Vulnerable Website Plugins
Plugins are bits of code designed to give extra functions to websites. Like all software, these can have vulnerabilities which criminals can exploit.
Plugins are a great way to add extra functionality to websites easily, as developers/designers don't have to spend time writing absolutely everything themselves. The rise of website builders such as WordPress/Shopify/Wix has meant that thousands of businesses are often using similar plugins, so criminals can affect a large number of businesses and their customer bases if a single vulnerability is exploited.
If a website is hacked through vulnerable plugins, criminals can gain access to customer names/email addresses/passwords/other sensitive information.
Alternatively, they could use your website to attack others, making it look as though the attacks come from a legitimate source.
If you are responsible for maintaining your website, then here are a few things to keep in mind when managing plugins:
- Keep your plugins up to date (some plugins are no longer supported and no longer receive security updates; consider replacing these)
- Choose reputable plugins from reputable sources
- Delete any plugins you're no longer using
- Use only plugins that you need (consider whether your website really needs certain functionalities - by reducing the number of plugins, you reduce the number of potential vulnerabilities you have)
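The four checks above can be run against a plugin inventory rather than by hand. This is an added example, not code from the original page: it triages the JSON that WP-CLI's `wp plugin list --format=json` emits (the `name`, `status`, `update` and `version` fields are assumed), using a constructed sample inventory and hand-written release dates so it runs offline; the two-year "unsupported" threshold is also an assumption.

```python
"""Triage a WordPress plugin inventory: flag plugins to update, delete or replace."""
import json
from datetime import date, timedelta

# Constructed sample of what `wp plugin list --format=json` returns (field names assumed).
SAMPLE_INVENTORY = json.dumps([
    {"name": "contact-form", "status": "active", "update": "available", "version": "5.1.0"},
    {"name": "image-gallery", "status": "inactive", "update": "none", "version": "2.3.4"},
    {"name": "old-seo-helper", "status": "active", "update": "none", "version": "1.0.2"},
    {"name": "cache-booster", "status": "active", "update": "none", "version": "3.2.1"},
])

# Constructed: date of each plugin's most recent release. On a real site this would be
# looked up in the plugin directory; here it is hand-written sample data.
LAST_RELEASE = {
    "contact-form": date(2024, 3, 1),
    "image-gallery": date(2023, 11, 15),
    "old-seo-helper": date(2021, 6, 2),
    "cache-booster": date(2024, 2, 20),
}

ASSESSMENT_DATE = date(2024, 4, 1)
ABANDONED_AFTER = timedelta(days=2 * 365)  # assumption: two years with no release


def triage_plugins(inventory_json, last_release, today):
    """Return {plugin name: [actions]} for every plugin that needs attention."""
    findings = {}
    for plugin in json.loads(inventory_json):
        name = plugin["name"]
        actions = []
        # "Delete any plugins you're no longer using"
        if plugin["status"] == "inactive":
            actions.append("delete: not in use")
        # "Keep your plugins up to date"
        if plugin["update"] == "available":
            actions.append("update: newer version available")
        # "some plugins may not be supported" - no release for a long time, or unknown origin
        released = last_release.get(name)
        if released is None or today - released > ABANDONED_AFTER:
            actions.append("replace: no recent releases, may be unsupported")
        if actions:
            findings[name] = actions
    return findings


if __name__ == "__main__":
    for name, actions in triage_plugins(SAMPLE_INVENTORY, LAST_RELEASE, ASSESSMENT_DATE).items():
        print(f"{name}: {'; '.join(actions)}")
```

Every plugin that appears in the report is either a vulnerability surface to remove or one to patch; the remaining count is the attack surface you have chosen to keep.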
If you are not responsible for running your website, make sure to use a reputable hosting provider
Make sure that whoever is hosting/running your website takes security seriously. Unfortunately, new vulnerabilities are constantly being discovered, which means that you need to be confident that your website is receiving security updates. As with any other procurement, do research around a company's track record, and look to see what accreditations they have (e.g. Cyber Essentials or Cyber Essentials Plus can be an indicator that they are aware of their security responsibilities).
Use strong and separate passwords
Secure your website login account with a strong password, and do not reuse that password across different accounts. A strong password combines random words into a long phrase - you can also misspell words/substitute letters for symbols and numbers to strengthen a password.
Turn on two-factor authentication (2FA)
2FA is an extra layer of protection which double-checks that you are who you say you are when logging in to accounts/applications. A 2FA service will send an extra code to the device that you register it to, meaning that unless cyber criminals have access to that device in some way, they won't be able to log in to your account. If possible, use an authenticator app rather than a text-based 2FA service, as this is generally more secure and defends against SIM swapping attacks.
If you've been affected by this or any other type of cyber crime, report the details to Action Fraud (0300 123 2040 / www.actionfraud.police.uk). Always keep an eye out for any suspicious follow-up activity as well.