When a big website like Lenovo’s gets hacked, it’s news. But most such attacks take place under the radar, at smaller sites lacking the skills or time to protect themselves. Take the legions of WordPress-based sites, which got a rude awakening last year when many thousands of them were hacked.
Don’t be one of those sites. Even if you don’t use WordPress, you can learn important lessons from what those poor blighters have been through.
The un-magic bullet: site maintenance
Quickly spinning up a WordPress site on a hosted server is simpler than ever, but users need to understand that the sites require regular management. Cybercriminals and hackers are continuously looking for sites whose administrators use easy-to-guess passwords, inadvertently misconfigure the site, or fail to apply the latest patch.
Earlier this year, for example, security firm Zscaler found that compromised WordPress Web sites were forwarding visitors’ login credentials to an attacker-controlled site. Last year, in one of the worst cases of serial compromise, a malicious program, known as SoakSoak, infected more than 100,000 WordPress sites using a vulnerability in a popular plugin. “The beautiful thing about these applications is that they are easy to use and make it easy to get a website up online,” Tony Perez, CEO of Sucuri, says. “But it’s a double-edged sword—we cannot depend on the users to be able to manage the sites securely.”
W3Techs Wordpress accounts for about a quarter of all Web sites and 60 percent of all CMS-powered Web sites.
Security experts don’t blame the content management systems, which typically take security seriously. But WordPress sites account for 24 percent of all Web sites, and Joomla and Drupal account for another 5 percent, according to Web technology firm W3Techs. The software is under intense attacker scrutiny. Attackers have historically tried brute-force password guessing as a first assault on content management systems, followed by quickly attempting to take advantage of any just-published vulnerabilities.
Passwords are an easy problem for users to solve, but keeping up with a steady stream of vulnerabilities and patches requires diligence, says Mark Maunder, CEO of WordPress security firm Wordfence. These three best practices will help you fend off attackers.
1. Update as soon as possible
Anyone managing their own site should either use a hosting service that manages the core content management system (CMS) updates or create a process to keep up with information on vulnerabilities that could impact their installation.
Be warned, it’s a tough job. Subscribing to any vulnerability feeds for their software and plugins is a necessity to quickly patch vulnerabilities in either the CMS or its plugins. Yet, it’s easy to be inundated, says Sucuri’s Perez.
“It is almost impossible for developers to keep up with vulnerabilities,” he says. “They are trying to run their site, and trying to keep track of all the patches and applying them is difficult.”
Web-security services like Sucuri, Cloudflare and Incapsula can buy administrators more time to patch their sites, by blocking known attacks.
2. Don’t forget your plugins and themes
While keeping the main content management system up-to-date is challenging, patching every plugin can be a more onerous burden, as attackers have increasingly targeted vulnerabilities in plugins and themes to compromise Web sites.
“In general, attackers are trying to own as many WordPress sites as possible using as many zero days or recently-disclosed vulnerabilities, and then using that site for other attacks,” says Wordfence’s Maunder.
A variety of WordPress plugins provide security. Wordfence, BulletProof Security and iThemes Security perform a variety of security-related tasks, from scanning Web sites for compromises to setting the security controls of a WordPress site to harden the software against the most common attacks.
3. Regularly maintain your Web site
Having a hosted Web site is a responsibility and requires frequent maintenance. Administrators should back up the site, and make sure the backup is copied off the Web server—many inexperienced administrators overlook that step, says Maunder.
If you don’t have time to do this, go with a fully managed site. WordPress.com has a wide variety of templates and more flexibility than ever before. For other content management systems, such as Joomla and Drupal, a hosted service provider can manage the CMS on that server and help keep your Web site patched.