We have been spurred into writing this post by more news affecting websites based on WordPress. For those of you who don't know what WordPress is: it's what many people use to create their websites. WordPress is free software, which has likely contributed to its popularity. Indeed, it's arguably the most popular of the website Content Management Systems used for building and powering websites. WordPress has also been around a long time, since 2003, and is used by an estimated 60 million websites (1).
The recent news on WordPress is that it has been subject to more malware issues (2). In this case the malware spreads through pirated versions of WordPress themes and plugins that the attackers distribute through a network of rogue sites. Website administrators looking for free WordPress functionality download them and use them in their own WordPress sites, and at that point they have essentially infected their own web servers. Sucuri, GoDaddy's web-security subsidiary, said that some 90% of all the sites they cleaned were built on WordPress.
This issue has had a fair bit of publicity. For instance, we have now been asked by clients whether sites we have created for them have also been infected. We don't use WordPress, so this issue does not affect us or our clients. However, we did use WordPress long ago (we retired our last WordPress site in 2013). This brings us to a wider point: just how safe and secure is your website?
We are going to keep this in as accessible English and as non-technical as we can. If you are a professional web developer or cyber security technician you will see that our focus in this post is only on the main threats and what the average customer can do about them. We therefore simplify explanations where we can, to make the post more accessible.
No 1. Data Breach
This is the biggie. It's where someone uses your website as a way to hack into your corporate systems and steal your data. Many of our websites are linked to one or more database applications managing information for clients, so this is something we take great care to protect. One of the most basic methods of protection is end-to-end encryption. Fortunately this is now much more common than it was. Your website should always use SSL (now more properly called TLS) for all web pages, and all data transfers should be encrypted "in transit", i.e. between your screen and the server. You can tell if a web page is SSL encrypted if it has a padlock in the URL bar or the address starts with 'https'; it's the 's' at the end that indicates it is SSL secured. If you can also encrypt "at rest" (i.e. on the server itself) that is even better, but transit is the important one.
We recommend ensuring that database applications are not on the same physical server as the web server. It's surprising how often in-house systems miss this point, and we also see 'low-cost' software development houses doing this to save money. If you can keep database administrative functions on a totally different server, that lessens the risk: a compromised web server then does not automatically give the attacker the database. Also make sure to encrypt, as described above.
No 2. DDoS
DDoS stands for "Distributed Denial of Service". DDoS attacks try to crash a web server by flooding it with traffic, and it can happen to any website. In our view the most practical protection is offered by a Content Delivery Network (CDN). We often recommend Cloudflare or the Amazon competitor CloudFront for CDN use. With a CDN, traffic is spread across a distributed network of servers, and in simple terms this absorbs the DDoS hit. Good CDNs intelligently route traffic and can protect your website from downtime without blocking legitimate users. In practical terms, setting up and managing a CDN does involve some expertise and cost, so we normally only recommend one if a site has already experienced a DDoS or has a profile that indicates it is at higher risk.
No 3. Passwords
The human risk... It's sad to say, but the number 1 risk often comes from those using your website, or those administering it. The best advice here is twofold.
(a) Use a strong password and change it often. We find it best to use a phrase of two or three words with a number and a symbol. It makes the password much easier to remember and change, and it is also very hard to crack. Also, don't allow your computer to remember the password when logging in. Most web browsers offer to do this for you, but it means the login details are then held locally on your machine, and anyone with access to that machine can then log in.
(b) Take care who you allow to access what. We suggest you take care which of your staff can access administrative functions, and that you work on the principle of not granting access to facilities unless they really are needed. Discuss this with your technical provider and come up with a plan that works for you and minimises risk.
Other, more technical items include antivirus monitoring and cleaning tools for websites (these are not the same as the ones you would use on your PC). They require more technical knowledge and will cost to install. We also recommend a Web Application Firewall (WAF). It's a bit like having a solid flame-resistant wall between you and a possible fire; in this case, it provides a level of protection against malware and bots by filtering the requests that reach your site. But it's not a trivial thing to add and get the best out of, and it is generally best left to your technical provider to install if not already provided.
We hope this has helped you appreciate and readily understand the major risks and what you can do about them. Please remember, however, that nothing is 100% safe. This is where a good technical provider can really pay off, as they will be there to sort out issues.
(1) Wikipedia.
(2) Wordfence, October 2019.