Know Your Code

January 13, 2022 in Behind the Code

Your online presence is a complex assembly of components ranging from basic HTML to scripting languages such as JavaScript or even generated on the fly by a language such as PHP, Perl, or Python. Much of this, however, is hidden away behind the convenience of a content management system (CMS) or an application framework. How well do you really know all the parts that make up your online presence?

Overview

Regardless of how your site is constructed, there will always be an operating system behind it. Whether that is Linux or Windows, it still needs to be updated just like your personal computer. If you are running a private server (VPS) or using an Infrastructure-as-a-Service (IaaS) provider, you are responsible for keeping the entire system, and everything on it, up to date.

On the other hand, if you’re using a managed hosting provider, they will handle the updating of things like the operating system, the webserver software (like Apache), and the programming languages. But, as the site owner, you are still responsible for updating the software that your site is made of. This includes the core software, such as WordPress or Joomla, as well as any plugins, themes or libraries that you’ve used to customize your site.

For basic CMS sites (like a WordPress blog), you can use built-in admin functions to identify any out-of-date components and upgrade them. For premium components, you need to check with the retailer or developer to see if there are updates and then apply them if you are not able to update them from within the CMS.

For sites built from frameworks like Django, Laravel, or Node.js, you need to carefully examine all the components that are being used to make sure they are at the latest versions. Additionally, this needs to be performed again for each component to ensure that any of the libraries and components that they require are updated.

For example, if Plugin A requires Plugin B, you need to make sure that both plugins are updated properly. Similarly, if Node.js library A also requires library B, you need to make sure that both libraries are updated. This can get complicated if you use a lot of interdependent libraries or plugins.
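As an added example (not part of the original post), the script below shows why the nested case matters for a Node.js site: it walks a constructed `package-lock.json` in which a plugin pulled in its own older copy of a library alongside the up-to-date top-level copy, and reports every installed copy that falls below a version floor you define. The package names, versions and floors are constructed placeholders.

```python
import json

# Constructed sample of an npm package-lock.json (lockfileVersion 2/3 layout).
# Each entry under "packages" is keyed by its install path; a nested
# "node_modules/.../node_modules/..." path means npm installed a second copy
# of a library just for the package that required the older range.
SAMPLE_LOCK = json.dumps({
    "name": "example-site",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"plugin-a": "^2.0.0", "lib-b": "^1.4.0"}},
        "node_modules/plugin-a": {"version": "2.1.0",
                                  "dependencies": {"lib-b": "^1.2.0"}},
        # plugin-a requires an older lib-b range, so it got its own copy
        "node_modules/plugin-a/node_modules/lib-b": {"version": "1.2.3"},
        "node_modules/lib-b": {"version": "1.4.1"},
    },
})

# Constructed: the lowest version of each library you consider acceptable
# (for example, the release that fixed a known issue). Hypothetical names.
MINIMUM_OK = {"lib-b": (1, 4, 0), "plugin-a": (2, 1, 0)}


def parse_version(text):
    """Turn '1.4.1' (or '1.4.1-beta') into a comparable tuple (1, 4, 1)."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def outdated_installs(lock_json, minimum_ok):
    """Return (install_path, name, version) for every installed copy,
    top-level or nested, whose version is below its acceptable minimum."""
    packages = json.loads(lock_json)["packages"]
    findings = []
    for path, info in packages.items():
        if path == "":            # the root project entry, not a dependency
            continue
        # the package name is whatever follows the last "node_modules/"
        name = path.rsplit("node_modules/", 1)[1]
        version = info["version"]
        floor = minimum_ok.get(name)
        if floor and parse_version(version) < floor:
            findings.append((path, name, version))
    return findings


if __name__ == "__main__":
    for path, name, version in outdated_installs(SAMPLE_LOCK, MINIMUM_OK):
        print(f"{name}@{version} is below the minimum; installed at {path}")
```

Running it flags only the nested `lib-b@1.2.3` under `plugin-a`; a check that looked at top-level packages alone would have passed the site as fully updated.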

Down The Rabbit Hole

At this point, you might be wondering why this is necessary and where it ends.

The simple answer to the first part is that, just like your personal computer or phone, attackers want to use your site for their own purposes. This can include any number of the following activities:

  • Processing phishing data – They can set up your site as a phishing site or simply as a location to store data from a phishing site.
  • Deploying malware to personal computers – They can use your site to deliver malicious downloads or attack the browsers of visitors.
  • Cryptocurrency mining – They can set up your site to mine for cryptocurrency, either on your site or through the browsers of visitors.
  • Stealing your visitors’ data – They can also set up scripts that copy the information that your site collects and then use it to further their own ends.
  • Performing attacks against other sites – They can use your site as a jumping-off point to attack other sites.
  • And many other things.

Attackers compromise sites by using vulnerabilities in the software used, whether that is in a WordPress plugin or a JavaScript library, or they perform what is known as a “supply chain attack” to abuse the process by which people find plugins and libraries. This could be as simple as finding old plugins and libraries that haven’t been updated in a while and publishing their own “update”, hacking into the account of the developer and adding their malicious code to a common library, contributing a code change to a project with ‘invisible’ characters that change how the code works, or publishing new components that use names which imply they are safe, an attack known as “brandjacking”.

As for the second part, “where does it end,” the short answer is that it doesn’t. Much like your personal computer, updating your site never ends because there are always vulnerabilities to patch, new features to add, and old functionality to remove.

However, there are ways that you can make it easier on yourself.

What You Can Do

There are some simple steps that you can take to make securing your site much easier.

First and foremost, remove all components that you no longer use. If you installed a plugin or library “just to try it” and then decided to not use it, MAKE SURE TO REMOVE IT. If it is installed, it can possibly be used to attack your site or others. By removing the unused component, you are removing any chance of that component being abused on your site.

Secondly, enable auto-update features, if available. This will ensure that any updates are applied as soon as they are available.

Third, only use legitimate sources for your components. If you see a premium plugin or theme that you absolutely need to have for your site, don’t go out to find a “free version” of it from someone else. These “nulled” components (called “nulled” because their licensing code has been removed) have been modified from their original code. The groups that perform this “service” are not doing this for free either. Many times, they add in their own code to the components and this additional code is often malicious. So, the next time you see a theme that costs money and think “I’ll just find a free version,” remember that the “free version” might just compromise your site.

Lastly, regularly review your site. Any time you look to update your site with new features and functionalities, also look at what unused features you can remove.

If you use a CMS, we have a few specific pointers here aimed at WordPress but applicable to all content management systems.

Summary

The new year is a perfect reason to review your site and take out anything that isn’t being used, whether a plugin, theme, library, or user account. However, much like your car, it helps to check it regularly to make sure everything is working properly. Be proactive and keep your site up to date and secure. Let SiteLock be your resource for protecting your site from these and other vulnerabilities with our website security solutions. Contact us now to learn more about how we can help keep your site safe and secure today.

About The Author

Maarten Broekman has worked as a system administrator and systems engineer for over 25 years, primarily in the shared web-hosting space. One of the main concerns for web-hosting providers is being able to serve their customers’ websites as quickly and efficiently as possible. As a result, anything that detracts from performance needed to be examined closely and this is where his interest in malware and code analysis sprang from. For over a decade, finding, decoding, and removing malware (and automating that process) has been his primary focus.
