Hacking websites used to be about having fun and bragging rights. Today hacking is all about financial gain by extorting money from victims, since the benefits far outweigh the risks. Only a very small number of hackers get caught, which is why cybercrime is now a very lucrative business.
Cybercrime, which includes everything from theft or embezzlement to data hacking and destruction, is up 600% as a result of the COVID-19 pandemic. Nearly every industry has had to embrace new solutions as the risk of being hacked rises.
Most people and small businesses don’t think they will ever be victims of cybercrime and believe it only happens to big business. While this may appear to be true, you simply won’t hear about a small business in the news. Small businesses also completely underestimate the potential damage that can be done once their website is hacked.
As of 2022, there are about 1.4 billion total websites on the web. More than 455 million sites use WordPress. That is a fair chunk of the market.
Let’s take a look at the WordPress facts and figures compiled by WP Clipboard.
- As of 2022, there are about 1.4 billion total websites on the web
- More than 455 million sites are built on WordPress
- Due to its popularity and widespread use, WordPress is a common target for hackers. There are close to 90,000 attacks per minute.
- WordPress websites are particularly vulnerable when they’re not regularly updated. 61% of attacked websites are outdated.
With this many attacks it’s only a matter of time before your site gets targeted by hackers. If your site is vulnerable, hackers will eventually compromise your site.
What can happen when my website gets hacked?
Hacking is much like mining for gold. In some cases hacking a site is of very little benefit, but more often than not it is a goldmine with the opportunity to make lots of money. Once hackers get their foot in the door so to speak, they will quickly elevate their efforts to make it worth their while. This includes:
- Injecting malware into your site’s pages so your site becomes a springboard for hacking other websites by using phishing techniques.
- Injecting malware into your website’s contact forms and forging emails on behalf of your organisation.
- Once they gain access to your email they can gain access to your PC, phone, tablet and other devices.
- Once they have control of your devices they can gain knowledge of your online services and steal your credentials.
- By stealing your online credentials they can send forged emails to your clients and divert your bank account details.
- They can steal your data from cloud and online services and encrypt your company data then ask for a ransom.
- They can steal your identity and sell your data on the dark web.
All of the above can happen very quickly and in most cases you will never know it’s happening until it’s too late. Hackers use sophisticated tools to cover their tracks by using VPN services, hopping from country to country covering their footprints so they rarely get caught. They don’t care what damage they do to their victims or have any remorse for their actions because it’s purely about money.
Law enforcement agencies simply won’t have the resources to assist you, and with no legal jurisdiction and with geopolitical factors at play, it seems cybercriminals just have everything in their favor. The odd breakthroughs you hear about on the news are usually isolated to very large corporations where the impact is likely to be in the millions and affects a large number of the population. Even if hackers are prosecuted, the damage done is usually unrecoverable. If a ransom was requested and paid, the chances of ever recovering your money are practically zero. Your brand and reputation will suffer and so many victims plunge into the depths of despair.
If you didn’t do all you could to prevent the hack, you then face lawsuits and government penalties. The road to recovery may be unachievable. You should do all you can to prevent and reduce the risk of being hacked.
Why should you audit your website for security?
WordPress is a content management system (CMS) that allows you to build fully featured websites. Like any software, WordPress must be kept secure and updated. WordPress periodically releases updates and fixes. Each update or release fixes bugs, adds new features, improves performance, or enhances existing features to stay up to date with new industry standards. When you do not update your WordPress site, you are risking your website security and missing out on new features and improvements.
WordPress is also built on a plugin architecture and a template system. This plugin architecture is what makes WordPress so powerful, as you can build a site to fit your business with very little investment. But with this power comes great risk, as these themes and plugins must also be kept secure and updated. Plugins and themes are most often built by 3rd parties, so the operations of your website will become dependent on many different vendors and developers.
And with many different vendors and developers this creates other problems. Not all vendors and developers are equal. There are just as many poorly developed plugins as there are good quality ones. How do you know the difference?
Let’s take a look at the WordPress facts and figures compiled by WP Clipboard.
- 52% of WordPress vulnerabilities are caused by out of date plugins.
- 37% are caused by WordPress core files.
- 11% are caused by outdated WordPress themes.
- 8% of WordPress sites are hacked due to weak passwords.
As you can see, it’s all about software. On a typical website there are millions of lines of code. Because this code is written by humans from all walks of life, mistakes and oversights are a given.
How do I ensure security in WordPress?
So to maintain the highest level of security there are a number of things to address:
- Ensure your hosting is secure, using the latest PHP versions, PHP Modules and MySQL and a hosting company that focuses on security. Secure hosting does not come cheap so don’t be price driven when it comes to hosting.
- Ensure WordPress core is maintained, actively updated and configured correctly
- Ensure that your theme is secure and maintained
- Ensure that your plugins are secure, supported and actively maintained. How many plugins are there? What is the quality of the software?
- Ensure that you adopt a user security policy, strong passwords, two-factor authentication etc
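One way to automate the update checks in this list, as an added example that is not part of the original article: it reads inventory in the JSON shape that WP-CLI prints for `wp plugin list`, `wp theme list` and `wp core check-update` with `--format=json`, and reports what is outdated or installed but unused. The `audit` function, the plugin and theme names and all sample values are constructed for illustration.

```python
import json

# Constructed sample data in the shape of WP-CLI's JSON output
# (names, versions and the URL are invented for this example).
PLUGINS_JSON = '''[
 {"name": "contact-form-example", "status": "active", "update": "available", "version": "5.1"},
 {"name": "seo-example", "status": "active", "update": "none", "version": "19.0"},
 {"name": "old-slider-example", "status": "inactive", "update": "available", "version": "2.3"}
]'''
THEMES_JSON = '''[
 {"name": "example-theme", "status": "active", "update": "none", "version": "1.4"},
 {"name": "unused-theme", "status": "inactive", "update": "available", "version": "1.0"}
]'''
CORE_UPDATES_JSON = '''[
 {"version": "6.0.1", "update_type": "minor", "package_url": "https://example.invalid/wp.zip"}
]'''


def audit(plugins_json, themes_json, core_updates_json):
    """Return (component, name, finding) tuples for items that need attention."""
    findings = []
    # Assumption: an empty string means no core update was reported.
    for upd in json.loads(core_updates_json or "[]"):
        findings.append(("core", "wordpress",
                         f"{upd['update_type']} update to {upd['version']} pending"))
    for kind, raw in (("plugin", plugins_json), ("theme", themes_json)):
        for item in json.loads(raw):
            if item["update"] == "available":
                findings.append((kind, item["name"],
                                 f"outdated (installed {item['version']})"))
            # Inactive code still sits on disk and still needs patching.
            if item["status"] == "inactive":
                findings.append((kind, item["name"],
                                 "installed but inactive; remove if unused"))
    return findings


if __name__ == "__main__":
    for component, name, finding in audit(PLUGINS_JSON, THEMES_JSON, CORE_UPDATES_JSON):
        print(f"[{component}] {name}: {finding}")
```

Run on a schedule against real WP-CLI output, a non-empty result is the signal that the site has fallen behind on updates.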
Since most small business owners don’t have the technical knowledge or financial resources to have their own security teams, they are often an easy target for spammers and hackers. Their websites tend to be vulnerable because they don’t regularly upgrade their technology and often use easy-to-hack passwords.
Given the abundance of security tips you can find online, you might be fooled into thinking you can handle security on your own. And in some cases, this can be true if you have the technical knowledge.
How can I get help?
If you have a Website Developer who says that they are looking after your website, get a 2nd opinion. In my experience most tech-savvy WordPress users and developers fall short on advanced security techniques. If you have a Website Designer looking after your site, that’s even worse as most Website Designers are creative people who fall short on even the most basic security techniques.
If you have nobody looking after your site, this is a big red flag. Most websites will require some software updates at least on a weekly basis.
If you have just had a new website built, don’t be fooled into thinking it should be secure because it was just built.
How much does it cost to audit a website?
Only a WordPress security professional knows where and how to look for potential vulnerabilities. Only a WordPress security professional knows how to conduct a security analysis of your site to help protect your site from all sides.