UPDATED 08:01 EDT / APRIL 08 2015


Allahu Akbar: FBI warns WordPress installs being targeted by Islamic State supporters

The Federal Bureau of Investigation (FBI) has posted an official warning to users of Automattic Inc.’s WordPress content management system (CMS) to make sure their installs are up-to-date following repeated cases of the Islamic State (also known as ISIL and ISIS) hacking un-updated WordPress blogs.

The warning states that defacements have affected sites and communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites.

The FBI adds that while the defacements demonstrate low-level hacking sophistication, they are disruptive and may be costly in terms of lost business revenue, as well as the cost to repair systems that have been hacked.

Tech specs

 

Although it does not specifically detail which parts of WordPress installs are vulnerable, the Bureau does say that plugins could allow “malicious actors” to take control of an affected system.

Successful exploitation of the vulnerabilities is said to potentially result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers.

Although the attacks currently result primarily in website defacements with pro-Islamic State (and related entities) messages, the warning adds that an attacker could install malicious software, manipulate data, or create new accounts with full user privileges for future Web site exploitation.

On the (somewhat) positive side, the FBI says that it doesn’t believe that WordPress blogs are being targeted by the Islamic State directly, but rather by those who are sympathetic to the rampage, murder, and medieval level of barbarity currently occurring in Syria and Iraq.

“These individuals are hackers using relatively unsophisticated methods to exploit technical vulnerabilities and are utilizing the ISIL name to gain more notoriety than the underlying attack would have otherwise garnered,” the warning notes.

Naturally, if you are running a self-hosted install of WordPress, the advice is, as always, to practice safe internet.

Make sure your WordPress install is up-to-date, and then check to see if your plugins are as well. If you’ve purchased plugins privately that aren’t available through the WordPress.org website, check back with the sites you purchased them from to see if there are any new updates, as some of these plugins often won’t warn you through the WordPress console that an update is available, let alone recommended for security reasons.

