The digital currency market is growing, and with growth, we can only expect growing pains. Among these are the latest reports of hackers and digital currency theft. There was the BitGrail hack, which resulted in $170 million in NANO disappearing, and there was the Browsealoud plugin hack where an intruder injected Monero mining JavaScript into the code of over 4,000 websites, including government websites in both the US and the UK. The result was that cryptomining malware took over the CPU power of users’ computers as they visited these websites. Luckily, the hack was discovered before it turned into an even bigger mess. Many people who are technically savvy enough to get into various cryptocurrency investments today are also technically savvy enough to publish their own websites. If you’re among those of us who manage digital brands, you’ll want to know how to protect your websites from becoming infected in the same way. Luckily, there are some steps you can take.

First and foremost, if you’re using a popular Content Management System (CMS) like WordPress, you’ll want to install some sort of security software on your server, or an anti-malware plugin on your website. Two popular plugins for WordPress that have free versions available are WordFence and iThemes Security. I’ve tried both, and generally I like WordFence a lot.

After installing your security plugin, check with your website hosting company to see if they offer a firewall or other protection to keep out intruders. Use secure passwords and make sure that your CMS is updated to the latest stable version, as well as all of your plugins. This is all standard advice, but there’s even more you can do.

According to WordFence, the attacks we saw recently were known as supply chain attacks. Some of these are made by hackers, and some may even be built into plugins as part of the original package. What better way to get distribution for your malicious software than by sneaking it into your free tools and programs? We’ve seen this with mobile apps, as well as website plugins. Luckily, the WordPress plugin repository removes and bans plugins that are using stealth methods to insert their cryptomining software into websites, such as the Animated Weather Widget by weatherfor.us. But what about code that gets infiltrated by bots looking for security holes?

According to WordFence, you can further protect your website from JavaScript supply chain attacks by using a browser security feature called Subresource Integrity, or SRI. Put simply, by adding an integrity attribute to your <SCRIPT> tags, you let the browser compare the code it actually downloads against a hash of the original version, and refuse to run it if the two differ.

In your HTML, you’d normally use code that looks like this to add the popular JS library, jQuery:

To implement SRI, you’d instead use code like this:

This might be alien to some of you, so just make sure you get your developer to utilize this methodology when updating your website. All you need to do is visit this page to create the hash: https://report-uri.com/home/sri_hash

Once in place, this attribute makes the browser compare the script it downloads against the hash in your tag every time the page loads. If there's a difference, the JavaScript won't load. Simple! Naturally, there will be some plugin developers who do not follow best practices and upload new versions of their software to the same old location, rather than using proper versioning. When this happens, the hash no longer matches the file and you'll need to generate a new one. It's a minor inconvenience that will protect you and your website visitors.