Using WordPress? Security services can significantly ease worries about being hacked
SMBs can counter fast-moving attackers by outsourcing specialized support, protection needs
By Melanie Grano, ThirdCertainty
Tens of thousands of organizations, many of them small- and medium-size businesses, had their WordPress websites defaced in two waves of attacks earlier this year.
It was a profound wake-up call, again reinforcing why companies that rely on inexpensive, widely distributed tools and services, such as WordPress, need to stay on top of security best practices.
Businesses are more networked than ever and that means they are more vulnerable than ever. In many cases, SMBs do not have the resources to operate a security system in-house, so working with a managed security services partner can make things a lot easier.
In the WordPress hack in January, web security firm Sucuri discovered a severe vulnerability in the REST Application Programming Interface (API) and reported the flaw to WordPress.
The issue was patched with the release of WordPress 4.7.2 on Jan. 26, but the problem was not publicly announced for a week in order to give website owners time to update their software. But all too many failed to carry out the update.
A frenzy began among hackers looking for bragging rights about how many websites they could deface. In this first go-around, over 1.5 million WordPress pages were defaced across 39,000 unique domains.
In February, the same REST API issue was again exploited on WordPress websites.
Web security firm SiteLock discovered this second wave—and fresh motivation on the part of hackers. The defacements included ads directing traffic to a pharmaceutical sales website pitching erectile dysfunction cures. SiteLock has posted guidance on how to restore normal functions for any websites hit by these attacks.
Never too small to be a victim
In the eyes of Sucuri co-founder and CEO Tony Perez, SMBs fail at security because they are “the furthest thing from being proactive.” Neill Feather, President of SiteLock, agrees. He thinks SMBs suffer from an attitude of “I’m not big enough, and no one is interested in attacking me.”
Ultimately, this attitude will lead to an SMB’s downfall. The reality is that over 80 percent of attacks are targeted at businesses with fewer than 100 employees. Getting attacked is an even bigger issue for SMBs than it is for large enterprises. According to Feather, if an SMB gets attacked, 60 percent of its customers won’t return. While a large corporation may have the reserves to handle this, the immediate financial impact on a small- or medium-size business can be devastating. “It can be the difference between survival and not being open the next day,” Feather says.
Refraining from using a popular content management platform such as WordPress is not the answer to better protection. According to Feather, “Inherently, it is no more vulnerable than any other software. Getting away from popular software doesn’t make you less vulnerable. If you’re in the industry, you see vulnerabilities on almost every site-building software.”
SMBs can’t let their guard down
Instead, keeping software updated is crucial, particularly in the wake of these attacks. Thousands of websites could have been protected from defacement if they had only updated to the latest version of WordPress in the weeklong window between WordPress releasing the patch and releasing the news. But many owners weren’t even aware that they needed to update their software.
Education, however, provides the key to better-protected SMBs. Security firms like SiteLock and Sucuri are going to greater lengths than ever to educate SMBs on the very real risks their WordPress websites face.
Perez advises SMBs to keep sites secure with effective maintenance and administration. This includes regularly updating plugins and themes, performing backups, and enforcing strong passwords. WordPress administrators need to implement these and other security controls. He adds, “The best security leverages a layered approach, combining tools and processes that cover all three elements of website security: protection, detection and response.”
Security worth money spent
Sucuri appeals to SMBs by keeping the cost of security affordable—its basic plan is priced at $16 per month. For a small business, the availability of its site is critical to the bottom line of the business. If its website goes down, the business goes with it. The expenditure is easily justified when calculated against the dollars lost in an attack. Businesses can have peace of mind that their websites are protected and supported when they need it most—during a security incident.
Meanwhile, SiteLock is set up as a one-stop shop for websites as well as web app security and compliance. With round-the-clock threat management, it provides SMBs the ability to see more malware, vulnerability and attack data than almost any other security provider.
To attract SMBs, SiteLock works with partners such as GoDaddy, Bluehost and Hostgator to make it clear that just like hosting, security doesn’t have to be expensive. But now it has stepped things up a level and is doing its best to push content out even farther via blog posts, social media, seminars and conferences.
A third alternative, WP Managed Secure, provides a managed security solution and takes care of all the challenges that come with managing WordPress sites, such as updating plug-ins, core updates and broken links. Other vendors include CodeGuard and VaultPress.
With 24/7, 365 support and protection, SMBs can have the peace of mind to focus on their business rather than having to worry about the security of their WordPress websites.