Using WordPress? Security services can significantly ease worries about being hacked

SMBs can counter fast-moving attackers by outsourcing specialized support, protection needs


Tens of thousands of organizations, many of them small- and medium-size businesses, had their WordPress websites defaced in two waves of attacks earlier this year.

It was a profound wake-up call, again reinforcing why companies that rely on inexpensive, widely distributed tools and services, such as WordPress, need to stay on top of security best practices.

Businesses are more networked than ever and that means they are more vulnerable than ever. In many cases, SMBs do not have the resources to operate a security system in-house, so working with a managed security services partner can make things a lot easier.


In the WordPress hack in January, web security firm Sucuri discovered a severe vulnerability in the REST Application Programming Interface (API) and reported the flaw to WordPress.

The issue was patched with the release of WordPress 4.7.2 on Jan. 26, but the problem was not publicly announced for a week in order to give website owners time to update their software. But all too many failed to carry out the update.

A frenzy began among hackers looking for bragging rights about how many websites they could deface. In this first go-around, over 1.5 million WordPress pages were defaced across 39,000 unique domains.

In February, the same REST API issue was again exploited on WordPress websites.

Web security firm SiteLock discovered this second wave—and fresh motivation on the part of hackers. The defacements included ads directing traffic to a pharmaceutical sales website pitching erectile dysfunction cures. SiteLock has posted guidance on how to restore normal functions for any websites hit by these attacks.

Never too small to be a victim


In the eyes of Sucuri co-founder and CEO Tony Perez, SMBs fail at security because they are “the furthest thing from being proactive.” Neill Feather, President of SiteLock, agrees. He thinks SMBs suffer from an attitude of “I’m not big enough, and no one is interested in attacking me.”

Ultimately, this attitude will lead to an SMB’s downfall. The reality is that over 80 percent of attacks are targeted at businesses with fewer than 100 employees. Getting attacked is an even bigger issue for SMBs than it is for large enterprises. According to Feather, if an SMB gets attacked, 60 percent of its customers won’t return. While a large corporation may have the reserves to handle this, the immediate financial impact on a small- or medium-size business can be devastating. “It can be the difference between survival and not being open the next day,” Feather says.


Refraining from using a popular content management platform such as WordPress is not the answer to better protection. According to Feather, “Inherently, it is no more vulnerable than any other software. Getting away from popular software doesn’t make you less vulnerable. If you’re in the industry, you see vulnerabilities on almost every site-building software.”

SMBs can’t let their guard down

Instead, keeping software updated is crucial, particularly in the wake of these attacks. Thousands of websites could have been protected from defacement if they had only updated to the latest version of WordPress in the weeklong window between WordPress releasing the patch and releasing the news. But many owners weren’t even aware that they needed to update their software.

Education, however, provides the key to better protected SMBs. Security firms like SiteLock and Sucuri are going to greater lengths than ever to educate SMBs on the very real risks their WordPress websites face.

Perez advises SMBs to keep sites secure with effective maintenance and administration. This includes regularly updating plugins and themes, performing backups, and enforcing strong passwords. WordPress administrators need to implement these and other security controls. He adds, “The best security leverages a layered approach, combining tools and processes that cover all three elements of website security: protection, detection and response.”

Security worth money spent

Sucuri appeals to SMBs by keeping the cost of security affordable—its basic plan is priced at $16 per month. For a small business, the availability of its site is critical to the bottom line of the business. If its website goes down, the business goes with it. The expenditure is easily justified when calculated against the dollars lost in an attack. Businesses can have peace of mind that their websites are protected and supported when they need it most—during a security incident.

Meanwhile, SiteLock is set up as a one-stop shop for websites as well as web app security and compliance. With round-the-clock threat management, it provides SMBs the ability to see more malware vulnerability and attack data than almost any other security provider.

To attract SMBs, SiteLock works with partners such as GoDaddy, Bluehost and Hostgator to make it clear that just like hosting, security doesn’t have to be expensive. But now it has stepped things up a level and is doing its best to push content out even farther via blog posts, social media, seminars and conferences.

A third alternative, WP Managed Secure, provides a managed security solution and takes care of all the challenges that come with managing WordPress sites, such as updating plug-ins, core updates and broken links. Other vendors include CodeGuard and VaultPress.

With 24/7, 365 support and protection, SMBs can have the peace of mind to focus on their business rather than having to worry about the security of their WordPress websites.
