Last month a vulnerability was discovered in the Fancybox for WordPress plugin, making it possible for a hacker to inject an iframe into the website without needing administrator access. Although the issue was promptly patched, a string of seemingly random WordPress websites were recently compromised using this vulnerability.
Hackers claiming to be acting on behalf of ISIS exploited Fancybox to deface the websites with propaganda for the terrorist group. Credit Union Journal reports that a Montana credit union website was attacked using the Fancybox plugin as the entry point.
Area43.net examined the Google-cached source code of several other hacked sites and reported that both Eldoraspeedway.com and Montgomeryinn.com have since removed the Fancybox for WordPress plugin.
In order to deface the websites, the suspected ISIS hackers likely scanned for sites that have not updated the Fancybox for WordPress plugin, as the sites bear no other commonalities apart from using WordPress. Many major news outlets with no understanding of WordPress’ plugin system have wrongly attributed the security flaw to WordPress itself.
Fancybox for WordPress is currently active on more than 100,000 sites, but stats on WordPress.org do not break down how many of those are using a version older than the patched update issued in February. According to Samuel “Otto” Wood, WordPress.org pushed out a forced update for the Fancybox plugin vulnerability, although it wasn’t widely reported.
What is it going to take for WordPress site administrators to keep their plugins updated? If you’re not comfortable updating WordPress plugins yourself, then you need to be on a maintenance plan with a development company to keep your software updated and secure.
While many developers are not too keen on the possibility of WordPress someday adopting automatic updates for core, plugins, and themes by default, your average website owner would probably prefer it over would-be ISIS hackers exploiting the simplest of vulnerabilities to deface their websites.
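The opt-in the article alludes to already exists for site owners who do not want to wait for WordPress to change its defaults: a plugin or theme can be enrolled in the core background updater through the `auto_update_plugin` and `auto_update_theme` filters. The following must-use plugin is an added example, not code from the article or from the Fancybox project; the plugin slug `fancybox-for-wordpress` in the allow-list is assumed, and the file is expected to live in `wp-content/mu-plugins/` so it loads on every request without having to be activated.

```php
<?php
/**
 * Plugin Name: Background updates for plugins and themes (added example)
 * Description: Opts installed plugins and themes into WordPress' automatic updater.
 *
 * Drop this file into wp-content/mu-plugins/. Must-use plugins cannot be
 * deactivated from the dashboard, so the policy survives a careless click.
 */

// Plugins that must always update in the background, whatever the site-wide
// policy below says. The slug is an assumption for this example.
const EXAMPLE_ALWAYS_UPDATE_PLUGINS = array( 'fancybox-for-wordpress' );

/**
 * Decide whether a given plugin should be updated automatically.
 *
 * @param bool|null $update Current decision from core or earlier filters.
 * @param object    $item   Update offer; $item->slug is the wordpress.org slug.
 * @return bool
 */
function example_auto_update_plugin( $update, $item ) {
	if ( isset( $item->slug ) && in_array( $item->slug, EXAMPLE_ALWAYS_UPDATE_PLUGINS, true ) ) {
		return true;
	}
	// Site-wide default: update every other plugin as well. Return $update
	// instead of true here to keep core's default (off) for the rest.
	return true;
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

// Themes carry the same risk (and the same patch cadence), so treat them alike.
add_filter( 'auto_update_theme', '__return_true' );
```

With this in place the updater runs from WP-Cron, so a site that receives no traffic (or has cron disabled) still needs an external trigger such as a system cron job calling `wp-cron.php`; checking that updates are actually landing is part of the maintenance plan the article argues for.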
Can I talk about WordPress consultants for a moment?
At a marketing meetup in my area, there’s a rash of folks that sell WordPress website creation as a service. Folks that tell me they “slap some themes together from TF and plugins.” So, when I say rash, I mean I literally break out in one when I hear how they operate their business.
For example, this defacing happened to a consultant I was talking to. She told me that the client refused to pay for the $18 upgrade to keep the patches coming. The result was the defacing. Of course a business owner is going to say no to a cost they don’t understand. It’s not their fault, it’s the consultant’s fault.
If you’re consulting with a client on a monthly retainer and you are responsible for their core website technology AND you’re not working these license upgrade fees into your monthly nut — you are doing it wrong.
If you tell me your monthly retainer can’t take the impact of premium plugin renewals that you installed and continue to use for your client — you are doing it wrong.
If you cannot position the cost of annual software fees properly to a business owner — you’re probably positioning WordPress wrong and really doing it wrong.