Maritime Trades Department

Website Design & Development

Cyber Security Response: WordPress Website Malware Infection with Compromised Hosting

Website Recovery and Redesign

The AFL-CIO’s Maritime Trades Department (MTD) gives workers employed in the maritime industry and its allied trades a voice in shaping national policy. The MTD’s network of 21 port maritime councils has given maritime workers a formidable grassroots presence in port and coastal cities all across the nation.

Representing a wide array of workers, the councils have given the Department’s 23 affiliates a mechanism to pool their resources on a wide range of issues and projects.

GSS initially helped recover an outdated and compromised website under emergency circumstances, securing it while a modernized version could be built.

GSS worked with MTD to bring a new face to the department with a robust and secure backend that is also user-friendly for editing and creating new content.

MTD had previously used a basic budget WordPress hosting provider, and its website, which had become a critical communications tool, experienced a security breach that compromised its functionality and the integrity of its content. Gray Street Solutions, a leading Washington, DC-based WordPress design and development agency, was enlisted to diagnose and resolve the issue.

Services

Website Recovery

Website Design

Ongoing Website Maintenance

Situation:

  1. As WordPress websites age, often their original themes are either not kept up to date or are abandoned by the original developer.
  2. Failing to maintain the website’s frontend, backend and database leaves the door open to hacking via automated bots and manual intrusion.
  3. Website Hosting: You get what you pay for! Budget hosting providers often neglect best practices for security and do not enforce minimum standards for their server environments, leaving you open to attacks on other customers’ websites. Website hosting without active management leaves the door open to vulnerabilities being exploited: server environment updates are not enforced, and outdated/deprecated plugins are not updated or removed as needed. The level of maintenance needed is often unknown or underestimated by non-technical staff responsible for procurement.

Remediation Steps:

  1. Secured and patched the legacy website; deactivated and removed unused/unneeded plugins and those with known vulnerabilities
  2. Cleaned up the hosting directory structure by removing redundant WordPress core files and installation directories
  3. Implemented Cloudflare Security Firewall and WordPress EDGE Security Suite
  4. Analyzed and repaired the WordPress database; updated PHP from 5.5 to version 7.4, as versions 5.5, 5.6, 7.0, 7.2, and 7.3 are deprecated

Future-proofing Actions:

  1. Redesign and rebuild the website on a modern page builder (Elementor)
  2. Migrate to secure hosting via WP Engine
  3. Implement WordPress EDGE Security Suite and Cloudflare to limit full administrator access and block known bad actors
  4. Client Education and Training

Results:

  1. Website Visits: Prior to this, Google Analytics was not implemented. Since launching the redesigned website, search engine traffic and form conversions are measurable.
  2. Website Ease of Use: The website interface is now much more user friendly, making common day-to-day updates more efficient.

Notable Quirks:

  • The hosting provider did not force PHP updates: as a result, the attacker likely exploited a PHP vulnerability (version 5.5)!
  • Backup files compromised: this is why Gray Street uses multiple redundant online and offline backups for WordPress website recovery.
  • Outdated and Compromised Theme: Website directory files installed multiple times
  • Fake WordPress Administrator Account had been created: “wpadminas”
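
A check a defender could run for the rogue-administrator finding above, as an added example (not Gray Street's tooling): it reads role data in the form WordPress stores it in the wp_usermeta capabilities value and reports administrators missing from an approved list. The sample rows and the approved list are constructed; only the login "wpadminas" comes from this page.

```python
import re

# Constructed sample: (ID, user_login, user_registered, capabilities meta_value),
# as exported from wp_users joined to wp_usermeta on the "<prefix>capabilities" key.
# Only "wpadminas" is taken from the case study; all other values are made up.
SAMPLE_ROWS = [
    (1, "editor_jane", "2016-03-02 14:11:09", 'a:1:{s:6:"editor";b:1;}'),
    (2, "site_owner", "2015-01-20 09:30:00", 'a:1:{s:13:"administrator";b:1;}'),
    (7, "wpadminas", "2023-05-14 03:12:44", 'a:1:{s:13:"administrator";b:1;}'),
    (9, "former_admin", "2017-08-01 10:00:00", 'a:1:{s:13:"administrator";b:0;}'),
]

# Assumption: the site owner keeps a list of approved administrator logins.
APPROVED_ADMINS = {"site_owner"}

# One entry of a PHP-serialized array: s:<byte length>:"<role>";b:<0|1>;
ROLE_ENTRY = re.compile(r's:(\d+):"([^"]*)";b:([01]);')


def granted_roles(serialized):
    """Return the roles set to true in a PHP-serialized capabilities array."""
    roles = set()
    for length, name, flag in ROLE_ENTRY.findall(serialized):
        # Skip entries whose declared length does not match the role string.
        if int(length) == len(name.encode("utf-8")) and flag == "1":
            roles.add(name)
    return roles


def unexpected_admins(rows, approved):
    """List accounts holding the administrator role that are not approved."""
    findings = []
    for user_id, login, registered, caps in rows:
        if "administrator" in granted_roles(caps) and login not in approved:
            findings.append({"id": user_id, "login": login, "registered": registered})
    return findings


if __name__ == "__main__":
    for f in unexpected_admins(SAMPLE_ROWS, APPROVED_ADMINS):
        print(f"unapproved administrator: {f['login']} "
              f"(ID {f['id']}, registered {f['registered']})")
```
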

Challenges Faced

Urgency and Downtime: MTD’s website is vital for disseminating information and resources to its stakeholders. The security breach made it impossible to continue updating the website, and the presence of malware led to search engines and corporate intranet firewalls preventing access, effectively blocking their ability to communicate with their audience.

Security Concerns: The WordPress hack resulted in malware infection, making the website vulnerable to further attacks and compromising the security of sensitive data such as supporter names and contact information.

Loss of Credibility: As the website was defaced and infected with malware, MTD risked losing credibility with its stakeholders.

Complexity of Hack: At their prior vendor’s suggestion, the client used an inadequate low-budget hosting reseller, “deluxe hosting,” which lacks basic security measures to prevent unauthorized access to the hosting account administration or to the server itself. An abandoned WordPress website theme and lack of proactive cyber defenses made this site a virtual ticking time bomb.

Solutions Implemented:

Immediate Containment: While it is sometimes necessary to take a compromised website offline, we were able to contain the malware and safeguard data with minimal downtime.

Diagnosis and Cleanup: GSS conducted a comprehensive scan to identify the source of the breach and the extent of malware infection. Upon identification, Gray Street cleaned up the infected files, removed malicious code, and restored the website’s content from a recent backup.

Security Enhancement: Gray Street Solutions upgraded WordPress to the latest version, updated all plugins and themes, and implemented our “WordPress EDGE Security Suite,” which includes maritime industry-specific firewall and brute-force attack protections and also simplifies and secures the WordPress administrative interface.

Search Engine Reputation: To restore MTD’s credibility in search engines, we submitted requests to remove security warnings and reinstate the website’s original standing.

Monitoring and Reporting: GSS implemented continuous monitoring to detect any future attempts at unauthorized access or malware, and provided MTD with comprehensive reports about the breach and the steps taken to rectify the situation.

Outcomes:

Quick Recovery: MTD’s website was successfully restored in less than 72 hours with minimal damage to content and functionality.

Enhanced Security: The updated security measures provided by Gray Street Solutions’ WordPress EDGE Security Suite significantly strengthened the website’s resilience to future attacks.

Stakeholder Confidence Restored: By openly communicating the issue and how it was resolved, MTD was able to rebuild trust with its stakeholders.

Conclusion:

Gray Street Solutions’ rapid response and comprehensive approach to MTD’s website breach proved crucial in mitigating damages and restoring functionality and security. This case demonstrates the importance of timely, skilled intervention in the face of cyber-attacks, and the critical role that digital agencies play in protecting their clients’ online presence. Through the successful collaboration between Gray Street Solutions and MTD, a potential disaster was averted, with lessons learned for future vigilance and resilience.

New Website by GSS

Original Website
