How to stop malware attacks on PHP-based CMSs like WordPress, Drupal and Magento


Malware is taking advantage of an easy path to your machines. By tampering with the standard Content Management System (CMS) templates used for web application development, attackers combine an age-old technique, phishing, with template modification to gain entry and compromise applications built with WordPress, Drupal, Magento and other open-source platforms.

Millions of systems have been compromised to date.

The web is full of such attack vectors, and this trend shows no signs of abating in the near future as patched problems are replaced by newer and more ingenious attack routes. While there is no silver bullet, the risk of falling victim to such malware attacks can be minimised.

A few months ago I learned a very interesting and new method to inject malware into Joomla templates. I’ve since discovered that this attack vector is not limited to just Joomla templates, but such attacks can happen using many other standard CMS templates as well. This technique allows the attacker to gain access to the compromised servers and install malicious files that can then spread and wreak further havoc throughout the application.

Cyber attackers who use this method inject simple PHP code into the CMS templates. This code then lets them fetch further files from a remote location, helping the malware spread across the compromised server. The end result is that the cybercriminal can take full control of the victim machine.

I have tried this attack vector on test systems that we have spun up in-house and I can confirm that this works!

A malware infection through this method can be avoided if all stakeholders play their part.

The fix for developers

Developers often don’t realise that they are at the forefront of the pushback against hackers. By employing secure coding practices alongside a regular process to find and fix vulnerabilities, developers can ensure that they play their part in keeping the application and its users safe.

Accordingly, developers should:

  1. Minimise changes to the CMS’s core building blocks.
  2. Use checksum hashes to validate the version of the code that is deployed.
  3. Only download free code and modules from trusted sources, ideally packages backed by an active community that updates them regularly.
  4. Check downloaded or externally sourced code for application security vulnerabilities or backdoors using the best vulnerability scanning tool available.
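Point 2 in practice: the following POSIX shell script is an added example, not code from the original post or from any CMS project. It records a SHA-256 manifest of every PHP file in an install right after a clean deployment, and later reports files that were modified, removed, or newly dropped into the tree (which is exactly how injected template code shows up). Directory and manifest paths are assumptions; it relies on GNU `sha256sum` and assumes file names contain no whitespace.

```shell
#!/bin/sh
# Added example: baseline and verify the integrity of a CMS install's PHP
# files. Usage: make_manifest <site_dir> <manifest>; verify_manifest <site_dir> <manifest>
set -eu

# Write "<sha256>  <relative path>" for every .php file under $1 to $2.
# Run this immediately after a clean install or a verified upgrade and keep
# the manifest somewhere the web server cannot write to.
make_manifest() {
    dir="$1"; manifest="$2"
    ( cd "$dir" && find . -type f -name '*.php' | LC_ALL=C sort | xargs sha256sum ) > "$manifest"
}

# Compare the live tree against the manifest. Prints one line per finding:
#   MODIFIED <path>  content differs from the recorded hash (e.g. injected template code)
#   MISSING  <path>  a file recorded at baseline is gone
#   NEW      <path>  a .php file that did not exist at baseline (e.g. a dropped backdoor)
# Returns 0 when the tree is clean, 1 when anything was flagged.
verify_manifest() {
    dir="$1"; manifest="$2"; rc=0
    while read -r hash path; do
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(sha256sum "$dir/$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$manifest"
    # Anything on disk that the manifest does not know about was added after baseline.
    for path in $(cd "$dir" && find . -type f -name '*.php'); do
        awk '{print $2}' "$manifest" | grep -qxF -- "$path" || { echo "NEW $path"; rc=1; }
    done
    return "$rc"
}
```

Run `verify_manifest` from cron or your deployment pipeline and treat any non-zero exit as an incident to investigate, not a nuisance; after a legitimate upgrade, regenerate the manifest from the verified package.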

The fix for system administrators

System admins are usually held responsible when cybersecurity breaches happen. They also have a lot of responsibility to ensure that the appropriate security measures are in place and compliance with those measures is strong.

  1. Use an Agile methodology for development and maintenance so issues can be identified and resolved quickly.
  2. Conduct thorough automated regression testing to ensure business rules are applied correctly throughout the application.
  3. Whitelist the IP ranges allowed to access the server and the application backend.
  4. Regularly run malware checks.
  5. Plan, and stick to, a disciplined and structured data backup regime so you can recover from an attack.
  6. Conduct penetration tests before all major releases and fix all high- and medium-risk vulnerabilities quickly.

Using smart vulnerability scanning tools as part of your regular software engineering processes is a proven way to achieve this.

General guidance for users who create or edit content using a CMS

Users who have access to the backend of a CMS, i.e. where content is created, managed and uploaded, should never click or open suspicious links in emails. They should also report such links to their teams when found.

Phishing attacks through email are the most common method hackers use to steal usernames and passwords that they can then use to attack a CMS.

Other common-sense safeguards to implement include:

  • Ensuring that they only access the application backend from trusted networks.
  • Installing and maintaining updated versions of reputable anti-virus and anti-malware applications on their computers.
  • Never sharing their usernames and passwords with anyone.
  • Using passphrases instead of passwords. A passphrase consists of 4 random words and should also include uppercase and lowercase characters as well as numbers and symbols where possible.

Open-source CMSs and platforms like WordPress, Joomla, Drupal and Magento are incredibly complex, flexible and powerful applications. However, their most sought-after advantage, namely their flexibility, can also become their Achilles’ heel.

If you need help in finding cybersecurity vulnerabilities in your web application or with effective and constant security monitoring of your CMS, speak to us to understand how our application security testing services will be able to help you.


Author Bio

Yaman is a cybersecurity marketing intern at Audacix. World-class SaaS and digital software teams use Audacix’s and penetration testing services to avoid “oh s**t Monday’s”!

If you want to ship your SaaS with zero security holes and fewer bugs, talk to the Audacix team now.