[Updates] Script Updates
Wednesday, August 13th, 2014 - Updates
We have seen a large increase in the number of accounts that have been hacked, defaced, and used for abusive purposes on our servers and 99% of these incidents are traced back to users using outdated scripts or outdated/insecure/poorly written plugins, addons, components, extensions, or themes. You may have recently received a message from us detailing some of the outdated scripts on your account. This post aims to provide more information about outdated scripts.
Joomla! has set the end of life for Joomla! 2.5 at December 31, 2014. If you are using an unsupported version of Joomla!, I would encourage you to forgo Joomla! 2.5 and opt for Joomla! 3.3 because of its longer life expectancy at this time. Users of Joomla! 2.5 need to be thinking about and making arrangements to upgrade to Joomla! 3.3 by the end of the year. The term “end-of-life” means that the software is no longer supported: security holes found in “end-of-life” software will not be patched.
First, if you received a message from us, it likely contained a segment (or multiple segments) that looked like:
Account: xxxxxxxx
Script: xxxxxxxx
Installed Path: xxxxxxxx
Installed Version: xxxxxxxx
Latest Version: xxxxxxxx
Script Website: xxxxxxxx
If you received an email from us with the above information and it concerns accounts that you do not have direct control of, then it is your responsibility to pass that information on to the persons who do have control of those accounts. For example, resellers may not have direct access to their resold accounts, but they still need to pass this information on to them. We do not contact your resold accounts directly. If an account gets exploited and it was never updated because you didn’t pass the information on, unfortunately that’s not a valid excuse. We contacted you to let you know of the outdated scripts. That is as much as we can do.
(Added August 16, 2014 10:30PM EDT)
There are some key parts to this segment:
Script: This tells you the name of the script being referred to. Common examples include WordPress and Joomla!
Installed Path: This tells you the path, relative to your web hosting account, of the outdated script. It is important to pay attention to this. For example, you may have a WordPress script installed in the DocumentRoot of your web hosting account (i.e. http://yourdomain.com) but you may have another WordPress script installed somewhere else on your web hosting account that you forgot about or no longer need. That will be detailed here. Don’t assume that this is referring to a script that you are aware of. If it is listed, then it is very likely outdated and needs to be addressed one way or another.
Installed Version: This tells you the version of the script that is installed on your web hosting account at the specified location.
Latest Version: This tells you the latest version of this script released by its developers. This is the version, at minimum, that you need to upgrade to.
Script Website: This gives you a link to the website of the developers of that specific script. For example, WordPress will send you to http://www.wordpress.org and Joomla! will send you to http://www.joomla.org. You can visit these websites for more information on the correct upgrade procedures.
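The following is an added example, not the hosting provider's own scanner: a short Python script that walks an account for every WordPress copy, including forgotten ones in subdirectories, and reports those older than a given latest version using the same field names as the notice. It relies on WordPress storing its release in wp-includes/version.php as $wp_version; the directory layout and version numbers in the sample are constructed.

```python
import os
import re
import tempfile

# WordPress records its release in wp-includes/version.php as: $wp_version = '3.9.2';
WP_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")


def version_key(version):
    """Turn '3.9.2' into (3, 9, 2) so versions compare numerically, not as text."""
    parts = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    while len(parts) < 3:  # treat '3.9' and '3.9.0' as the same release
        parts.append(0)
    return tuple(parts)


def find_wordpress_installs(account_root):
    """Walk the whole account and return [(install_path, installed_version)]."""
    installs = []
    for dirpath, _dirnames, filenames in os.walk(account_root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            with open(os.path.join(dirpath, "version.php"), errors="replace") as fh:
                match = WP_VERSION_RE.search(fh.read())
            if match:
                installs.append((os.path.dirname(dirpath), match.group(1)))
    return sorted(installs)


def outdated_report(account_root, latest_version):
    """Return notice-style records for every install older than latest_version."""
    return [
        {"Installed Path": path, "Installed Version": ver, "Latest Version": latest_version}
        for path, ver in find_wordpress_installs(account_root)
        if version_key(ver) < version_key(latest_version)
    ]


def build_sample_account(root):
    """Constructed sample: a current site plus a forgotten copy in a subdirectory."""
    for rel, ver in (("public_html", "3.9.2"), ("public_html/old-blog", "3.5.1")):
        inc = os.path.join(root, rel, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w") as fh:
            fh.write("<?php\n$wp_version = '%s';\n" % ver)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_account(root)
        for rec in outdated_report(root, "3.9.2"):  # sample "latest" value, supplied by the caller
            print("\n".join("%s: %s" % item for item in rec.items()))
```

On a real account, pass your home directory and the Latest Version value from the notice to outdated_report instead of the constructed sample.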
• How do I upgrade my script?
Upgrading WordPress or Joomla! (any version greater than 2.5) should typically be fairly easy: in most cases it is just a matter of a single click in the admin area of the script. If you installed the script using Softaculous, then you may be able to upgrade it from the Softaculous interface in your cPanel. The link to the specific script’s website can be useful for finding specific instructions for upgrading the script. Some helpful links include:
• Why is it important to keep scripts up to date?
Developers are continually working on their applications. Hackers and malicious users are always on the prowl looking for ways to exploit some of the most popular web applications and scripts. When a security hole is found in a script, the developers of that script or web application will typically rewrite that section of the code so as to close the security hole. This is why applications and scripts get updates: to fix those security holes.
You may be familiar with the Windows operating system and the number of patches Microsoft releases for it. Typically your operating system will download those patches and will either reboot your computer or ask you to reboot your computer to apply those patches. Those patches are there to protect your computer and system from known security threats.
Updates to scripts and web applications are no different: they apply security patches to guard against newly found threats. The difference between a web application or script and your desktop computer is that a web application or script is constantly on the web. Your website is always up, always available. You may turn your desktop computer off at night or when you are not using it. A computer or system that is off or not connected to the Internet is much, much, much less likely to be exploited. But because your website is constantly web accessible, protecting it against security threats is of the utmost importance.
• What happens if I don’t upgrade my scripts?
Sadly, we have seen quite a few users who elect to go this route, either thinking, “My website is working now, so why fix something that isn’t broken?” or being too afraid that the upgrade process will “break” their website. While there are merits to each of these arguments, I can also tell you that there are some disastrous consequences in following this line of thinking.
We deal with security issues on accounts every day. We deal with multiple accounts every day. Speaking from experience, I can tell you that if you don’t keep your scripts/plugins/components/extensions/themes all up to date, then you should expect to be hacked/defaced/compromised/exploited. There’s no real tactful or easy way to make that point. The reason new versions of scripts and web applications are released is to patch known security holes. If you choose not to upgrade, then you are allowing hackers and other malicious users to take advantage of those known security holes.
Once an account gets hacked and compromised, the integrity of all of the files on that account falls into question. A lot of times, the only recourse is to completely wipe the account out and start over with fresh files and fresh content, meaning that the account loses all of its previous content. I am sorry that this has to happen, but it is part of the consequences of not keeping a hosting account or script up to date.
• What can I do to protect my account?
Keeping your scripts up to date is the best thing to do.
Keeping your plugins/themes/components/addons/extensions/etc. all up to date is also very important.
It is also important to use reputable scripts and plugins/themes/components/addons/extensions/etc. There are a lot of plugins/components/extensions/themes that are just not well written, or that quickly become abandoned, meaning their developers no longer update them. This is why it is important to only use well-known and reputable extensions for your script. A plugin or theme may exist that does exactly what you want it to, but if it’s poorly written or insecure and leads to your website being hacked, compromised, and defaced, then it’s not much help to you.
Use strong passwords. There is a huge botnet that comes around every few months that attempts to brute force its way into popular scripts and web applications by guessing admin usernames and passwords. If you are using a weak password, then it will be easy for this botnet to brute force its way into your script.
Any additional security layers you can add to your script will benefit you. These would include extra login prompts, image captcha systems, two-factor login systems, etc. The more security you can put between your website and a potential hacker, the more likely you are to avoid simple hacks. Hackers typically have a defined method for hacking a website. If you have an extra layer of security that disrupts that defined method, it causes most hacking attempts to move on to another website.
• I have already been hacked, what can I do?
Unfortunately, once you are hacked you can no longer trust the integrity of the files on your account. You do not know what all was tampered with, what backdoors may have been left behind, or what access points the hackers and malicious users may have left behind for themselves. Once you are hacked and compromised, the only real recourse is to completely wipe your account and start all over again. That is why it is so important that you be proactive in regards to the security of your website, taking measures to prevent a hack in the first place.
We have seen a very large uptick in instances where accounts were hacked months or even years ago. Hackers may not have done anything to exploit the account at that time; instead, the hack just lies dormant until the hackers call upon it many months later. So it is possible that your account may have already been hacked and you don’t know it.
As always, if you have any questions or need additional help, you can submit a support ticket at:
Steven – AMS Support