Early last month, a security hole in a WordPress plugin (REST) led to the vandalism of a large number of sites hosted on the blogging platform. While a world apart from the type of cybercrime that results in millions – or billions in the case of Yahoo! – of customer records landing on Dark Web marketplaces, it was nevertheless an attack that caused damage to around 1.5m pages, 39,000 domains, and attracted the attention of 20 different hacker collectives.
But what does February’s attack mean for WordPress security as a whole? Are websites that rely on the CMS now less secure as a consequence of the intrusion or is it business as usual for bloggers? In this case, there’s nothing to get excited about – the vulnerability was patched by WordPress after remaining secret for a week – but it serves as a reminder that a website’s small size doesn’t really matter as far as gaining the attention of hackers is concerned.
Cyber security is a multi-faceted beast that revolves around responding to a constantly changing threat landscape. Websites can be hacked on consecutive weeks for different reasons and with different methods, some of which may not have been possible the week before. For that reason, the onus is on hosting companies and security providers to continually search for (and close) new vulnerabilities before criminals can discover and exploit them for malicious purposes.
The biggest threat to WordPress sites is “script kiddies”, low-level hackers with little skill beyond self-promotion, as evidenced by the fact that the consequence of February’s vulnerability was somebody using HTTP requests to write “HaCkeR was here” on affected websites, a trick called website “tagging”. However, regardless of the cause, downtime can result in the loss of a website’s data and ad revenue, both of which can be difficult to replace in more complex scenarios.
Web Application Firewalls
That’s where the users come in. Setting aside the staple advice around strong login credentials (the public’s appreciation of internet security seems to be falling: “password” and “123456” have been the world’s joint worst passwords since 2013, and “12345” gained 17 places last year to stand in third), web application firewalls (WAFs) and similar security solutions can provide a barrier against threats like SQL injection and cross-site scripting.
Based in the cloud, web application firewalls (WAFs) screen traffic to block malicious users before they can reach a website and can help businesses comply with the OWASP (Open Web Application Security Project) standards for eradicating security flaws, a scheme that many businesses (70% in retail and 76% in government) fail to adhere to. The scalable nature of many WAFs means that they’re an increasingly affordable option for every kind of WordPress user.
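To make concrete what “screening traffic” for SQL injection and cross-site scripting means, here is a small, added example (not code from the article or from any WAF vendor) of the kind of signature check a WAF applies to each request before it reaches WordPress. The rule list, the request format and the sample requests are all constructed for the demo and deliberately simplified; a production WAF such as one built on the OWASP ModSecurity Core Rule Set uses far larger, scored rule sets and tunes them against false positives.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed, deliberately minimal signatures in the spirit of a WAF rule set.
# Each category holds a few regular expressions; any match is a finding.
RULES = {
    "sqli": [
        re.compile(r"(?i)\bunion\b\s+(all\s+)?\bselect\b"),          # UNION SELECT
        re.compile(r"(?i)['\"]\s*(or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+"),  # ' OR '1'='1
        re.compile(r"(?i);\s*(drop|delete|insert|update)\b"),         # stacked statement
        re.compile(r"--\s*$|/\*.*\*/"),                                # SQL comment tails
    ],
    "xss": [
        re.compile(r"(?i)<\s*script\b"),                               # <script>
        re.compile(r"(?i)\bon\w+\s*=\s*['\"]?\s*[\w(]"),               # onerror=alert(1)
        re.compile(r"(?i)javascript\s*:"),                             # javascript: URLs
    ],
}


def normalise(value: str) -> str:
    """Undo URL encoding twice so double-encoded payloads are inspected in clear."""
    for _ in range(2):
        value = unquote_plus(value)
    return value


def screen(method: str, path: str, query: str, body: str = "") -> dict:
    """Inspect one request and decide allow/block.

    Returns {"action": "allow"|"block", "findings": [(category, location), ...]}.
    parse_qs already URL-decodes once; normalise() handles further layers.
    """
    fields = [("path", path)]
    for name, values in parse_qs(query, keep_blank_values=True).items():
        fields.extend((f"query:{name}", v) for v in values)
    if body:
        for name, values in parse_qs(body, keep_blank_values=True).items():
            fields.extend((f"body:{name}", v) for v in values)

    findings = []
    for location, raw in fields:
        value = normalise(raw)
        for category, patterns in RULES.items():
            if any(p.search(value) for p in patterns):
                findings.append((category, location))
    return {"action": "block" if findings else "allow", "findings": findings}


# Constructed sample requests: one benign, one SQLi probe, two XSS probes.
SAMPLE_REQUESTS = [
    ("GET", "/", "p=1", ""),
    ("GET", "/index.php", "s=' OR '1'='1", ""),
    ("GET", "/", "s=%3Cscript%3Ealert(1)%3C/script%3E", ""),
    ("POST", "/wp-comments-post.php", "",
     "comment=<img src=x onerror=alert(1)>&post_id=1"),
]


def run_samples() -> list:
    """Screen every sample request and return the list of actions taken."""
    results = []
    for method, path, query, body in SAMPLE_REQUESTS:
        verdict = screen(method, path, query, body)
        results.append(verdict["action"])
        print(method, path, "->", verdict["action"], verdict["findings"])
    return results


if __name__ == "__main__":
    run_samples()
```

The point of the demo is the shape of the control, not the rules: the firewall decodes each parameter, runs it against known-bad patterns, and drops the request before PHP ever sees it. Real deployments log every block, because a surge of matches against one endpoint is usually the first visible sign of the automated scanning the article describes.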
As mentioned, cyber security is more of a process than a one-time fix, with perhaps the most compelling example of that fluidity coming just a few days ago. While the WordPress 4.7.2 release fixed the security flaw in the REST plugin, version 4.7.3, an update that arrived on March 7 and the third pushed to users in 2017, closed six further vulnerabilities in the platform, including one involving embedded YouTube videos.
One of the worst things WordPress users can do security-wise is disable automatic updates from the company – website owners still running 4.7.1 are vulnerable to at least seven different exploits, all of which are known to hackers – so ensure the option is enabled in the dashboard. Finally, let go of the idea that a small site will slip beneath the radar of criminals. Most hackers use software or “bots” to find vulnerable pages rather than manual searches.
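As an added example (not code from the article or from WordPress itself), the following script audits two files from a WordPress install for the two problems the paragraph above warns about: a core version older than the patched release, and automatic updates switched off. It reads the `$wp_version` variable from `wp-includes/version.php` and the `WP_AUTO_UPDATE_CORE` and `AUTOMATIC_UPDATER_DISABLED` constants that WordPress honours in `wp-config.php`; the file contents below are constructed samples, and the 4.7.3 baseline is taken from the article and should be raised as newer releases appear.

```python
import re
from typing import Optional

# Baseline from the article: 4.7.3 (March 7, 2017) closed six further flaws.
# Treat as a placeholder to bump whenever a newer security release ships.
MIN_PATCHED = (4, 7, 3)

# $wp_version = '4.7.1';  (the line WordPress keeps in wp-includes/version.php)
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([0-9][0-9.]*)'")
# define('NAME', value);  with value true/false or a quoted string
DEFINE_RE = re.compile(
    r"define\(\s*['\"](\w+)['\"]\s*,\s*(true|false|'[^']*'|\"[^\"]*\")\s*\)", re.I)


def parse_version(version_php: str) -> Optional[tuple]:
    """Return the core version as a comparable tuple, or None if absent."""
    m = VERSION_RE.search(version_php)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def parse_defines(config_php: str) -> dict:
    """Collect define() constants from wp-config.php into a name -> value map."""
    out = {}
    for name, raw in DEFINE_RE.findall(config_php):
        low = raw.lower()
        if low == "true":
            out[name] = True
        elif low == "false":
            out[name] = False
        else:
            out[name] = raw.strip("'\"")
    return out


def audit(version_php: str, config_php: str) -> list:
    """Return a list of human-readable issues; an empty list means all clear."""
    issues = []
    version = parse_version(version_php)
    if version is None:
        issues.append("could not read $wp_version from version.php")
    elif version < MIN_PATCHED:
        issues.append("core %s is older than patched release %s" % (
            ".".join(map(str, version)), ".".join(map(str, MIN_PATCHED))))

    defines = parse_defines(config_php)
    if defines.get("AUTOMATIC_UPDATER_DISABLED") is True:
        issues.append("AUTOMATIC_UPDATER_DISABLED is true: all background updates are off")
    if defines.get("WP_AUTO_UPDATE_CORE") is False:
        issues.append("WP_AUTO_UPDATE_CORE is false: core security releases will not auto-install")
    return issues


# Constructed sample files representing a neglected install.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7.1';\n"
SAMPLE_WP_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wordpress');\n"
    "define('WP_AUTO_UPDATE_CORE', false);\n"
    "define('AUTOMATIC_UPDATER_DISABLED', true);\n"
)

if __name__ == "__main__":
    for issue in audit(SAMPLE_VERSION_PHP, SAMPLE_WP_CONFIG):
        print("ISSUE:", issue)
```

On a live install the two strings would be read from disk; the check is worth running from a cron job or a monitoring agent, because a plugin or a well-meaning administrator can quietly add one of those constants long after the dashboard setting was last looked at.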
Just about any website can be used to orchestrate spam attacks or host malicious ads, so an awareness of a site’s vulnerabilities and of the options for protecting it is never a bad thing.