News

Clubs with Wordpress sites need to upgrade or be hacked... intense

In short: upgrade your Wordpress plz. kthnxbai.

Imperial clubs with old Wordpress sites are vulnerable toattack from hackers.

A number of the Clubs and Societies at Imperial College Union have been running outdated versions of Wordpress, which leaves them open to attack. The problem is easily fixed by simply keeping installations up to date when asked to update (those annoying “UPDATE NOW OR ELSE” boxes). The actual number of clubs that have been attacked seems to be small. The Union Sys Admin, Philip Kent, said that they are “making sure everyone updates so it doesn’t happen again.” He added that all old Wordpress sites were not necessarily attacked. He added that Wordpress is not the “only expoitable pieve of software” saying that “other software has security holes too, but we are targeting Wordpress on the basis that it is widely used on club websites, and it has a poorer track record for being secure [than other software]”.

At the moment, it would appear that the content of the websites were altered but no sensitive information was compromised.

The problem will be minimised by immediately turning off a Wordpress that is found to be outdated. It is only re-instated when it has been declared clean and the club has upgraded the software. Since starting the weekly notifications a large number of clubs have already upgraded their installations and Kent says the Union are “well on our way to fully resolving this problem”.

Kent said that they have “switched every site (except those which use custom domains) over to use SSL for all access; which, while this will not stop these kinds of attacks, it will prevent some of the results of what is done to people’s websites. For example, on one website, the attackers modified the templates so that it displays what is called an iframe (embedding a website inside a website). Because we now run under SSL, unless the website inside the iframe is also running under SSL, web browsers will often complain or refuse to show the contents of the frame, which may prevent showing of undesirable content. The same is true if they try to load external images or JavaScript.”

They are also working on a way to make upgrading easier, but are yet to complete it. There is a guide on the SysAdmin website, which describes how to upgrade