Even basic library websites are not immune to compromise, hacking, or simple failures of technology. We may not keep valuable personal information on a website, but any website, and especially an unguarded, unmaintained one, is a fruitful target for those with bad intentions.
This tutorial will cover:
- Why a library website might be targeted
- The motivations of bad actors
- How technology glitches can cause website errors that look like attacks
- The methods bad actors use to gain access to a website
- The symptoms of a website attack (or technology failure)
- Steps for protecting your website – ongoing
- Steps for protecting your website – one time or periodic review
Why hack a library website?
Hackers aren’t targeting library websites – they are looking for low-hanging fruit wherever they can get it.
- WordPress has vulnerabilities because it is widely used and open source.
- Libraries built on WordPress may share common vulnerabilities – essentially collateral or opportunistic damage of a larger campaign.
Hackers don’t care that they (likely) won’t get anything of value – if it’s easy to compromise a site, they’ll just do it.
Motivations for compromising a website
Original source: https://www.wordfence.com/learn/how-to-protect-yourself-from-wordpress-security-issues
- Hijack a website to send spam
- Host malicious/undesirable content to avoid online filters
- Steal website data
- Redirect your legitimate traffic to a spam site (“spamvertize”)
- Turn around and hack other websites
- Any of these things can get your library’s website blocked by browser “safe browsing lists.”
Is it a hack or a glitch?
Bugs in WordPress code can sometimes have the same symptoms as a website hack, but the intent is not malicious.
Technology is complex and things break.
It is important to report significant glitches to websitehelp@librarieswin.org so LEANWI staff can determine if it’s a situation requiring rapid response, or wait for a code fix.
Methods of attack
Website plugins
- See https://training.librarieswin.org/website-101/plugins/ for a complete discussion.
- Keeping plugins up-to-date is key for preventing these attacks.
Phishing – compromised login credentials
- Phishing (tricking an individual into entering a username/password on an illicit page) still accounts for 80-90% of cyberattacks.
Old, outdated versions of WordPress/Themes
- Keeping your WP and Themes up-to-date prevents old vulnerabilities from being taken advantage of.
Denial of Service (DoS)
- A hacker overloads the website with illegitimate requests so that legitimate users can’t get in the door through the flood of bad internet traffic.
Host server
- IFLS/NWLS/WVLS LEANWI websites are self-hosted on our own server, which, while guarded, is not 100% immune from compromise. WRLS websites are hosted with a reputable hosting provider, but they are not 100% guaranteed safe either, because nothing is 100% secure in this world.
Symptoms of an attack
Follow this link for a case scenario of a specific LEANWI website hack
Symptoms
- My website is “acting strange”
- Pages not loading, website slow or unresponsive (note, this may also be due to server capacity issues)
- Unexpected things on pages (like links in the footer that you didn’t add) or missing content
- Popups for ads or spam when pages are loaded on my site
- Users are randomly redirected to other websites
- Search engine warnings – if somebody searches for and clicks on your site and they’re told “This site may harm your computer.”
- I can’t log in – even though I’m sure my password is correct
- There are new, unexpected users added to our website users list
- Missing or disabled plugins
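The “unexpected things on pages” symptom above can be checked without reading every page by hand. The script below is an added example for this tutorial (not LEANWI code): it reads a saved copy of a page’s HTML and reports every link, script, iframe, stylesheet or form that points to a domain outside an allowlist you maintain. The allowlist, the library domain and the sample page (which contains a hidden spam link and an outside tracking script) are constructed for the example.

```python
"""Audit a saved copy of a library web page for links and scripts that point
outside the domains you expect. Added example for this tutorial, not LEANWI
code; the allowlist and the sample HTML below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: domains the library's pages are expected to reference.
# Subdomains of each entry are accepted as well.
ALLOWED_DOMAINS = {"example-library.org", "librarieswin.org"}

# Constructed sample page: a hidden spam link in the footer and an outside
# tracking script in the head are the kind of things a compromised site shows.
SAMPLE_HTML = """<html><head><title>Example Library</title>
<script src="//cdn.evil.example/track.js"></script>
</head><body>
<a href="/hours">Hours</a>
<a href="https://catalog.example-library.org/">Catalog</a>
<a href="mailto:info@example-library.org">Email us</a>
<footer>
<a href="https://training.librarieswin.org/website-101/plugins/">Plugins guide</a>
<a href="https://cheap-pills.example/buy" style="display:none">buy now</a>
</footer></body></html>"""


class _RefCollector(HTMLParser):
    """Collect the URL attribute of every tag that can pull in outside content."""
    WATCHED = {"a": "href", "script": "src", "iframe": "src",
               "link": "href", "form": "action"}

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, url) in page order

    def handle_starttag(self, tag, attrs):
        attr = self.WATCHED.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.refs.append((tag, value))


def _host_allowed(url, allowed):
    """Relative links and mailto: links have no host and belong to the site."""
    host = urlsplit(url).hostname
    if host is None:
        return True
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def find_unexpected_refs(html, allowed=ALLOWED_DOMAINS):
    """Return (tag, url) pairs whose host is not covered by the allowlist."""
    parser = _RefCollector()
    parser.feed(html)
    return [(tag, url) for tag, url in parser.refs
            if not _host_allowed(url, allowed)]


if __name__ == "__main__":
    for tag, url in find_unexpected_refs(SAMPLE_HTML):
        print(f"unexpected <{tag}> pointing to {url}")
```

Run it against a page saved from your browser (or fetched with a tool you trust) and review anything it lists; a link you did not add, or a script from a domain you do not recognise, is a reason to contact websitehelp@librarieswin.org. Protocol-relative URLs (`//cdn...`) are handled because the parser still sees the host part.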
Protecting your website - ongoing actions
Choose strong passwords
- Don’t make your password easy to guess
Don’t get phished
- Not just e-mail – make sure you’re actually signing into your library’s admin page, not a fake page made to look like your login page. Check the address bar when logging in.
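“Check the address bar” means checking the real host of the page, not just whether your library’s name appears somewhere in the URL. The following added example (not LEANWI code) shows the comparison a careful person does in their head, written out so the common lookalike tricks are explicit: a hostname that merely starts with your domain, a `your-domain@` prefix in front of a different host, a swapped character, or a plain `http://` page. The expected host is a constructed placeholder.

```python
"""Decide whether a login page URL really points at the library's own site.
Added example for this tutorial, not LEANWI code; the expected host is a
constructed placeholder."""
from urllib.parse import urlsplit

EXPECTED_LOGIN_HOST = "www.example-library.org"  # constructed placeholder


def why_login_url_rejected(url, expected_host=EXPECTED_LOGIN_HOST):
    """Return None if the URL is the genuine login page, otherwise a short
    reason. The parsed hostname is compared, so text before an '@' and any
    ':port' are ignored, and the host must match exactly (no suffix tricks)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return "not https"
    host = parts.hostname  # None for relative URLs or bare paths
    if host is None:
        return "no host in URL"
    if host.lower() != expected_host.lower():
        return f"host is {host}, expected {expected_host}"
    return None


def login_url_is_genuine(url, expected_host=EXPECTED_LOGIN_HOST):
    return why_login_url_rejected(url, expected_host) is None


if __name__ == "__main__":
    # Constructed samples: one genuine page and the usual phishing shapes.
    for sample in [
        "https://www.example-library.org/wp-login.php",
        "http://www.example-library.org/wp-login.php",
        "https://www.example-library.org.login-verify.com/wp-login.php",
        "https://www.example-library.org@evil.example/wp-login.php",
        "https://www.examp1e-library.org/wp-login.php",
    ]:
        print(sample, "->", why_login_url_rejected(sample) or "OK")
```

The `@` case is the one people miss most often: browsers treat everything before the `@` as a username, so `www.example-library.org@evil.example` takes you to `evil.example`. Case differences and an explicit `:443` port do not change the host and are accepted.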
Keep your library’s website admin users list up-to-date
- If library staff who have a login to your website leave, report this to websitehelp@librarieswin.org or remove their user account. If you share a login with multiple staff, change your password when a user leaves library employment.
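Keeping the users list up-to-date is easier if you keep a short written roster of who is supposed to have a login and what role each should have, then compare the site against it periodically. The script below is an added example for this tutorial (not LEANWI code): it takes the site’s user list in the shape produced by WP-CLI’s `wp user list --format=json` (the `user_login` and `roles` fields) and reports accounts that are not on the roster, accounts whose role has changed, and roster members that are missing. The roster and the sample user list are constructed; the sample includes an unknown administrator account and an editor who has been promoted.

```python
"""Compare a WordPress user list against the library's expected roster.
Added example for this tutorial, not LEANWI code; the roster and the sample
user list below are constructed."""
import json

# Constructed roster: login -> role each person is supposed to have.
EXPECTED_USERS = {
    "jdoe": "administrator",
    "mlibrarian": "editor",
    "frontdesk": "author",
}

# Constructed sample in the shape of `wp user list --format=json` output.
CURRENT_USERS_JSON = """[
 {"ID": 1, "user_login": "jdoe", "user_email": "jdoe@example-library.org",
  "roles": "administrator"},
 {"ID": 2, "user_login": "mlibrarian", "user_email": "ml@example-library.org",
  "roles": "administrator"},
 {"ID": 3, "user_login": "frontdesk", "user_email": "desk@example-library.org",
  "roles": "author"},
 {"ID": 9, "user_login": "wp_support_admin", "user_email": "adm@mail.evil.example",
  "roles": "administrator"}
]"""


def audit_users(users_json, expected=EXPECTED_USERS):
    """Return a list of (finding, login, detail) tuples; empty means no drift."""
    findings = []
    current = {u["user_login"]: u for u in json.loads(users_json)}
    for login, user in current.items():
        if login not in expected:
            findings.append(("unexpected_user", login, user["roles"]))
        elif user["roles"] != expected[login]:
            findings.append(("role_changed", login,
                             f"{expected[login]} -> {user['roles']}"))
    for login, role in expected.items():
        if login not in current:
            findings.append(("missing_user", login, role))
    return findings


if __name__ == "__main__":
    for finding, login, detail in audit_users(CURRENT_USERS_JSON):
        print(f"{finding}: {login} ({detail})")
```

An account you do not recognise with the administrator role is exactly the “new, unexpected users” symptom from the previous section; when staff leave, remove them from both the roster and the site so the next comparison stays clean.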
Keep WordPress, your Themes, and Plugins up-to-date
- Review https://training.librarieswin.org/website-101/plugins/ for a detailed discussion.
Protecting your website - one time or periodic review
Turn commenting off and leave it off
- 99.9% of comments left on library website posts are spam. Keep audience interaction to social media (if you use it).
Don’t allow a “guest poster”
- Libraries occasionally/regularly get emails from companies asking to post to library websites. Sometimes it’s requesting to add a link to a “resource” on a page, sometimes it’s a request for a guest account access. Send these requests to spam.
Remove plugins you don’t use and inactive themes
- Keep a Divi theme (Divi child theme if you have one) and one extra theme. Remove all other themes.
- Set plugins to “auto-update” and always run plugin/theme updates when prompted.
Don’t add code you’re not 100% confident in
- Always ask websitehelp@librarieswin.org before adding new code, widgets, features, or plugins from untested sources. If you don’t know if it’s a tested source, don’t add it.