far compared to the others. After these first two, we are seeing many attacks against FancyBox, WP Symposium, MailPoet and other popular plugins that had vulnerabilities disclosed recently.”

That said, the FBI neglects to mention that misused themes may also be vulnerable to attack, as may admin panels facing brute-force login attempts.

Sucuri also suggests using its own Website Firewall.

Anything else?

Unfortunately, April 7 wasn’t a good day for WordPress, as it was also reported that as many as one million websites could be in danger thanks to a “critical” vulnerability recently discovered in the WP Super Cache plugin.

In a blog post, again from Sucuri, researcher Marc-Alexandre Montpas wrote that:

“Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts to the plugin’s cached file listing page. As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually.

“When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, injecting backdoors by using WordPress theme edition tools, etc.”

So what are the best security tips?

  1. Keep things updated. Running the latest software will always be the most obvious security measure you can take, especially when you consider that 86 per cent of all WordPress installations are running outdated versions.
  2. As stated above, be sure to upgrade to the latest versions of themes and plugins.
  3. Be selective about what you use and what you install. Try to avoid installing unnecessary plugins.
  4. Remove any inactive users from your sites and restrict access to the wp-admin directory.
  5. Disable file editing and enable HTTPS for all logins and wp-admin. Restricting direct access to plugin and theme PHP files would also improve security.
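As an added illustration of tips 4 and 5 (not configuration from the article or from Sucuri), the Apache 2.4 virtual-host fragment below restricts wp-admin to listed addresses, forces wp-login.php and wp-admin onto HTTPS, and blocks direct requests to PHP files under the plugin and theme directories. It assumes the WordPress root is /var/www/html and uses placeholder address ranges; replace both with your own values.

```apache
# Hypothetical hardening fragment for the site's vhost configuration.
# Assumes WordPress lives in /var/www/html (adjust to your DocumentRoot).

<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html
    # Tip 5: never serve the login page or dashboard over plain HTTP.
    RewriteEngine On
    RewriteRule ^/(wp-admin|wp-login\.php) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Tip 4: only the listed source addresses may reach the dashboard.
# 203.0.113.0/24 and 198.51.100.7 are documentation-range placeholders.
<Directory "/var/www/html/wp-admin">
    <RequireAny>
        Require ip 203.0.113.0/24
        Require ip 198.51.100.7
    </RequireAny>
    # admin-ajax.php is requested by anonymous visitors for many plugins'
    # front-end features; with AuthMerging Off (the default) this more
    # specific section replaces the IP restriction for that one file.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</Directory>

# Tip 5: WordPress loads plugin and theme code through index.php itself,
# so browsers have no reason to request those PHP files directly.
<DirectoryMatch "^/var/www/html/wp-content/(plugins|themes)/">
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</DirectoryMatch>
```

Test the site after applying this: a few plugins expose their own PHP endpoints for direct requests and will need a `<Files>` exception like the one for admin-ajax.php. The remaining part of tip 5, disabling the dashboard theme and plugin editor, is done in wp-config.php with `define('DISALLOW_FILE_EDIT', true);`.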