Celebrity chef Jamie Oliver’s website was recently discovered to be harbouring malicious software for a second time this year. Two security companies have independently found evidence that hackers put malicious code on the site which meant that anyone visiting using a vulnerable browser risks losing login names, passwords and other data.
A spokesman for Jamie Oliver confirmed the site had been hit and said it had now cleaned it up. The site first fell victim to hackers in mid-February and that breach was quickly cleaned up after administrators were told about the problem. Anyone visiting the site using the Internet Explorer browser that did not have up-to-date plug-ins for Java and Flash would be infected.
The malicious code lurking on the site helps to install a virus on compromised machines called Dorkbot.ED which watches what people do online and grabs copies of any login or password information. It also blocks security updates and can use victims’ machines as proxies for other web attacks.
The Jamie Oliver website is visited by about 10 million people per month which makes it a very attractive target for cyber-thieves. The website uses the open source Content Management System Concrete5 which is widely used and has a generally good record for security, however I doubt we’ll ever hear the outcome of what is likely to be a feverish internal inquest into how this happened.
Although we almost exclusively design and build websites using WordPress, security and maintenance of the websites is critical after launch. The process often isn’t anything very technical but needs to be done:
- using hard-to-guess username and password combinations for administrators and editors.
- keeping up to date with the latest version of the WordPress – generally the automatic updates work well, but make sure your website files and database are backed up before applying an update.
- keeping up to date with the latest version of plugins – for example the popular SEO plugin Yoast recently released a very important update that fixed a number of security issues as well as improved features and speed.
- keeping up to date with the latest theme updates – if you are making customisations then use a child theme and these will be preserved if you update the main theme.
- keeping other passwords for FTP access and database secure and hard-to-guess.
- hosting your website with a competent provider that keeps their severs patched and up-to-date with the latest software.
No one takes any great pleasure in highlighting the problems experienced by a high-profile website. Keeping your website up to date with all the above will not guarantee website security but it should prevent most attacks. This good housekeeping will also help improve the website ranking as updates usually provide greater speed (a search engine ranking factor) and websites with security issues will be downgraded by search engines.