Question: I’ve heard rumors that WordPress can be pretty sketchy when it comes to security. So, I’m wondering, is creating my website with WordPress, in fact, a huge mistake? ~ Paul H., Freelance Writer, Long Beach, CA
Answer: Well, perhaps that’s a bit of an extreme statement…but you bring up a very interesting point. As owner of a web design agency, ohso! design, I do not shy away from WordPress; we’ve used it for dozens of clients. WordPress, by its very nature, was developed as an easy-to-use blogging platform, and now it is used as an easy content management system—even by sites that don’t have anything to do with blogging.
As my friend and colleague Pat Bramhall of Tydak, an IT consultancy, points out, "It’s important to realize that this increasingly popular platform not only makes blogging easy… it also makes hacking easy, too."
These days, more and more businesses are being infiltrated through their WordPress sites. Hackers secretly embed malicious script into the sites, turning them into drones that are programmed to perform nefarious functions on other sites that also use WordPress.
Often, this happens without an obvious change to the infected site’s operations. You could be aiding and abetting internet criminals and you’d never even have a clue. Or worse, you could be the victim of information highway robbers as they steal your money and valuable data right out from under your mouse.
When a tool like WordPress becomes so prolific, it seems we let our guard down. Psychology has taught us that when something is common, and we like using it, we’ll downplay its risks. (Drive a car lately, anyone? It’s a killing machine!)
The real problem, according to Stan Stahl, Ph.D., the President of Citadel Information Group, a Los Angeles cyber security firm, is simple. “WordPress,” he warns, “was designed to make for easy blogging with lots of plugin capability, not for security. It should NEVER be used for eCommerce or when connected to sensitive information or back-end corporate databases.”
It’s not just the larger corporations that are in danger of these hackers, either. The smaller mom-and-pop websites are also at risk. Even if you’re just putting up a brochureware site, the sad truth is: you’re never “too small” to be targeted.
“Small businesses don’t get how vulnerable they are and how devastating the crime can be,” says Neal O’Farrell, Executive Director of The Identity Theft Council. “If a hacker gets into a small business owner’s bank account, they can wipe it out, leaving that business with little recourse, because, unlike how consumers are protected from fraud, banks don’t extend that same protection to business accounts.”
So, what can your company do to stop these kinds of cyber attacks? Well, the first step is easy: create a more secure administration password for your site. Now, I know that your password is probably better than Dark Helmet’s from Spaceballs: 1 … 2 … 3 … 4 … 5 … 6 … and … 7! (Hey, that’s the combination to my luggage!)
Using a common password is like leaving the back door unlocked to your cabin while you go out for a hike in the woods. It’s the Goldilocks problem all over again.
That’s precisely why you have to make sure that your IT team is smarter than the average bear. You should only work with developers, consultants, contractors, and (in the case of a larger company) security personnel who are constantly learning and staying squarely on top of things.
Stahl explains, “To minimize insecurities, [your team needs to] pay attention to:
- keeping [WordPress] and all plugins patched;
- using long, strong, and complex access passwords;
- utilizing a login lock-out policy to prevent brute forcing of passwords; and
- making sure the underlying HW/OS is configured and maintained in accordance with strong security guidelines.”
Another piece of advice, says Frederic Lardinois of TechCrunch, “If you’re running a WordPress site, now would be a good time to ensure you are using very strong passwords and to make sure your username is not ‘admin.’”
“… the distributed attacks are attempting to brute force the administrative portals of WordPress servers, employing the username ‘admin’ and 1,000 or so common passwords.”
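As an added illustration of Stahl’s login lock-out point and the “admin plus 1,000 common passwords” pattern quoted above (this is example code, not anything from the column or the people quoted in it): the script below reads constructed Apache combined-format access-log lines, counts failed wp-login.php POSTs per source address, and flags any address that crosses a lock-out threshold inside a sliding time window, which is the same decision a lock-out plugin or a fail2ban jail makes. It assumes WordPress answers a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect into wp-admin.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines standing in for a real access log.
# Failed wp-login.php POST -> HTTP 200 (form re-rendered); success -> 302 to wp-admin.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
192.0.2.9 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [12/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [12/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
198.51.100.4 - - [12/Apr/2013:10:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3490
198.51.100.4 - - [12/Apr/2013:10:00:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [12/Apr/2013:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def failed_logins(log_text):
    """Map source IP -> sorted timestamps of failed wp-login.php POSTs."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        if m["status"] == "200":  # 200 here means the login form came back: bad credentials
            failures[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return {ip: sorted(ts) for ip, ts in failures.items()}

def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return IPs with at least `threshold` failures inside any sliding `window`."""
    flagged = []
    for ip, stamps in failed_logins(log_text).items():
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))  # ['203.0.113.7']
```

The same counting, keyed on the submitted username as well as the address, is what a lock-out policy enforces live: after the threshold is reached, further attempts from that source are refused for the lock-out period regardless of whether the password is right.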
CloudFlare is not actually a host, but rather, “serves as an intermediary of-sorts for those looking to access sites that make use of the service, caching static pages to speed up load times and using its anycast DNS capabilities to filter out malicious traffic – like distributed denial of service attacks – to keep its members’ sites online and unbothered,” according to PC Mag.
The point is: companies like CloudFlare—and others—focus primarily on WordPress security…and you should be aware of them.
“Ideally all bloggers would take steps to protect their sites from hackers, such as installing a great security plugin,” says Andrea Whitmer, “but unfortunately even the best preventive measures sometimes fail. If you suspect that your blog or website has been compromised, there are a number of steps you can take to check your WordPress site for malware or evidence of being hacked.” Check those steps out here.
(Likewise, there are tons of useful plug-ins. Check out the “10 Essential WordPress Security Plugins for 2013.”)
Stahl advises, “Bottom line: caveat utilitor, ‘let the user beware.’ Security is management’s responsibility. Management must set the standards and validate IT’s compliance with them.”
Thus, it’s not about the skills that you have. It’s about the attitude and skills of the people you hire. As Pat Bramhall advises her big corporate clients, "Make sure that research, learning, dedication, sharing, and communication are the cornerstones of your IT team’s foundation of operation."
Of course, if you’re a D.I.Y. sort of person, then security needs to be on your radar. Stay on top of the news and become your own security guard, which includes reaching out to smart developers in your network of colleagues.
The best way for your company to win a high-stakes game of “WordPress with Enemies” is through a healthy dose of online vigilance, and a little bit of help from your friends.
Now, get over to your WordPress and get rid of the "admin" user already!