A major challenge of working with WordPress, and of being in the web development business in general, is keeping up to date with the latest news on website security. Especially when you are working with large amounts of private or personal data (PII), such as in financial website design, site security is of the utmost importance. The threats are constantly changing, and every move made by security teams is answered with a counter move by attackers. It is especially dispiriting to hear of major websites with full-time security teams, like Netflix and Twitter, being compromised through rather ingenious methods. A small business owner may reasonably ask: if the “big guys” are being hacked, how can their site be secure?
We at Watermelon Web Works are always on the lookout for new trends in the web security world. One valuable resource is the Sucuri Blog, which publishes timely updates and the latest news on emerging security threats, with an emphasis on the open source platforms that power most of the world’s websites. After reading the latest hacked website trend report, it is clear that the basic fundamentals of website security are as important as ever.
Keep sites up to date
First and foremost, keep sites up to date. The Sucuri report noted that the vast majority of sites infected with malware (out of a sample size of 9771 sites) were running an out-of-date CMS. Over 72% of the infected sites were running on WordPress, and of those 55% were out of date. One of the appeals of WordPress is that it is frequently updated, yet these updates only protect a site if they are actually applied.
In addition to the CMS, plugins must be kept up to date. This can be rather challenging, as some plugins are updated far less often than others. The other challenge is to ensure that plugins remain compatible with the current WordPress version. While these updates can be performed by the site owner, great care must be taken, as there is no “undo” button. These updates are best left to WordPress experts who have ready access to system backups.
Research plugins prior to installation
One of the more shocking items in the report was that just three plugins (out of the thousands available) accounted for an extraordinary 22% of all observed WordPress malware infections (for the record, they are TimThumb, RevSlider, and GravityForms). This starkly illustrates how a known plugin vulnerability can spread like wildfire. As a website owner, it is important to perform due diligence and make sure a plugin has no reported vulnerabilities prior to installation. Just as crucial, only plugins that are actively maintained by their developer should be used. If a plugin has not been updated in 2 years, there is a good chance the developer has abandoned it, and any vulnerabilities may never be fixed. If you had that plugin on your site, your only secure choice would be to delete it entirely, which could have serious repercussions if that plugin was critical to your site’s functionality.
Use all available security tools, as hacks may not be obvious
The report showed a strong trend towards hacks that may not be noticeable to the casual observer. Instead of exploits that cause obvious visual or behavioral problems (such as the immediate download of a malicious file, or a home page replaced with a “custom” one), there is a sharp rise in so-called “SEO hacks”, where the infected site looks and behaves normally to the visitor, yet behind the scenes it is causing SEO problems. For example, a Google search result for the infected site may show an advertisement for a pharmaceutical company in the site description, or a link to a site that isn’t the real one. Viewing the page source will reveal all kinds of hidden ads and content that is picked up by search engines but invisible to the naked eye. By using these sorts of exploits (typically initiated through a plugin with weak security), hackers can make changes to a site for quite some time before even the site owner notices. Furthermore, these “behind the scenes” exploits are not as easily identified by security tools.
To combat this type of attack, it is important to use all the tools at your disposal. We recommend scanning regularly with a tool such as Wordfence that can detect changes in code that are not obvious when looking at the site. Tools such as Google Webmaster Tools can help detect noticeable SEO changes. We also like to use a plugin such as Plugin Vulnerabilities, which checks the plugins on a site against a regularly updated database of known plugin vulnerabilities.
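One way to spot the hidden markup described above is to scan the page source for links that sit inside elements a visitor cannot see. This is an added example, not code from the original post or from any scanner it names; the CSS patterns treated as "hidden", the own-host check, and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS tricks commonly used to hide injected content from human visitors.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(px)?(?![\d.])"
    r"|(left|top|text-indent)\s*:\s*-\d{3,}px|height\s*:\s*0(px)?(?![\d.])", re.I)
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr"}  # never get a closing tag

class HiddenLinkScanner(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host, self.stack, self.findings = own_host, [], []
        self._href, self._text = None, []  # the hidden <a> currently being read

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        self.stack.append(hidden or (bool(self.stack) and self.stack[-1]))  # inherited
        host = urlparse(a.get("href") or "").netloc  # empty for relative links
        if tag == "a" and self.stack[-1] and host and host != self.own_host:
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data.strip())

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.stack:
            self.stack.pop()
        if tag == "a" and self._href is not None:
            self.findings.append((self._href, " ".join(t for t in self._text if t)))
            self._href = None

def find_hidden_links(html, own_host):
    """Return [(href, anchor text)] for outbound links placed inside hidden markup."""
    scanner = HiddenLinkScanner(own_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: one legitimate link plus two hidden spam links.
SAMPLE_PAGE = """<html><body><h1>Example Bakery</h1>
<p>See our <a href="https://www.example-bakery.test/menu">menu</a>.</p>
<div style="position:absolute; left:-9999px">Cheap <a href="http://pharma-spam.test/pills">generic pills online</a></div>
<p style="display:none"><a href="http://casino-spam.test/">best casino bonus</a></p></body></html>"""
```

Run it against the HTML your server actually returns to a search-engine user agent, since some infections only serve the spam to crawlers.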
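The "changes in code" check that scanners perform comes down to comparing file hashes against a known-good baseline. The following is an added example of that idea, not the post's code and not how Wordfence itself works; the directory layout and the skipped directories are assumptions about a typical install, and the files are constructed inside a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Directories that change constantly and should hold no executable code (an
# assumption for a typical install); skipping them keeps the report focused.
SKIP_DIRS = ("wp-content/uploads/", "wp-content/cache/")

def build_manifest(root):
    """Return {relative posix path: sha256 hex} for every file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and not rel.startswith(SKIP_DIRS):
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def diff_manifests(baseline, current):
    """Classify changes since the baseline; every entry deserves a human look."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo():
    """Build a tiny constructed install, snapshot it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-content/plugins/demo").mkdir(parents=True)
        (site / "wp-content/uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php'; ?>\n")
        (site / "wp-content/plugins/demo/demo.php").write_text("<?php /* plugin */ ?>\n")
        (site / "wp-content/uploads/photo.jpg").write_bytes(b"\xff\xd8\xff")
        baseline = build_manifest(site)  # taken right after a clean install
        # Simulate what an infection leaves behind: an edited core file and a new
        # PHP file inside a plugin directory, plus harmless churn in uploads.
        (site / "index.php").write_text("<?php /* edited */ require 'wp-blog-header.php'; ?>\n")
        (site / "wp-content/plugins/demo/cache.php").write_text("<?php /* unexpected */ ?>\n")
        (site / "wp-content/uploads/photo2.jpg").write_bytes(b"\xff\xd8")
        return diff_manifests(baseline, build_manifest(site))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the baseline somewhere the web server cannot write; an attacker who can edit site files could otherwise rewrite the baseline too.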
Perform regular maintenance on the site
As noted before, owning a website is a continuous responsibility. Simply setting one up and walking away is an open invitation for hackers to exploit your site. What is secure today may not be so tomorrow, when the latest plugin exploit is going viral.
The best way to ensure the integrity of a site is to continually update and improve it. Watermelon Web Works offers a monthly maintenance plan that examines a site for potential vulnerabilities and makes on-the-spot corrections. In this ever-evolving web landscape, the best protection is persistence and diligence.