Cybersecurity Breaches Powered by WordPress: Part One of Our Cybersecurity Blog Series
06 May 2022
Over the last year, the COVID-19 pandemic has forced us to isolate ourselves from our work, family and friends. Technology has been the saving grace for millions of people across the world. Whether it's to run a business remotely or convert your spare room into an office, to source food from online grocery deliveries and ordering apps, to get your medication delivered to your door or to replace family functions with video calls, we've seen an unprecedented demand for digital technology. Unfortunately, cybercriminals enjoy a good global crisis and have found ways to exploit our increased reliance on digital interaction and online shopping. Home-workers on insecure private networks have opened new doors to cyber threats, viruses, malware and phishing attacks.
The FBI's Cyber Division has reported that the number of threats has reached 4,000 per day, a 400% increase since the pandemic started, part of which includes high-profile ransomware attacks (PRNewsWire, 2020). In a ransomware attack, an individual or group of cybercriminals takes control of your computer data or network until a ransom is paid. These attacks have surged to new levels during the pandemic, with many of these hackers holding top companies' systems until their hefty ransoms are fulfilled. However, these attacks are not restricted to the US. A rising number of ransomware operators have set up leak sites specifically to post stolen data worldwide. According to PwC (2020), over 150 global organisations have had their data published on these leak sites, with the overwhelming majority (80%) leaked after 23 March 2020, when the first lockdown began in the UK.
PwC believes the overall increase in cyber incidents can be attributed to several factors, including:
- Espionage actors operating for governments (like Russia and North Korea) with economic interests at play or increased geopolitical tensions.
- A reduction in spending from consumers, meaning that groups that traditionally go after credit card details need to find new income sources.
- Organised crime groups see the current situation as an opportunity to target organisations in desperate situations.
- Increased, high-profile recruitment within ransomware affiliate programmes. This has triggered growth in the number of actors and affiliates who participate in their programmes and a general increase in identifying vulnerabilities, partly attributed to rapidly implemented remote working practices.
With so many areas of cybersecurity to focus on, we thought you would find our cybersecurity blog series a useful guide to what these threats can mean for multiple web properties and devices. Given their widespread popularity, Part One kicks off with a focus on WordPress websites and how cybersecurity threats affect small to medium-sized businesses and the everyday WordPress owner. In this blog we aim to answer these core questions: when the threat of cybersecurity risk is so high, what is the true cost of using WordPress, and is it really free?
The true costs of using WordPress
For those unaware of the 'free' open-source Content Management System (CMS), WordPress powers over 40% of all websites online and is the fastest growing CMS, with around 500+ new websites being set up daily (codeinwp, 2020). However, WordPress is also the most hacked CMS on the market, with roughly 90,000 attacks on WordPress sites every minute. Of the vulnerabilities reported by WPScan, 52% are in WordPress plugins, with TimThumb, Revslider and Gravity Forms ranking as the most frequently hacked on the roster. Other vulnerabilities have been attributed to cross-site scripting (XSS), themes and core files. To say that WordPress in the wrong hands is about as secure as the Wild West would be an understatement.
These cybersecurity threats are primarily due to amateur coders who know how to write PHP but may not possess the expert skills to keep their code secure. If you have worked with a WordPress theme, or inherited a barely functional one from a friend or relative and ended up fixing far more than a few lines of broken code, you already understand that this CMS is not consistent and that each website works in a different way. All it takes is one plugin to become compromised and the website is an open door. At Arishi, when we work on a Magnolia project, we assign well-trained staff who follow the consistent structures and processes the CMS provides, and the result is a beautiful, functional and secure website. With WordPress, we often need our senior developers to secure parts of the system.
We understand that the cost difference between creating a WordPress website and a more robust CMS-driven website can amount to a few thousand pounds per annum. Yet, time and time again, we work with clients who have come to us for help after hiring someone else to create a WordPress website that looks attractive, works well as a marketing tool and is hosted on a low-cost server. What they did not know before they started their web development and hosting project is that lower-cost hosting packages are unmanaged and unmaintained, and that a WordPress site needs more active management than any other CMS to fight off cybersecurity threats. Many people believe that once a website goes live, and as long as they keep paying for the out-of-the-box web hosting that came with their domain purchase, they are safe from security breaches. This is not the case.
Online hackers have tools that scan for websites that are easily exploitable. They will steal information from these sites, deface them for fun, or use them to host link-bait pages that benefit their own websites. One of our clients came to us after their WordPress site was hacked and filled with link-bait pages. Google did not spot the issue and continued to index these hidden pages as backlinks, which increased the hacker's ranking on Google. Hackers hang out in forums around the web to learn about vulnerabilities in WordPress and then prepare their attacks.
The WordPress plugin, WooCommerce, accounts for roughly 25% of all online stores, so it comes as no surprise that cybercriminals continually attempt to steal credit card information from unsuspecting web owners.
To combat this, we recommend getting an expert to review your plugins and web server configuration. You should also ensure that an experienced developer constantly maintains the website and the servers it runs on, using the most secure version of the software. Passwords for the administrator and the online shop should be updated regularly. We like to analyse traffic to the site and implement a system on the server so that if someone from a given location has either got a password wrong five times or has made multiple attempts to access protected resources, they are added to a block list that stops them from returning. This also reduces the performance impact on the site.
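The block-list logic described above, written as an added example (not Arishi's own system): it scans constructed Apache/nginx-style access log lines, counts wrong-password attempts on wp-login.php and denied requests to protected resources per source IP, and returns the IPs that crossed a threshold. The five-failure limit comes from the post; the limit of ten denied requests, the log format and the use of HTTP 200 (form re-rendered) versus 302 (redirect on success) to tell a failed WordPress login from a successful one are assumptions.

```python
"""Threshold-based block list over web-server access logs (constructed example)."""
import re
from collections import defaultdict

# Combined log format as written by Apache/nginx; the sample lines are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

FAILED_LOGIN_LIMIT = 5   # from the post: five wrong passwords
PROTECTED_LIMIT = 10     # assumption for "multiple" denied attempts on protected resources

def classify(line):
    """Return (ip, kind) where kind is 'login_fail', 'denied' or None."""
    m = LOG_RE.match(line)
    if not m:
        return None, None
    ip, method, path, status = m['ip'], m['method'], m['path'], int(m['status'])
    # WordPress re-renders the login form with HTTP 200 on a wrong password and
    # answers a successful login with a 302 redirect, so POST + 200 is a failure.
    if method == 'POST' and path.split('?')[0] == '/wp-login.php' and status == 200:
        return ip, 'login_fail'
    if status in (401, 403):          # denied access to a protected resource
        return ip, 'denied'
    return ip, None

def build_block_list(lines):
    """Count events per IP and return {ip: reason} for every IP over a threshold."""
    counts = defaultdict(lambda: {'login_fail': 0, 'denied': 0})
    for line in lines:
        ip, kind = classify(line)
        if kind:
            counts[ip][kind] += 1
    blocked = {}
    for ip, c in counts.items():
        if c['login_fail'] >= FAILED_LOGIN_LIMIT:
            blocked[ip] = 'login_fail'
        elif c['denied'] >= PROTECTED_LIMIT:
            blocked[ip] = 'denied'
    return blocked

# Constructed sample: one brute-forcer, one legitimate login, one admin-area prober.
SAMPLE_LOG = (
    ['203.0.113.7 - - [06/May/2022:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4123' % s for s in range(5)]
    + ['198.51.100.9 - - [06/May/2022:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0']
    + ['192.0.2.44 - - [06/May/2022:10:02:%02d +0000] "GET /wp-admin/ HTTP/1.1" 403 199' % s for s in range(10)]
    + ['192.0.2.45 - - [06/May/2022:10:03:00 +0000] "GET /wp-admin/ HTTP/1.1" 403 199']
)

if __name__ == '__main__':
    for ip, reason in build_block_list(SAMPLE_LOG).items():
        print(f'block {ip}: {reason}')  # feed to a firewall drop rule or a deny list
```

In production the counts would be kept in a sliding time window and expired, so that a shared office address is not blocked forever after one colleague's typos.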
When it comes to securing a WordPress website, many people tend to disregard the appropriate security measures until it is too late and the site is already compromised. With the cost of entry for developing and hosting a WordPress website appearing cheap, or even free, it is no wonder that millions of website owners overlook the true costs of running an insecure web operation. Investing in a more robust CMS, or at the very minimum commissioning the right developers, is vital to securing your business website, no matter how big or small the operation. With these measures, you can prevent unnecessary security breaches and be reassured that your company and customer information is protected. So, to answer the million-pound question: no, a functioning and secure WordPress website will never be free.
If this blog didn’t make you want to reset all of your passwords and rethink your security measures, we don’t know what will. We hope you enjoyed part one of our Cybersecurity Blog Series. Stay tuned for our next Cybersecurity piece on the cyber threats facing the Internet of Things (IoT) devices and get in touch if you have a question about cybersecurity.