Designing and building a website is a big undertaking – you spend months working with your agency, managing stakeholders, feedback, expectations, go-live – by the end of it you’re happy it’s all done and dusted, but of course you then have to keep the content relevant and new, manage leads, social cross linking… let’s be honest, it never really ends.
But one thing that we see businesses neglecting or, just (understandably) not being aware of is the need for security and maintenance of their website, especially those built on the WordPress platform. Without a well maintained and properly protected website, it’s not a matter of if your site will be compromised, but when.
In this two part series, we will examine some of the key considerations for WordPress security that you can take into your own hands.
It’s worth firstly noting that WordPress isn’t inherently less safe than other platforms, but it does need to be carefully managed simply because it’s one of the most popular content systems. And like anything with a large user-base in today’s day and age, that’s where the “hackers” focus their efforts. Spending time with some of the world’s leading WordPress developers and security experts at a recent conference, the team at Driven gained further insight into some of the many ways your website can be compromised. While there’s a considerable list, many of those fall into the hands of your agency, developer, and / or hosting provider. Below are some of the most common vulnerabilities that website owners (you) should be keeping in mind when reviewing and maintaining your WordPress site.
We’re all guilty of using one basic password in more than one instance as it’s difficult to remember multiple passwords, and it’s impossible to remember the suggested passwords created at random when you make a new account on a new website or app. However, using the same password across more than one account is extremely risky for you and your business – and chances are that, if you do this, it’s just a matter of time before your details are exposed and sold, to then be exploited by bad people.
Here’s an unfortunate yet common scenario: let’s say you use the same password for your email address as you do for your LinkedIn account, and for your WordPress website login you just use the same email address but you thought to yourself “maybe I should keep this password a little different for the sake of safety”. Like most people, you don’t change your email password too often because, let’s be honest, it’s a pain. Back in 2012 LinkedIn’s database was breached by Russian hackers, exposing 6.5 million users’ passwords. The hackers then made this database of passwords (with your login email address) available either for free or, in some cases, to purchase. Someone gets their hands on your details, and now has access to your email account (because remember, you used the same one for LinkedIn). They already have access to two major accounts, with personal and confidential details, conversations etc. The bigger issue here, apart from all the horrible things they can already do with even just access to one account, is they have a way of verification control and they can say they are you.
As per the scenario above – let’s assume you just use the same email address for your WordPress site, but the password is different. The hackers look at your LinkedIn profile, they see which company they work for and simply go to the URL of your website and add /wp-admin to the end. They’re prompted with a login to the WordPress system, and they go to enter your exposed details from the LinkedIn breach – but you thought ahead! They can’t log in because you decided in advance to choose a different password. Unfortunately, like almost every single login form in existence, websites and app makers understand we have a lot of passwords or that we forget them over time, so they all have that little “Forgot password?” link below them, and the majority of the time it’s just a case of simply entering your email address to get sent a new password… and as you guessed it, they have access to that email address.
They now have full control over your business’ (or the business you work for’s) website as well. It doesn’t take much imagination to figure out what can happen once someone has access to this type of platform – apart from all the various types of public damage to a brand that can be caused be having complete control over the content, design, and what the site does when a normal user then tries to view it – the hackers can also lock everyone else out of the site making it difficult, or impossible to regain control. It’s possible in some cases for your developer or hosting provider to completely shut down the site, but that alone is already a huge issue – and then there’s the question of whether or not they or you have been making regular backups, and if not, there is no way to restore a previously working version of your site.
The above is just an partly made up scenario, but we have experienced almost the identical situation happening with our clients – the LinkedIn breach is just one example, but this type of mass exposure of passwords, email addresses and personal details is far more common than most people think. A Queensland man by the name of Troy Hunt created a website that allows you to enter your email address to see if, at any point in the past few years, has been exposed via one of these breaches. Check both your personal and work email addresses against this database to see if they have ever been exposed and take action as needed (see below). You’d be surprised to find that in most cases, your details have been exposed at some point in the last few years.
So you’re probably asking “what can I do?!” – the answer is relatively simple, but you may not like it. In our opinion there’s two important measures that you should really try and implement as soon as possible:
1. Use a Password Locker + randomly generated passwords: Password lockers are fairly self-explanatory, and you’re probably using them in some form or another with your mobile devices (e.g. iCloud Keychain) or your computer’s operating system. They’re usually cloud-based services that store all your passwords for you, and will more often than not generate your new passwords for you too. This is useful because it solves a couple of issues that we have:
a) coming up with hard to guess (impossible really) passwords for your accounts, and
b) not needing to remember these since most of these password lockers offer some form of integration with your favourite operating systems or web browsers.
There are a variety of offerings available for password lockers such as LastPass, Dashlane, 1Password, Keeper and many others. Some are free and are great for personal use, but you should ensure that if you’re implementing this across your business, that you find one that allows for a solid foundation of password sharing, team / user managing and control, and works across the technology (operating system/s, browsers etc.) that your business uses. We use LastPass here at Driven, and it has proved to be a great way of keeping track of all our business logins, and it generates unique passwords for each new account we create.
2. Two Factor Authentication (2FA): So how do you protect your password locker? You’re probably thinking that the above tool is all good in theory, but you obviously need to password protect… your passwords. How do you stop someone getting that password and then gaining access to all others? Well firstly, we would recommend making sure that whatever password you use for this purpose is only used for your password locker, and absolutely nothing else. But let’s just pretend for a minute that your password for your locker was somehow discovered and a hacker tries to log in to your account.
You can prevent this from happening, especially on a new device or browser IF you have something called Two Factor Authentication (also known as 2FA, two-step verification, or dual factor authentication) enabled. This simply puts a verification step between the correct details being entered, and actually gaining access to the system. It will most commonly require either an email link, SMS code, or other type of verification code to be entered along with the correct email address and password. This ensures that you are the one trying to gain access to the account, and while it means there’s just one more thing to do – it is one of the most effective ways of protecting yourself against unwanted intrusions and account access.
This of course isn’t just for your password locker, so it should be implemented across all logins where you can. Most platforms offer it as a feature these days (Gmail, Amazon, etc.) – you just have to go into your settings regarding privacy and security and enable it. Our recommendation is to avoid using SMS verification if possible, since this relies on your phone number which, as it turns out, is also easy for hackers to get access to. Without going into too much detail, apparently a simple convincing phone call to your telco with the request of “I’ve lost my phone and got a new SIM card, can you please port my number” can be enough. We suggest listening to this episode of Reply All for a lot more insight into the topic and what can happen to your personal account and data when the wrong people get their hands on it. We tend to use an authenticator app (Google Authenticator on Android or iOS) which generates timed codes like the old early online banking days, which you enter along with your login details.
So how does this relate to your WordPress site? In case it’s not clear – your site more than likely uses a simple username (email) and password form of authentication. In today’s landscape this isn’t enough. Most of our clients’ websites use the free version of WordFence at the least to have a basic additional layer of monitoring and security, and while it does a lot out of the box for free, it will only take you so far. Apart from full scanning, removal of malware, IP blocking (more on that later), and other security useful features, WordFence Premium offers Two Factor Authentication as an option. We’ve been working with clients on purchasing this version of the plugin, and mandating 2FA for all WordPress users of the site. Along with the proper use of a business or team password management tool, you are greatly minimising the chances of unwanted access to your site (and everything else).
Part 2 of our WordPress security review will look at other types of vulnerabilities that you as a site owner should be aware of, and what you can do to help minimise the risk and protect yourself against these problem areas, so stay tuned.