29 Sep 2022

The Simple Way to Keep Your WordPress Website From Being Hacked Like Fast Company’s Was

The news outlet Fast Company has been in the news for the past couple of days over obscene push notifications sent out through Apple News and an apparently related hack of its WordPress-powered website. The hacker posted on Fast Company’s website a claimed explanation of how they were able to hack Fast Company’s WordPress installation and take further actions from there. While we can’t independently verify the claims, they read like something written by someone who is knowledgeable and would match up with what they were able to accomplish. Two things stood out for us in that: the hacker gained access to WordPress through an easily avoided security failure, and once the hack occurred it doesn’t appear that someone with expertise was brought in to address it.

Avoid Using a Weak Password

News reports we have looked at have obscured a key point: the hacker claims to have got in through a weak password. Here is how Engadget explained it:

They said that Fast Company had a default password for WordPress that was much too easy to crack and used it for a bunch of accounts, including one for an administrator.

Here is how the hacker explained it:

Thankfully, Fast Company had the ridiculously easy default password of “pizza123” on a dozen accounts, including an administrator account (sorry Amy!), so we got in there really easily.

So according to them, the Administrator account, which has access to everything in WordPress, had its password set to “pizza123”.

While it is often claimed by WordPress security companies that there are many brute force attacks against WordPress admin passwords, in reality what occurs are dictionary attacks, which involve trying to log in with common passwords like “pizza123”. There is a really easy way to avoid getting hacked through that type of attack, and it doesn’t involve any security solution (which might explain the misleading claims from security companies about brute force attacks happening). That solution is to use a strong password. WordPress has a built-in password strength meter. Here is the result if you enter pizza123 as the password:

Not only does WordPress warn that the password is “Very weak”, you have to check a box to “Confirm use of weak password”.
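The meter only warns; the weak password can still be saved by ticking the box. As an added example (not code from the original post or from WordPress itself), here is a must-use plugin that turns that warning into a hard rejection on both the profile screen and the password-reset form. The deny-list and the 16-character minimum are assumed policy values; the hooks `user_profile_update_errors` and `validate_password_reset` are WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Reject Weak Passwords (added example mu-plugin)
 * Description: Refuses to save a short or commonly guessed password instead
 *              of only warning, as the built-in strength meter does.
 * Place this file in wp-content/mu-plugins/ and it loads automatically.
 */

// Constructed deny-list for illustration; a real deployment would load a
// large breached-password list from a file instead.
const RWP_DENYLIST   = array('pizza123', 'password', 'password1', 'admin123', 'welcome1');
const RWP_MIN_LENGTH = 16; // assumed policy minimum

/**
 * Return a human-readable problem with $password, or '' if it is acceptable.
 */
function rwp_password_problem($password) {
    if (strlen($password) < RWP_MIN_LENGTH) {
        return sprintf('Password must be at least %d characters long.', RWP_MIN_LENGTH);
    }
    if (in_array(strtolower($password), RWP_DENYLIST, true)) {
        return 'That password is on a list of commonly guessed passwords.';
    }
    return '';
}

/**
 * Add an error to $errors when the submitted password (field "pass1") fails
 * the policy; WordPress then refuses to save the user and shows the message.
 */
function rwp_reject_weak_password($errors) {
    if (empty($_POST['pass1'])) {
        return; // no password change was requested
    }
    $problem = rwp_password_problem(wp_unslash($_POST['pass1']));
    if ($problem !== '') {
        $errors->add('rwp_weak_password', '<strong>Error:</strong> ' . esc_html($problem));
    }
}

// Profile edit and "Add New User" screens in wp-admin (edit_user()).
add_action('user_profile_update_errors', 'rwp_reject_weak_password');
// "Reset password" form reached from the lost-password email (wp-login.php).
add_action('validate_password_reset', 'rwp_reject_weak_password');
```

Because both hooks receive the same `WP_Error` object that core checks before saving, an added error blocks the save with no "confirm weak password" escape hatch.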

Bring in an Expert to Deal With the Hack of a WordPress Website

The hacker claims that once they got access to the Administrator account, they could then get a hold of the access credentials for the Apple News API (which permitted the obscene push notifications), as well as other access credentials:

We were able to exfiltrate a BUNCH of sensitive stuff through there – Auth0 tokens, Apple News API keys, Amazon SES secrets (we could literally send email as any @fastcompany.com email with this access), etc.

If you bring in someone knowledgeable about cleaning up hacked websites, one of the things they are going to tell you is that you need to change all the access credentials that could have been compromised. Again, according to the hacker, that didn’t happen:

Wow, Fast Company. Despite the public defacement of your site, which boasts millions of visitors, all you did was hastily change your database credentials, disable outside connections to the database server, and fix the articles.

It doesn’t cost much to hire someone to professionally clean up a hacked WordPress website, but often companies decide to try to handle it on their own, with poor results.
