How ransomware targets WordPress sites

We know ransomware is out there but stray from best practices in keeping our sites secure. Here are five tips to ensure security is at the forefront every day.


What would you do if you found yourself locked out of your own business website by criminals? That’s exactly what happens to approximately one business every 40 seconds. Not all of these ransomware attempts are successful, but those that are cost the average company about $133,000. 

Can your company or client afford that kind of loss? Most can’t.

Ransomware volumes dipped slightly in recent industry reports, but that doesn’t mean your WordPress website is out of danger from electronic kidnapping attempts. 

What is ransomware?

Ransomware is malware that, once it runs on a workstation or a server, encrypts the victim’s files so that the rightful owner and other authorized users can no longer use them. It most often arrives as a malicious email attachment or link; on a web server it is typically uploaded by an attacker who already has access through stolen credentials or a vulnerable component. The encryption is followed by a demand for payment in exchange for the decryption key, usually under threat of destroying the data outright or publishing the stolen information.

Email has traditionally been the ransomware distributor’s channel of choice, but attackers also lure victims through video content, especially clips shared via social media. Video is massively popular, with more than 4x as many people saying they would rather watch a video than read about a product, so a link that promises a clip gets clicked, and users are far less wary of media than of attachments. Note that the video data itself is rarely the payload: the danger is usually the link it carries or a bug in an unpatched media player, and with users not on high alert against this route we have a problem looming.

These kinds of attacks already cost businesses an estimated $75 billion each year, not to mention the hard-to-reverse damage to reputation and customer confidence. Many businesses never report such attacks out of fear, and few of the culprits are ever caught.

Is your website at risk?

WordPress is the most widely used blogging and ecommerce platform around, and that popularity is exactly what makes it an attractive target: one exploitable plugin bug or one convincing phishing template works against millions of sites at once. Attacks on WordPress administrators most often begin with phishing attempts and other online scams that harvest login credentials.

Total Donations: Two threats in particular have plagued WP admins and their subscribers recently. The first is a zero-day vulnerability in Total Donations, a plugin used by WordPress sites for fundraising, which was exploited in the wild before any fix existed. The flaw lets remote, unauthenticated users reach the plugin’s settings on any site that has it installed, change them, reroute donations to the attacker’s account, and retrieve the site’s MailChimp email lists.

The plugin has since been withdrawn by its developer, which also means no patch is coming. Any site that still has it installed, or still has its files sitting in the plugins directory, remains exposed; delete it rather than merely deactivating it.

EV Ransomware: The other rising threat, one among thousands of ransomware families, is a piece of malware known as EV Ransomware. It is not delivered by an exploit: the attacker uploads it directly to a site they already have access to, typically through stolen credentials or a vulnerable plugin, and it can communicate back to the criminal. Once it runs, it encrypts the site’s files, locks administrators out and leaves a ransom note on the site.

The worst part is that a direct upload rides on legitimate access, so the encryption on your site’s connections (HTTPS) does nothing to stop it. What matters is who is allowed to upload files, whether an uploaded file can execute as PHP, and whether you hold a clean backup somewhere the malware cannot reach. 
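One concrete check for the direct-upload scenario above: the media directory of a WordPress site should contain only static files, so any PHP there is worth an immediate look. The scanner below is an added example (not code from the article or from any WordPress project) that walks `wp-content/uploads` and flags PHP by extension, by the double-extension trick (`photo.jpg.php`), and by an opening PHP tag hidden inside a file with an innocent extension. The sample site it builds in a temporary directory is constructed for the demo.

```python
"""Added example: find PHP that has no business living under wp-content/uploads,
a common sign of a direct malicious upload. Not from the article or WordPress.

Assumptions: a standard WordPress layout; the sample site is constructed in a
temporary directory purely for demonstration.
"""
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Extensions a typical web server hands to the PHP interpreter.
PHP_SUFFIXES = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar"}
# An opening PHP tag in a file with an innocent extension (.ico, .jpg, .txt) is a
# classic way to hide a dropper or web shell where only media is expected.
PHP_TAG = re.compile(rb"<\?(php|=)")


def scan_uploads(wp_root: str) -> List[Tuple[str, str]]:
    """Return (relative path, reason) for every suspicious file under uploads."""
    root = Path(wp_root)
    uploads = root / "wp-content" / "uploads"
    findings = []
    for path in uploads.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffixes = {s.lower() for s in path.suffixes}  # catches photo.jpg.php too
        if suffixes & PHP_SUFFIXES:
            findings.append((rel, "php extension in uploads"))
            continue
        with path.open("rb") as fh:
            head = fh.read(65536)  # a tag is almost always near the top
        if PHP_TAG.search(head):
            findings.append((rel, "php tag in non-php file"))
    # Review hits by hand: some plugins drop a harmless index.php stub in uploads.
    return sorted(findings)


def build_sample_site() -> str:
    """Construct a throwaway WordPress tree: one clean upload, three planted
    indicators, and a legitimate plugin file that must NOT be flagged."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    uploads = root / "wp-content" / "uploads" / "2019" / "03"
    uploads.mkdir(parents=True)
    (uploads / "hero.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stand-in")
    (uploads / "shell.php").write_text("<?php /* constructed web-shell stand-in */ ?>")
    (uploads / "photo.jpg.php").write_text("<?php /* double-extension trick */ ?>")
    (uploads / "favicon.ico").write_text("GIF89a <?php /* hidden in an icon */ ?>")
    plugins = root / "wp-content" / "plugins" / "hello-dolly"
    plugins.mkdir(parents=True)
    (plugins / "hello.php").write_text("<?php /* plugins are supposed to hold PHP */")
    return str(root)


if __name__ == "__main__":
    for rel, why in scan_uploads(build_sample_site()):
        print(f"{why:26} {rel}")
```

Run it against a real install as `scan_uploads("/var/www/html")` (path assumed). Flagging is only the first step; the fix for the class of problem is to configure the web server not to execute PHP under the uploads directory at all.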

This is a particularly destructive piece of ransomware, but it isn’t typical of how ransomware gets into a business. According to a recent report from Symantec, more than 71% of malware infections arrive through email attachments. Many of these tainted emails look legitimate at first glance because the malicious code does not run until the attachment is opened.

Since email is an integral part of small business marketing, especially for correspondence and subscriber-based WP websites, your best defense is a disciplined routine. 

5 steps for securing your WordPress website against ransomware

Too many website owners are aware of threats, but don’t take them seriously enough or don’t consider themselves a likely target of hackers. Waiting until after an attack is too late, even if you have a mitigation plan in place. With ransomware, the time to act is before you are hit.

1. Download only from official platforms

WordPress being open source is not the problem; the sheer number of third-party plugins and themes is, because each one is code written by someone else that runs with full access to your site. If you’re going to install new plugins, download them from a reputable source – such as the WordPress Plugin Directory – which reviews submissions before listing them, removes plugins with reported vulnerabilities, and shares user reviews. Keep in mind that this review is not a full security audit of every release, so also check that a plugin is actively maintained and updated.

2. Check your sources

You should never open an email or attachment that seems suspicious. Go with your gut. However, people in business routinely receive unsolicited emails from strangers, and some are forwarded by people we know, so a gut check alone is not enough.

At least 20% of suspicious domains are less than a week old. You can check any domain with a WHOIS lookup (the whois command or a registrar’s lookup page). It shows when the domain was registered and, unless the registrant has opted for privacy protection (common today), the name and location of the owner. A domain created a few days ago that claims to be an established business is a red flag.
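The age check above is easy to automate. The following is an added example (not from the article) that pulls the creation date out of WHOIS text, handles the two common layouts (ICANN-style `Creation Date:` and Nominet-style `Registered on:`), and treats a record with no parseable date as suspicious rather than as safe. The WHOIS excerpts are constructed for the demo; in practice you would feed in the output of `whois <domain>`.

```python
"""Added example: read the registration date out of WHOIS output and flag domains
that are only days old. Not from the article.

Assumptions: the WHOIS records below are constructed for the demo and use the
reserved .example TLD; a real check would parse `whois example.com` output.
"""
from datetime import datetime, timezone
from typing import Optional

# Registries label the field differently; these cover the common ones.
CREATION_KEYS = {"creation date", "created", "created on", "registered on", "registration time"}
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d",
                "%d-%b-%Y", "%Y-%m-%d %H:%M:%S")


def parse_creation_date(whois_text: str) -> Optional[datetime]:
    """Return the domain's creation date as a UTC-aware datetime, or None if absent."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")  # split at the FIRST colon only
        if not sep or key.strip().lower() not in CREATION_KEYS:
            continue
        value = value.strip()
        for fmt in DATE_FORMATS:
            try:
                parsed = datetime.strptime(value, fmt)
            except ValueError:
                continue
            if parsed.tzinfo is None:
                parsed = parsed.replace(tzinfo=timezone.utc)
            return parsed.astimezone(timezone.utc)
    return None


def domain_age_days(whois_text: str, now: datetime) -> Optional[int]:
    created = parse_creation_date(whois_text)
    return None if created is None else (now - created).days


def is_fresh_domain(whois_text: str, now: datetime, max_age_days: int = 7) -> bool:
    """True when the domain is younger than max_age_days, or when no creation date
    can be found at all: an unreadable record is treated as suspicious, not safe."""
    age = domain_age_days(whois_text, now)
    return age is None or age < max_age_days


# Constructed WHOIS excerpts in the two most common layouts, plus a useless one.
ICANN_STYLE = """\
Domain Name: PAYMENT-UPDATE-NOTICE.EXAMPLE
Registrar: Example Registrar, LLC
Creation Date: 2019-03-02T11:04:59Z
Registrant Name: REDACTED FOR PRIVACY
"""
NOMINET_STYLE = """\
Domain name:
    established-business.example
Registered on: 12-Jan-2015
Expiry date: 12-Jan-2020
"""
NO_DATE = "Domain Name: MYSTERY.EXAMPLE\nStatus: unknown\n"

# Fixed "now" so the demo is reproducible.
NOW = datetime(2019, 3, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, record in (("icann", ICANN_STYLE), ("nominet", NOMINET_STYLE), ("no date", NO_DATE)):
        print(f"{label:8} age={domain_age_days(record, NOW)} fresh={is_fresh_domain(record, NOW)}")
```

Note that the registrant name in the first record is redacted, as it usually is today, yet the creation date is still there; that date is the one field privacy services do not hide.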

3. Make updates and backups part of everyday maintenance

These are two maintenance chores that should be second nature by now, but too many website owners become lax after a while. Reputable vendors and plugin developers do release security patches as soon as a problem is reported to them, but a patch protects you only once it is installed.

WordPress installs minor core (security) releases automatically by default and can be configured to update plugins and themes automatically as well; turn that on where you can, and otherwise check for updates and install them as soon as they become available. Regular backups stored off the server, and tested by actually restoring them, may save your bacon if someone does encrypt your files; a backup that sits on the same server will be encrypted along with everything else.
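A backup you have never restored is a hope, not a plan. The script below is an added example (not from the article or from WordPress) that archives a site tree together with a SHA-256 manifest, verifies the archive by hashing every member straight out of the tarball, and then reuses the same manifest to list live files whose content has changed since the backup, which is exactly what a ransomware run looks like from the file system. The site tree is constructed in a temporary directory; in practice `dest_dir` would be a sync target off the web server, and the database dump (not shown) would sit alongside.

```python
"""Added example: back a site tree up with a SHA-256 manifest, prove the archive
restores, and reuse the manifest to spot files changed since the backup.
Not from the article or WordPress.

Assumptions: the site tree is constructed in a temporary directory; dest_dir
stands in for off-server storage; the database dump is out of scope here.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def backup_site(site_root: str, dest_dir: str, name: str = "site") -> Tuple[str, str]:
    """Write <dest>/<name>.tar.gz plus <dest>/<name>.manifest.json (path -> sha256)."""
    root = Path(site_root)
    archive = Path(dest_dir) / f"{name}.tar.gz"
    manifest_path = Path(dest_dir) / f"{name}.manifest.json"
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in root.rglob("*") if p.is_file()):
            rel = path.relative_to(root).as_posix()
            manifest[rel] = sha256_bytes(path.read_bytes())
            tar.add(str(path), arcname=rel)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return str(archive), str(manifest_path)


def verify_backup(archive: str, manifest_path: str) -> List[str]:
    """Hash every member straight out of the archive (no extraction to disk) and
    return manifest entries that are missing or differ; [] means it restores."""
    expected = json.loads(Path(manifest_path).read_text())
    seen: Dict[str, str] = {}
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                seen[member.name] = sha256_bytes(tar.extractfile(member).read())
    return sorted(rel for rel, digest in expected.items() if seen.get(rel) != digest)


def changed_since_backup(site_root: str, manifest_path: str) -> List[str]:
    """Files in the live tree that no longer match the manifest (edited, encrypted
    or deleted). A sudden burst of these is the signature of a ransomware run."""
    expected = json.loads(Path(manifest_path).read_text())
    root = Path(site_root)
    return sorted(
        rel for rel, digest in expected.items()
        if not (root / rel).is_file() or sha256_bytes((root / rel).read_bytes()) != digest
    )


def build_sample_site() -> str:
    """Constructed stand-in for a WordPress tree."""
    root = Path(tempfile.mkdtemp(prefix="wp-site-"))
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); // constructed")
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-content" / "uploads" / "hero.jpg").write_bytes(b"\xff\xd8\xff constructed")
    (root / "wp-content" / "index.php").write_text("<?php // Silence is golden.")
    return str(root)


def demo() -> Tuple[List[str], List[str]]:
    site = build_sample_site()
    off_site = tempfile.mkdtemp(prefix="backup-")  # stands in for off-server storage
    archive, manifest = backup_site(site, off_site)
    problems = verify_backup(archive, manifest)  # [] on a good backup
    # Simulate a ransomware run: one live file is replaced by encrypted junk.
    Path(site, "wp-config.php").write_bytes(b"\x00ENCRYPTED\x00 constructed ciphertext")
    changed = changed_since_backup(site, manifest)  # ["wp-config.php"]
    return problems, changed


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the backup, not on the web server: if the attacker can rewrite the manifest, the comparison tells you nothing.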

4. Use secure email from trusted providers

Free email accounts are available almost anywhere. Google and Microsoft give them away to bring users into their ecosystems, upselling everything from hosting platforms to domain registration.

Gmail has strong spam and malware filtering, but it is neither anonymous nor end-to-end encrypted. For that, look at dedicated providers that offer end-to-end encryption based on OpenPGP (with AES and RSA underneath), such as ProtonMail or Mailfence. For them, email is not an afterthought or add-on; it’s their only business, and they deserve consideration as part of an overall security strategy. Be clear about what this buys you, though: encryption keeps your messages private in transit and at rest; it does not stop a malicious attachment from running when you open it, so attachment filtering and caution still matter.

While it’s true that a dedicated email service might contribute to your growing case of subscription-itis (a pocketbook condition caused by too many subscriptions), the cost is less than ten bucks a month, and if it keeps one malicious attachment out of your inbox, consider it money well spent.

5. Mandate that clients use a virtual private network (VPN)

VPN software first gained mass popularity for its ability to bypass the geo-restrictions imposed by streaming services like Netflix and Hulu. But along the way people realized that it’s also a useful security tool, particularly on networks you don’t control.

While there are good reasons related to privacy and security to use a VPN whenever you go online, here is what a VPN actually does for the WordPress admin who logs in from a coffee shop or a client’s office, and what some providers bundle on top:

  • Encrypts traffic between your device and the VPN server (not all the way to the website, so keep HTTPS on for wp-admin)
  • DNS leak protection, so your lookups are not exposed to the local network
  • Certificate-based (TLS) authentication of the VPN server, so you are not handed to an impostor
  • Extras some providers bundle, such as secure email addresses
  • Regular client updates; treat the VPN client like any other software that needs patching

A VPN protects the administrator’s connection; it does nothing for the server itself, so it complements the other steps rather than replacing them.

Final thoughts

Some 212 ransomware families have been identified since 2015. That may not sound like much, but each family spawns countless variants and individual samples, released day after day. Don’t wait until you’re locked out of your WordPress website to do something about the ransomware threat. Begin today to create a plan of action to prevent attacks on your website and livelihood. 


Opinions expressed in this article are those of the guest author and not necessarily MarTech. Staff authors are listed here.


About the author

Sam Bocetta
Contributor
Sam Bocetta is a former security analyst for the DoD, having spent 30-plus years bolstering cyber defenses for the Navy. He is now semi-retired and educates the public about security and privacy technology. Much of his work involved penetration testing Navy ballistic systems. He analyzed networks looking for entry points, then created security-vulnerability assessments based on findings. He also helped plan, manage and execute sophisticated "ethical" hacking exercises to identify vulnerabilities and reduce the risk posture of enterprise systems.
