Over the holidays (naturally) some [expletives deleted] inserted some malware into this site.  It redirected viewers to an attack site, no doubt to nefarious ends.  The vulnerability appears to have been in a WordPress 4.0 script.  We’ve updated to WP 4.1 and taken other necessary steps.

Lessons learned:

  • Web sites aren’t “set and forget”.
  • Being a low-value target is not a defense.
  • Security updates don’t happen automagically.
  • Don’t trust the tools to set up protections appropriately.
  • Google and stopbadware.org are your friends… in the “tough love” sense of friends.
  • My first incident response involved a lot of trial-and-error.  I can’t imagine how a site owner with no CS background could begin to deal with these kinds of problems.

Anyway, all clear.  Maybe someday law enforcement will catch up with these [expletives deleted].
