Cyber Snapshot - Strengthening WordPress Security
Overview
According to wordpress.org, "Approximately 40% of all websites globally use WordPress".
WordPress has many benefits: it is free and open source, user-friendly, mobile-friendly and easy to install, and it has an extensive plugin library. However, the flexibility of the WordPress ecosystem also has downsides and can introduce vulnerabilities. In particular, outdated WordPress sites become easy and frequent targets for bad actors attempting to compromise or otherwise hijack them.
The MC3 and other law enforcement agencies have seen a recent uptick in malicious activity on public facing websites, specifically sites that are built upon a WordPress architecture.
An outdated WordPress core, plugins and themes are an easy target for bad actors. SQL (structured query language) injection, cross-site scripting (XSS), brute force attacks, unauthorized access through default settings, and file inclusion vulnerabilities are all examples of the attacks and weaknesses involved.
One of the most common malicious campaigns is referred to as "Fake Updates". When a user visits the compromised WordPress site, they are redirected to install a fake web browser update. Once the user downloads and executes the malware on their computer, additional malicious software may be installed. The bad actor then further compromises the user's accounts or devices, moves laterally, launches more malware and causes further disruption across the network, accounts or machines.
Given the ongoing use of AI (artificial intelligence), automated attacks, and the many vulnerabilities in software and systems, it is essential to implement measures to safeguard WordPress and other publicly accessible sites. AI is being used to scan for websites with vulnerabilities such as outdated plugins, weak passwords and unpatched themes. AI can also be used to enhance brute force attacks, exploit zero-day vulnerabilities, author phishing attacks, distribute malware, target specific types of content, and support credential stuffing (using compromised credentials from previous data breaches) and social engineering campaigns.
Addressing The Issue
WordPress sites must be checked for updates and updated frequently: the core, themes and plugins all need to be updated regularly. Checking for and pushing these updates can also be automated for ease of use. Further, make sure the usernames and administrator path settings have been changed from their default configuration. Additional WordPress security solutions may also prove beneficial.
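The update check above can be scripted. The following shell script is an added example, not MC3's or WP-CLI's own tooling: it summarises outdated plugins and themes from WP-CLI's CSV output so a scheduled job can report on (or apply) updates, and lists administrator logins so a leftover default "admin" account stands out. It assumes WP-CLI is installed as `wp` and that the site root is given by `WP_PATH`; the plugin listing is a constructed sample in the shape WP-CLI prints, and the backup script named in the crontab comment is hypothetical.

```shell
#!/bin/sh
# Added example (not MC3's or WP-CLI's own script): summarise outdated plugins
# and themes from WP-CLI CSV output so a daily job can report on or apply updates.
# Assumes WP-CLI is installed as `wp` and the site root is $WP_PATH.
set -u
WP_PATH="${WP_PATH:-/var/www/html}"

# parse_outdated: reads CSV with the fields name,version,update_version on stdin
# and prints "name current -> available" for each row that has an update.
parse_outdated() {
  awk -F, 'NR > 1 && $3 != "" { printf "%s %s -> %s\n", $1, $2, $3 }'
}

# count_outdated CSV: number of rows with an update available, as a plain integer.
count_outdated() { printf '%s\n' "$1" | parse_outdated | wc -l | tr -d ' '; }

# Constructed sample (not from a real site), in the shape of:
#   wp plugin list --fields=name,version,update_version --format=csv
SAMPLE_PLUGINS='name,version,update_version
akismet,5.3,5.3.2
hello-dolly,1.7.2,
contact-form-7,5.8,5.9.3'

# report: the check a daily cron job would run against the live site.
# The wp commands are real WP-CLI syntax and run only when `wp` is installed.
report() {
  if command -v wp >/dev/null 2>&1; then
    wp --path="$WP_PATH" core check-update
    wp --path="$WP_PATH" plugin list --fields=name,version,update_version --format=csv | parse_outdated
    wp --path="$WP_PATH" theme list --fields=name,version,update_version --format=csv | parse_outdated
    # Confirm no administrator still uses the default 'admin' login.
    wp --path="$WP_PATH" user list --role=administrator --fields=user_login,user_email
    # Flag core and plugin files that differ from the official release, which is
    # one way injected redirect code (as in the "Fake Updates" campaign) shows up.
    wp --path="$WP_PATH" core verify-checksums
    wp --path="$WP_PATH" plugin verify-checksums --all
  else
    echo "wp not found; showing the constructed sample instead:"
    printf '%s\n' "$SAMPLE_PLUGINS" | parse_outdated
  fi
}

# Example crontab entry (02:30 daily): back up first, then apply all updates.
# /usr/local/bin/wp-backup.sh is a hypothetical backup script, not a real tool.
#   30 2 * * * /usr/local/bin/wp-backup.sh && wp --path=/var/www/html core update \
#     && wp --path=/var/www/html plugin update --all && wp --path=/var/www/html theme update --all
report
```

Run it from cron or a CI job and alert on any non-empty output from `parse_outdated`; the backup step in the crontab comment is deliberately first so that a broken update can be rolled back to the restore point the advisory recommends keeping.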
Implementing strong passwords (MC3 recommends a 16-character password), two-factor authentication (2FA) and a limit on login attempts for accounts that control, or have access to the controls of, WordPress sites further helps secure them. WordPress security plugins (Cloudflare, Wordfence, Sucuri, MalCare, SolidWP, etc.) should be researched and used where practical. Web application firewalls, which block malicious traffic, should be enabled for WordPress sites whenever possible.
Regular backups and restore points for WordPress sites are another extremely important measure. If a website is compromised, the backups can be used to restore or rebuild it to an uninfected, pre-exposure state.
WordPress site configurations should be hardened, which includes changing the database prefix, using secure database credentials and disabling database error reporting. Additional steps to consider are restricting file permissions on the site, disabling file editing from the WordPress dashboard and limiting access to sensitive files (giving access only to the users who need it).
Hypertext Transfer Protocol Secure (HTTPS) should be used wherever possible to secure data in transit for WordPress sites. Hosting providers with enhanced security features should be used for WordPress sites.
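The configuration hardening and HTTPS items above can be checked against the site's wp-config.php. The following shell script is an added example, not MC3's or WordPress's own tooling: it audits a wp-config.php for the default table prefix, weak database credentials (applying the advisory's 16-character guideline to the database password), error output shown to visitors, the dashboard file editor, HTTPS enforcement for the admin pages, and file permissions, and it runs that audit over a constructed unhardened file beside a constructed hardened one. `DISALLOW_FILE_EDIT`, `FORCE_SSL_ADMIN`, `WP_DEBUG` and `WP_DEBUG_DISPLAY` are real WordPress constants; both sample files and their credential values are constructed for the example, and only POSIX sh, grep, sed, ls and cut are assumed.

```shell
#!/bin/sh
# Added example (not MC3's or WordPress's own tooling): audit a wp-config.php for
# the hardening settings the advisory lists, and show a weak file beside a
# hardened one. Assumes only POSIX sh, grep, sed, ls and cut.
set -u

WORK="${TMPDIR:-/tmp}/wpaudit.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a typical unhardened wp-config.php (not from a real site).
WEAK_CFG="$WORK/weak-wp-config.php"
cat > "$WEAK_CFG" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'root' );
define( 'DB_PASSWORD', 'password' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', true );
EOF
chmod 644 "$WEAK_CFG"          # world-readable, as many installers leave it

# Constructed sample: the same file with the advisory's hardening applied.
HARDENED_CFG="$WORK/hardened-wp-config.php"
cat > "$HARDENED_CFG" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp_site_app' );
define( 'DB_PASSWORD', 'v7Qz!mK2#pL9xR4wT8bN' );
$table_prefix = 'k3q_';
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
define( 'DISALLOW_FILE_EDIT', true );
define( 'FORCE_SSL_ADMIN', true );
EOF
chmod 600 "$HARDENED_CFG"      # readable by the web/app user only

# has_define FILE CONSTANT VALUE: true if define('CONSTANT', VALUE) is present.
has_define() {
  grep -Eq "define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*$3[[:space:]]*\)" "$1"
}

# define_value FILE CONSTANT: prints the single-quoted string value of CONSTANT.
define_value() {
  sed -n "s/.*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$1"
}

# audit_wp_config FILE: prints one finding per line; prints nothing if clean.
audit_wp_config() {
  f=$1
  # Default table prefix: automated SQL injection payloads assume wp_ table names.
  grep -Eq "^[\$]table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$f" \
    && echo "table prefix is the default wp_"
  # Database credentials: no privileged account, and the advisory's 16-character minimum.
  [ "$(define_value "$f" DB_USER)" = root ] && echo "DB_USER is root"
  pw=$(define_value "$f" DB_PASSWORD)
  [ ${#pw} -lt 16 ] && echo "DB_PASSWORD is missing or shorter than 16 characters"
  # Error reporting: WP_DEBUG enables database error output; unless WP_DEBUG_DISPLAY
  # is false, those errors (paths, queries, versions) are shown to visitors.
  if has_define "$f" WP_DEBUG true && ! has_define "$f" WP_DEBUG_DISPLAY false; then
    echo "database/PHP errors are displayed to visitors"
  fi
  # Dashboard file editor: any admin-level session could write PHP into the site.
  has_define "$f" DISALLOW_FILE_EDIT true || echo "DISALLOW_FILE_EDIT is not true"
  # HTTPS for the login and admin pages.
  has_define "$f" FORCE_SSL_ADMIN true || echo "FORCE_SSL_ADMIN is not true"
  # File permissions: the 'other' bits (columns 8-10 of ls -l) must be ---.
  case $(ls -ld "$f" | cut -c8-10) in
    ---) ;;
    *) echo "file is accessible to other users ($(ls -ld "$f" | cut -c1-10))" ;;
  esac
  return 0
}

# finding_count FILE: number of findings, as a plain integer.
finding_count() { audit_wp_config "$1" | wc -l | tr -d ' '; }

for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
  echo "== $cfg: $(finding_count "$cfg") finding(s)"
  audit_wp_config "$cfg"
done
```

Point `audit_wp_config` at the real wp-config.php to get the same report for a live site. The checks are text matches, so a constant set from a different file (or left unset and therefore at its default) is reported as missing, which is the conservative result for an audit; the permission check relies on the standard `ls -l` column layout.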
The MC3 recommends organizations conduct professional security audits and penetration testing of their websites on a regular basis.
October 28, 2024
CS-06-24