Trump campaign website hacked

According to Wordfence, the campaign website for the re-election of Donald Trump was hacked. (The site has since been restored, with some notable missing pages.)

Wordfence provides a security service for WordPress websites. The Trump campaign website uses an alternate content management system, Expression Engine. The Wordfence folks thought it would be interesting to analyze the hack and defacement to see what could be learned without access to forensic information.

The Wordfence analysts concluded that the most likely way the hackers gained access to the campaign website was through compromised credentials — they guessed the password for an administrative account:

Expression Engine, like most content management systems, provides an administrative panel for publishing content. By default this is located at /admin.php. On, however, the admin login has been relocated to a different location, an example of security through obscurity.

The Internet Archive indicates that the last time the admin page was accessible in the default location was in June of 2015. Even in this hidden location, if an attacker was able to access the administrative panel they would have been able to alter any content on the site, though they would not have had access to any sensitive information.

The “Privacy Policy” and “Terms & Conditions” pages are displaying a “404 page not found” error hours after the site has been restored. This indicates that something changed on the content management system itself, rather than on the Cloudflare configuration. So we believe that the CMS being compromised is therefore a higher probability than Cloudflare being compromised, which we describe below.

(Cloudflare is a load balancing service.)

The moral: use strong passwords and implement two-factor authentication.