First and foremost, if you’re using a popular Content Management System (CMS) like WordPress, you’ll want to install some sort of security software on your server, or an anti-malware plugin on your website. Two popular plugins for WordPress that have free versions available are WordFence and iThemes Security. I’ve tried both, and generally I like WordFence a lot.
After installing your security plugin, check with your website hosting company to see if they offer a firewall or other protection to keep out intruders. Use strong, unique passwords and keep your CMS, and every plugin on it, updated to the latest stable version. This is all standard advice, but there’s even more you can do.
According to WordFence, the attacks we saw recently were known as supply chain attacks. Some of these are carried out by hackers who tamper with an existing plugin, and some may even be built into a plugin as part of the original package. What better way to get distribution for your malicious software than by sneaking it into free tools and programs? We’ve seen this with mobile apps as well as website plugins. Luckily, the WordPress plugin repository removes and bans plugins that use stealth methods to insert cryptomining software into websites, such as the Animated Weather Widget by weatherfor.us. But what about code that is injected by bots scanning for security holes?
In your HTML, you’d normally use code that looks like this to add the popular JS library, jQuery:
To implement Subresource Integrity (SRI), you’d instead use code like this:
This might be alien to some of you, so just make sure your developer uses this technique when updating your website. All you need to do is visit this page to create the hash: https://report-uri.com/home/sri_hash