We have been spurred into writing this post by more news affecting websites built on WordPress. For those of you who don't know what WordPress is: it's a very popular website-building tool, arguably the most popular of the Content Management Systems used for building and powering websites. WordPress is free software, which no doubt has contributed to its popularity. It has also been around for a long time, since 2003, and is used by an estimated 60 million websites (1).
The recent news on WordPress is that it has been subject to more issues with malware (2). In this case the malware spreads through pirated versions of WordPress themes and plugins that the attackers distribute through a network of rogue sites. Website administrators looking for free WordPress functionality download them and install them in their own WordPress websites; at that point they have, in effect, infected their own web servers themselves. The lesson is simple: only install themes and plugins from the official WordPress repository or directly from the vendor. As an indicator of the extent of the issue, Sucuri, GoDaddy's web-security subsidiary, said that some 90% of all the sites they cleaned were built on WordPress.
This issue has had a fair bit of publicity and we have now been asked by clients whether sites we have created for them have also been infected. We don't use WordPress, so this particular issue does not affect us or our clients. We did use WordPress long ago, but we retired our last WordPress site in 2013. This brings us to a wider point: just how safe and secure is your website?
We are going to keep this explanation as accessible and non-technical as we can. So, if you are a professional web developer or cyber-security technician, you will see that our focus in this post is only on the main threats and what the average customer can do about them, and we have simplified explanations where we can to make them easier to understand and more inclusive.
So the main threats are:
No 1. Data Breach
This is the biggie. It's where an attacker uses your website as a way into your systems to steal your data. Many of our websites are linked to one or more database applications managing information for clients, so this is something we take great care to protect. One of the most basic protections is encryption of data in transit. Fortunately, this is now much more common than it used to be. Your website should always use HTTPS for all web pages, so that everything sent between your screen and the server is encrypted "in transit". (HTTPS is built on TLS, the successor to the older SSL protocol; many people still say "SSL" for both.) You can tell that a web page is encrypted in transit if it has a padlock in the URL bar and the address starts with 'https': it's the 's' at the end that indicates it's secured. Two caveats. First, the padlock only means the connection to the server is encrypted; it says nothing about whether the server or the software running on it is secure, so a site can show a padlock and still be hacked. Second, make sure plain 'http' addresses redirect to the 'https' version, otherwise visitors who type the address without the 's' are still sent in the clear. If you can also encrypt data "at rest" (i.e. on the server's disks and in database backups), that is even better, but transit is the one to get right first.
We also recommend that database applications are not on the same physical server as the web server. It's surprising how often in-house systems miss this point, and we also see 'low-cost' software development houses doing it to save money. Keeping the database, and especially its administrative functions, on a separate server that is not reachable from the internet lessens the risk: if the web server is compromised, the attacker does not automatically get the database with it. Make sure the connection between the web server and the database server is also encrypted, as above, and that the account the website uses to talk to the database can only do what the website needs, rather than administer the whole database.
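For the technically minded reader, here is an added example (not part of the original post, and not a tool we or anyone else ships) of the check behind the second caveat above: a padlock on the https page is not enough, the plain http address must redirect to it and the server should send a Strict-Transport-Security (HSTS) header so browsers stop trying http at all. The responses below are constructed to show a correctly configured site beside a typical "has a padlock but does not enforce it" one; a real check would make the requests with a library such as urllib and feed the status codes and headers in. The one-year HSTS threshold and the absolute-URL redirects are assumptions of the example.

```python
from urllib.parse import urlsplit

# Constructed sample responses, keyed by URL, as (status code, headers).
# A real check would make the requests and feed the results in here.
GOOD_SITE = {
    "http://www.example.com/": (301, {"Location": "https://www.example.com/"}),
    "https://www.example.com/": (200, {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
}

# Same site, configured the way many "it has a padlock" sites actually are:
# https works, yet plain http is served as-is and no HSTS header is sent.
WEAK_SITE = {
    "http://www.example.com/": (200, {}),
    "https://www.example.com/": (200, {}),
}

ONE_YEAR = 365 * 24 * 3600        # assumed minimum HSTS max-age worth accepting
REDIRECTS = {301, 302, 307, 308}  # status codes treated as a redirect


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = 0, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                max_age = 0
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def follow(url, responses, max_hops=5):
    """Follow absolute-URL redirects; return (final_url, status, headers) or None."""
    for _ in range(max_hops):
        if url not in responses:
            return None
        status, headers = responses[url]
        if status in REDIRECTS and "Location" in headers:
            url = headers["Location"]
            continue
        return url, status, headers
    return None  # redirect loop or chain too long


def assess_https(site, responses):
    """Return a list of findings; an empty list means transport security looks right."""
    findings = []
    plain = follow("http://" + site + "/", responses)
    if plain is None:
        findings.append("http:// request did not resolve to a final page")
    elif urlsplit(plain[0]).scheme != "https":
        findings.append("http:// pages are served in clear, not redirected to https://")
    secure = follow("https://" + site + "/", responses)
    if secure is None:
        findings.append("https:// request did not resolve to a final page")
        return findings
    hsts = secure[2].get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header: browsers may still try http:// first")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age}s is shorter than one year")
        if not include_sub:
            findings.append("HSTS does not cover subdomains (includeSubDomains missing)")
    return findings


if __name__ == "__main__":
    for label, site in (("good", GOOD_SITE), ("weak", WEAK_SITE)):
        print(label, assess_https("www.example.com", site) or ["ok"])
```

Run as-is it reports nothing for the first configuration and two findings for the second. The point for a site owner is that both sites show the padlock when you type the https address; only the first protects a visitor who doesn't.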
No 2. DDoS
DDoS stands for "Distributed Denial of Service". A DDoS attack tries to take a web server offline by flooding it with traffic from many sources at once, and it can happen to any website. In our view the most practical protection is offered by a Content Delivery Network (CDN); we often recommend Cloudflare or Amazon's competing service, CloudFront. A CDN puts a distributed network of servers in front of your site, so the flood is spread across that network and absorbed rather than hitting your single server. Good CDNs route traffic intelligently and can protect your website from downtime without blocking legitimate users. One caveat: the CDN only helps if attackers cannot reach your real server directly, so its address should not be advertised in DNS and it should accept web traffic only from the CDN. In practical terms, setting up and managing a CDN involves some expertise and cost, so we normally only recommend one if a site has already experienced a DDoS or has a profile that indicates it is at higher risk.
No 3. Passwords
The human risk... It's sad to say, but the number one risk often comes from the people using your website, or those administering it. The best advice here is twofold.
(a) Use a strong password, and change it as soon as you suspect it may have been exposed (for example after a breach notice), rather than on a fixed schedule. We find it best to use a phrase of three or more unrelated words with a number and a symbol: it is much easier to remember than a jumble of characters and, at that length, very hard to guess. Two short words are not enough; length is what makes the difference. Never reuse the website password anywhere else. Also, take care about letting your computer remember the password when logging in. Most web browsers offer to do this for you, but it means the login details are then held on that machine, so anyone who can use an unlocked or shared computer can log in. Where your website supports it, turn on two-step (two-factor) login for administrators, so that a password alone is not enough.
(b) Take care who you allow to access what. Decide which of your staff can access administrative functions, and work on the principle of not granting access to a facility unless it really is needed; a separate login for each person, rather than a shared one, makes it possible to remove access when someone leaves. Discuss this with your technical provider and come up with a plan that works for you and minimises risk.
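To put numbers on the "strong password" advice in (a), here is an added example for the technically minded (ours, written for this page; not a tool from the post or from any vendor). It estimates how long the recommended word-based passphrases would take to guess, compared with random strings, against three attacker positions: guessing at the live login form, and guessing offline against stolen password hashes protected by a slow or a fast hash. The guess rates, the 10,000-word dictionary and the 32-symbol set are round-number assumptions for illustration, and the attacker is assumed to know the scheme and the word list, which is the only safe assumption.

```python
import math

# Guess rates in guesses per second for three attacker positions. Round-number
# assumptions for illustration, not measurements of any particular system.
RATES = {
    "online login form, rate limited": 10,
    "offline against stolen hashes, slow hash (e.g. bcrypt)": 1e5,
    "offline against stolen hashes, fast hash (e.g. MD5)": 1e10,
}


def passphrase_bits(words, wordlist_size=10_000, digits=0, symbols=0, symbol_alphabet=32):
    """Size of the guess space, in bits, for the post's scheme: a few dictionary
    words plus a number and a symbol. Assumes the attacker knows the scheme and
    the word list (assumed 10,000 words) and the symbol set (assumed 32)."""
    return (words * math.log2(wordlist_size)
            + digits * math.log2(10)
            + symbols * math.log2(symbol_alphabet))


def random_bits(length, alphabet=94):
    """Guess space for a uniformly random string over printable ASCII."""
    return length * math.log2(alphabet)


def seconds_to_crack(bits, guesses_per_second):
    """Expected time to hit the password: on average half the space is searched."""
    return 2 ** bits / 2 / guesses_per_second


def human(seconds):
    """Round a duration into the unit a reader would use."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


SCHEMES = {
    "two words + digit + symbol": passphrase_bits(2, digits=1, symbols=1),
    "three words + digit + symbol": passphrase_bits(3, digits=1, symbols=1),
    "four words, no extras": passphrase_bits(4),
    "8 random printable characters": random_bits(8),
    "12 random printable characters": random_bits(12),
}


def crack_table(schemes=SCHEMES, rates=RATES):
    """Expected crack time in seconds of each scheme against each attacker position."""
    return {name: {attacker: seconds_to_crack(bits, rate) for attacker, rate in rates.items()}
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, row in crack_table().items():
        print(f"{name} ({SCHEMES[name]:.0f} bits)")
        for attacker, secs in row.items():
            print(f"    {attacker}: {human(secs)}")
```

What the table shows: a two-word phrase with a digit and a symbol (about 35 bits) falls in under two seconds once an attacker has the password hashes and the site used a fast hash, whereas three words (about 48 bits) take hours and four words (about 53 bits, roughly the same as 8 random characters) days under the same conditions, and all of them are effectively unguessable through a rate-limited login form. Two practical conclusions: length is what counts, and how the website stores passwords matters as much as what you choose, which is a question to put to your technical provider.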
Other, more technical, items include malware monitoring and cleaning tools for websites (these are not the same as the antivirus you would use on your PC). They require more technical knowledge and there will be a cost to install the good ones. We also recommend a Web Application Firewall (WAF). It's analogous to having a solid flame-resistant wall between you and a possible fire: it sits in front of the website and filters out requests that look like attacks or automated 'bots' before they reach it. It is not a trivial thing to add and get the best out of, and is generally best left to your technical provider to install if not already provided. Finally, keep the website's software, and any themes and plugins, genuine and up to date: the malware in the news above got in because administrators installed pirated copies rather than the real ones from the official source.
We hope this has helped you appreciate and understand the major risks and what you can do about them. Please remember, however, that nothing is 100% safe. This is where a good technical provider really pays off, as they will be there to sort out issues when they arise.
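As an added illustration of what a website malware scanner looks for (example code written for this page; not a product, and not the tools the post or the news reports describe), the script below walks a theme or plugin folder and flags PHP files showing the generic signs of hidden code that pirated themes are known for: a decoded blob passed straight to eval, long base64 strings, hex-escaped strings and the old preg_replace /e trick. The two-file "theme" it scans is constructed on the spot so the example runs offline; the indicator patterns are assumptions, they give false positives on some legitimate code, and a hit is a reason to inspect a file, not proof that it is malicious. Real cleaning tools also compare each file against a known-good copy, which this example does not attempt.

```python
import base64
import os
import re
import tempfile

# Generic indicators of obfuscated PHP, in the order hits are reported. These are
# assumptions of the example, not signatures of any particular malware family.
INDICATORS = {
    "eval of decoded blob": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long base64 blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    "hex-escaped string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "preg_replace /e modifier": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I),
}


def scan_file(path):
    """Return the names of the indicators found in one file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]


def scan_tree(root, extensions=(".php",)):
    """Walk a theme/plugin directory; map each flagged file (relative path) to its hits.
    Only .php is scanned by default: minified .js legitimately carries long base64."""
    flagged = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                hits = scan_file(path)
                if hits:
                    flagged[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return flagged


def build_sample_theme():
    """Write a constructed two-file 'theme' to a temp dir: one clean file and one
    that hides an injected blob behind an innocent name. Returns the directory."""
    root = tempfile.mkdtemp(prefix="theme-sample-")
    with open(os.path.join(root, "functions.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\nadd_action('wp_head', function () { echo '<!-- sample -->'; });\n")
    os.makedirs(os.path.join(root, "inc"))
    # Constructed, harmless payload; real ones drop a backdoor or spam links.
    payload = base64.b64encode(b"echo 'constructed sample payload';" * 8).decode()
    with open(os.path.join(root, "inc", "class-helper.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n// looks like a helper class, but executes a hidden blob\n")
        fh.write(f"eval(base64_decode('{payload}'));\n")
    return root


if __name__ == "__main__":
    for rel_path, hits in scan_tree(build_sample_theme()).items():
        print(rel_path, "->", ", ".join(hits))
```

On the constructed sample it reports only inc/class-helper.php, with both the eval-of-decoded-blob and long-base64 indicators; functions.php is left alone. The lesson for a site owner is the same as in the news above: a theme from an official source would not have needed the hidden blob in the first place.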
(1) Wikipedia.
(2) Wordfence, October 2019.