Kathy Zant – Why Hackers Target Small Business Websites

Mar 22, 2024 | Meetup News

Learn what you can do about hackers targeting your website and why they do it.

ABOUT THE PRESENTATION

Often people ask why hackers are targeting their seemingly unexciting small business websites. And yet, these smaller websites are often receiving the brunt of malicious attacks.

Hackers understand economies of scale. As such, smaller WordPress sites are always under attack by bots looking for signs of vulnerability. Fortunately, there are a number of easy ways to protect your site by making good security decisions.

We’ll go through some of the most common methods hackers use to get into WordPress sites through some entertaining (and sometimes scary) stories.

You’ll learn key security principles to help you make good decisions to prevent intrusions, detect them, and recover from a security event if you are ever compromised.

ABOUT THE PRESENTER

Kathy Zant is an internationally recognized speaker on security, marketing, and data-driven website development. She’s spoken at countless events worldwide, both online and on stage, and she’s been an organizer for both WordCamp Phoenix (twice) and WordCamp US. A frequent guest on numerous podcasts about WordPress and emerging technologies, she is also co-host of The Kadence Beat, Do the Woo, and WPMotivate, and is a frequent co-host on This Week in WordPress. An Executive Producer of Open, the open-sourced documentary about the WordPress community, she is passionate about your stories and believes everyone’s voice deserves to be heard.

SUMMARY

WordPress has become one of the most popular content management systems (CMS) in the world, powering millions of websites. However, with its popularity comes the attention of hackers who are constantly seeking vulnerabilities to exploit. In a recent presentation on WordPress security, Kathy Zant shed light on the risks faced by small businesses and the proactive measures that can be taken to protect against cyber threats.

The Vulnerability of Small Businesses

Hackers rarely choose a small business site at all. Automated scripts sweep lists of URLs looking for known-vulnerable software, weak logins, and exposed files, and whatever answers vulnerably gets compromised, regardless of how much traffic it has. Small sites are assumed to have weaker defenses than a large publisher, and a compromised server is worth money by itself: it can host phishing kits and malware, send spam on the strength of the site's domain reputation, and attack other servers. The unauthenticated remote code execution vulnerability in the Bricks page builder discussed in the talk is this pattern at its worst: it was responsibly disclosed and patched, and attackers began exploiting unpatched sites at scale within days, because a flaw that needs no account and works with a single request is the easiest possible way to take over many sites at once.

The Consequences of Inadequate Security

The consequences of a breach can be devastating for a small business. Beyond the direct cost of cleanup, a compromised checkout that skims card numbers puts the merchant in breach of the Payment Card Industry Data Security Standard (PCI DSS), which carries penalties from the card brands, and most jurisdictions (GDPR, California and Nevada are named in the talk) require notifying customers whose personal data, which includes IP addresses, may have been exposed. A breach also damages reputation, costing customers and revenue. The talk cites an AT&T study finding that 60% of small companies go out of business within six months of a breach or cyber attack. Investing in security is part of the business's survival, not an optional extra.

Proactive Security Measures Against Hackers

Implementing proactive security measures is crucial for safeguarding your WordPress site: regular security audits, tested backups, prompt updates, and an incident response plan written before it is needed. Plan on the assumption that the site will eventually be hacked: a site with automatic updates enabled for Bricks would have been patched without anyone logging in, and a site with recent, tested backups can be restored rather than cleaned by hand. The same AT&T study cited in the talk also found that companies with proactive security practices reported higher sales growth and profit margins than those without; the talk reads this as a sign of an organized operation rather than a direct effect of security spending.

The Power of Strong Authentication

One key aspect of WordPress security is the strength of user authentication, because password reuse and weak passwords are brute-forced by the same bots that scan for vulnerable plugins. Every account needs a unique, complex password, which in practice means a password manager. Two-factor authentication adds a second check beyond the password; prefer a code from a reputable authenticator app over SMS, which is exposed to SIM swapping. Passkeys, which WordPress can use through plugins such as Solid Security Pro, replace the password with a cryptographic credential that cannot be phished or brute-forced, and should be used wherever they are offered.

Principle of Least Privilege

Adhering to the principle of least privilege is another important practice: every person gets their own account, with only the WordPress role the task requires, and nobody shares the administrator login. Someone who only publishes blog posts needs Editor access, an occasional contributor needs Contributor access, and a staff member who updates a bio page needs no ability to install or update plugins at all. If one of those accounts is phished, or its password turns up in a breach elsewhere, the damage is limited to what that role can do.
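As an added illustration (not code from the talk or from any plugin it mentions), here is a must-use plugin that creates a narrow role for the "Jane only edits a bio page" case, plus a helper that lists every account holding administrator-level capabilities so a shared admin login stands out during an audit. The role slug, its display name, the capability set and the helper's name are my own choices.

```php
<?php
/**
 * Added example, not part of the talk or of any plugin it mentions.
 * Save as wp-content/mu-plugins/least-privilege.php; mu-plugins load
 * automatically and cannot be deactivated from the dashboard.
 * Role slug, display name and capability set are assumptions.
 */
defined( 'ABSPATH' ) || exit;

add_action( 'init', function () {
    // add_role() returns null when the role already exists, so register once.
    if ( get_role( 'page_content_editor' ) ) {
        return;
    }
    add_role(
        'page_content_editor',
        'Page Content Editor',
        array(
            'read'                 => true,
            'edit_pages'           => true,
            'edit_others_pages'    => true,
            // Lets the role update pages that are already live (the bio page).
            // Without publish_pages it cannot put a new page live.
            'edit_published_pages' => true,
            'upload_files'         => true,
            // Deliberately absent: publish_pages, delete_pages, edit_posts,
            // edit_theme_options, install_plugins, update_plugins,
            // activate_plugins, edit_users, manage_options.
        )
    );
} );

/**
 * Audit helper: logins that hold administrator-level capabilities.
 * More than one or two entries on a small site usually means a shared
 * "admin" account or a customer who was handed Administrator for
 * convenience instead of Editor.
 */
function lp_list_privileged_users() {
    $privileged = array();
    foreach ( get_users() as $user ) {
        if ( $user->has_cap( 'manage_options' ) || $user->has_cap( 'install_plugins' ) ) {
            $privileged[] = $user->user_login;
        }
    }
    sort( $privileged );
    return $privileged;
}
```

Assign the role from Users > Add New or with WP-CLI (`wp user create jane jane@example.com --role=page_content_editor`; the login and address are placeholders), and list privileged accounts with `wp eval 'print_r( lp_list_privileged_users() );'`. Anything in that list that is not a named person with a reason to administer the site should be downgraded.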

The Importance of Regular Updates

Keeping all software updated is a fundamental requirement for a secure WordPress site: plugins, themes and core, plus the tools on the devices used to administer it (browser, FTP client, operating system). Outdated software contains known vulnerabilities that attackers scan for, and the Bricks incident shows how short the window between patch and mass exploitation can be. WordPress can apply plugin, theme and core updates automatically, for everything or plugin by plugin, and combined with regular backups that is the safest default for a small site. Deactivating a plugin or theme is not enough: the code stays on disk and some vulnerabilities remain reachable, so delete anything not in active use.
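An added example of that update policy as a must-use plugin (my code, not the talk's): everything updates itself except a short list of plugins that are tested on staging first, and a helper produces the list of installed-but-inactive plugins that should be deleted rather than left on disk. The deny-list slug is a placeholder.

```php
<?php
/**
 * Added example, not from the talk: an update policy as a must-use plugin
 * (wp-content/mu-plugins/update-policy.php). Everything updates itself
 * except the plugins listed below, which are tested on staging first.
 * The slug in the list is a placeholder for this illustration.
 */
defined( 'ABSPATH' ) || exit;

const SITE_MANUAL_UPDATE_PLUGINS = array( 'woocommerce' );

// Receives WordPress's default decision and the update item (slug, plugin
// file, new_version). Returning true opts the plugin in to auto-updates.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( in_array( $item->slug, SITE_MANUAL_UPDATE_PLUGINS, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

add_filter( 'auto_update_theme', '__return_true' );

// Minor core releases (security and maintenance) are on by default;
// stating it here makes the policy explicit and visible in one file.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

/**
 * Audit helper: plugins that are installed but not active. Their code is
 * still on disk and may still be reachable, so this is a to-delete list.
 * Returns plugin-file => version.
 */
function site_list_inactive_plugins() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $inactive = array();
    foreach ( get_plugins() as $plugin_file => $data ) {
        if ( ! is_plugin_active( $plugin_file ) ) {
            $inactive[ $plugin_file ] = $data['Version'];
        }
    }
    return $inactive;
}
```

Run `wp eval 'print_r( site_list_inactive_plugins() );'` to get the deletion list and `wp plugin delete <slug>` for each entry; Plugins > Installed Plugins > Inactive in the dashboard shows the same set. Pair automatic updates with backups taken before the update window, so a bad release can be rolled back.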

The Critical Role of Backups

Backing up your WordPress site is an essential part of any security strategy, and a backup that has never been restored is not a backup: test the restoration process and confirm the copies are not corrupt. Store backups off-server and assume that anything on the server, backups included, is compromised or destroyed in a hack. Backups are also sensitive data in their own right: a site audit described in the talk found a backup archive sitting in a web-accessible directory, containing wp-config.php and therefore the database password, where any attacker who guessed the file name could have downloaded it.
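The exposed-backup finding above is easy to check for. The following is an added example (my code, not the talk's) that walks a web root and reports archive and database-dump files; the extension list is an assumption to extend for your backup tool's naming scheme, and the directory tree it builds when run from the command line is constructed for the demonstration.

```php
<?php
/**
 * Added example, not from the talk: find backup archives and database
 * dumps left inside the web root, where anyone who guesses the file name
 * can download them. Run stand-alone with `php find-exposed-archives.php`,
 * or include it from WordPress and call site_find_exposed_archives( ABSPATH ).
 * The extension list is an assumption.
 */
function site_find_exposed_archives( $webroot ) {
    $suspicious = array( 'zip', 'tar', 'gz', 'tgz', 'sql', 'bak', 'wpress' );
    $found      = array();
    $iterator   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $webroot, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iterator as $file ) {
        if ( in_array( strtolower( $file->getExtension() ), $suspicious, true ) ) {
            $found[] = $file->getPathname();
        }
    }
    sort( $found );
    return $found;
}

// Stand-alone demonstration on a constructed directory tree: two files
// that should be flagged and one ordinary PHP file that should not.
if ( PHP_SAPI === 'cli' && isset( $argv[0] ) && realpath( $argv[0] ) === __FILE__ ) {
    $root = sys_get_temp_dir() . '/wp-audit-' . uniqid();
    mkdir( "$root/wp-content/uploads", 0700, true );
    file_put_contents( "$root/wp-content/uploads/site-backup-2024-03-01.zip", 'constructed' );
    file_put_contents( "$root/backup.sql", 'constructed' );
    file_put_contents( "$root/index.php", '<?php // ordinary file' );
    print_r( site_find_exposed_archives( $root ) );
}
```

Anything the scan reports belongs off the server entirely, or at least outside the document root; a web server will happily serve `backup.sql` to whoever asks for it, and attackers' scripts ask for exactly those names.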

Leveraging Security Plugins and Services

WordPress security plugins provide an extra layer of protection. Solid Security (formerly iThemes Security), for example, offers file change monitoring, two-factor authentication and passkeys. Placing the site behind a service such as Cloudflare puts a web application firewall in front of it and improves performance at the same time.

Device Security and Site Isolation

The devices used to administer the site are part of its attack surface. Info-stealer malware on a laptop or phone can copy WordPress login cookies and replay them from the attacker's machine with no password or second factor needed, and a WordPress login cookie stays valid for 48 hours by default, or two weeks with "Remember Me" checked; logging out invalidates it. Keep computers and phones patched and running anti-malware, and log out rather than leaving sessions open. Isolate sites and functions from each other as well: when dozens of sites share one hosting account they run as the same server user, so one compromised site can rewrite files in all of them. One site per server user, and staging copies either kept patched or deleted, limits what a single intrusion can reach.
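To shorten the window in which a stolen cookie is useful, and to give an incident responder a quick way to kick a user out of every device, here is an added example must-use plugin (my code, not the talk's or Solid Security's). The eight-hour cap and the helper's name are assumptions.

```php
<?php
/**
 * Added example, not from the talk: caps how long a login cookie stays
 * usable and provides a one-call session revocation for incident response.
 * Save as wp-content/mu-plugins/session-policy.php.
 * The eight-hour cap is an assumed value; pick one the site can live with.
 */
defined( 'ABSPATH' ) || exit;

// WordPress passes its default lifetime: 2 days, or 14 days when the user
// ticked "Remember Me". Cap both so a copied cookie expires the same day.
add_filter( 'auth_cookie_expiration', function ( $seconds, $user_id, $remember ) {
    return min( (int) $seconds, 8 * HOUR_IN_SECONDS );
}, 10, 3 );

/**
 * Incident response helper: destroy every session token for the given
 * login, which invalidates all of that user's cookies on all devices.
 * Returns false if no such user exists, true once the sessions are gone.
 */
function sp_revoke_all_sessions( $user_login ) {
    $user = get_user_by( 'login', $user_login );
    if ( ! $user ) {
        return false;
    }
    WP_Session_Tokens::get_instance( $user->ID )->destroy_all();
    return true;
}
```

After a suspected device compromise, `wp eval 'var_dump( sp_revoke_all_sessions( "jane" ) );'` (placeholder login) logs that one user out everywhere, and rotating the keys and salts in wp-config.php (`wp config shuffle-salts`) invalidates every cookie on the site at once, which is the right move when you do not know whose session was taken.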

The Ongoing Importance of Security Audits

Security audits should not be seen as a one-time event but rather as an ongoing process. Conducting regular audits, approximately every three months, helps to identify and address new vulnerabilities that may have emerged since the last audit. Staying vigilant and continuously educating yourself on the latest security best practices is essential for maintaining the security of your WordPress site. Resources such as newsletters and YouTube channels dedicated to WordPress security can provide valuable insights and guidance.

Conclusion

In today’s digital landscape, the security of your WordPress site is of utmost importance. Small businesses, in particular, are targets for hackers due to perceived vulnerabilities. By implementing proactive security measures, such as regular audits, backups, and updates, small businesses can mitigate the risks associated with cyber threats. Strong authentication practices, adherence to the principle of least privilege, and the use of security plugins and services further enhance the security posture of your WordPress site. Remember, investing in security now can save your small business from the devastating consequences of a breach in the future. Stay informed, stay protected, and ensure the long-term success of your online presence.

RESOURCES

TRANSCRIPTION

Rob Watson:
Welcome, everyone, to the third Thursday meetup of the West Orlando WordPress meetup group. I’m Rob Watson, a co-organizer and host. West Orlando WordPress is an official WordPress meetup group affiliated with the WordPress Orlando and WordCamp US meetup groups. Often people ask why hackers are targeting their seemingly unexciting small business websites, and yet these smaller websites are often receiving the brunt of malicious attacks. Hackers understand economies of scale. As such, smaller WordPress sites are always under attack by bots looking for signs of vulnerability. Fortunately, there are a number of easy ways to protect your site by making good security decisions. We’ll go through some of the most common methods hackers use to get into WordPress websites through some entertaining and sometimes scary stories. You’ll learn key security principles to help you make good decisions to prevent intrusions, to attack, and to protect. You’ll learn how to hack them and recover from a security event if you are ever compromised. Kathy Zant is an internationally recognized speaker on security, marketing, and data-driven website development. She’s spoken at countless events worldwide, both online and on stage. And she’s been an organizer for both WordCamp Phoenix twice and WordCamp US. A frequent guest on numerous podcasts about WordPress and emerging technologies, she is also co-host of the World Wide Web. She is a frequent co-host on This Week in WordPress, an executive producer of Open, the open-source documentary about the WordPress community. She is passionate about your stories and believes everyone’s voice deserves to be heard. At this point, I’d like to invite everyone to mute their microphones for the presentation. Kathy, thank you for being our presenter this evening. The time is now yours.
Kathy Zant:
Awesome. Wow. Thank you for that. That was a wonderful introduction. I am so excited to be here. And if you guys ever wanted to, like, say, I am so lucky, you are joining a security talk on a very exciting day in WordPress security. There has been so much happening today, and we’re going to use some of the news of what has been happening over this week to sort of exhibit and as an example of what happens with WordPress security, because this has been kind of one of those banner weeks. It happens every once in a while. Major vulnerability is discovered, and hackers get busy exploiting it. So a couple of days ago, Bricks, the Bricks builder, vulnerability was found. The security researcher, Calvin Alkin, reached out to the developers, let them know what he had found. They patched everything. But because of the nature of the vulnerability, hackers look for these things. They look for the ripest fruit. They look for the easiest exploits. And when they find something that’s super easy to exploit, they get very busy. This was a very easy to exploit vulnerability. It is an unauthenticated, meaning you don’t have to log in. You don’t have to have a subscriber account or any kind of other account to exploit this. Anybody can exploit it. And it’s a remote code execution vulnerability. So you can put a script on any server anywhere in the world. A hacked server, perhaps. Perhaps you’ve been hacked previously. And make a call to a vulnerable website. And it goes and gets that hacked script. And boom, that site is hacked. It’s super easy to do. And as soon as that patch was applied, hackers got busy. So we’re seeing attacks happening right now. The Bricks group on Facebook is extremely busy with people trying to figure out what the heck’s going on and how did this happen so fast. Today, another page builder has a similar vulnerability. This one can only be exploited if you have a contributor or higher account. 
So it’s not going to be exploited as widely, but it’s a very similar type of vulnerability. So lots happening right now in the WordPress security space. And today, let’s talk about this. Let’s figure out what’s going on. Why are hackers targeting small business websites? And what can we do about it? You know, a lot of people that I’ve talked to about WordPress security, they’re like, it’s just my cat blog. It’s just my blog. It’s just my small business. I’m insignificant. Why are they targeting me? And we’re seeing that today. There’s lots of people in the bricks group who are like, why? Why is this happening to me? How do they know that I’m running bricks? How do they know that I have a vulnerable plugin or theme on my site? Why? And I don’t know. My best answer is it’s spray and pray. They have a script. It’s not Darth Vader who’s doing this, but it’s Darth Vader who’s written a script and has all of his little like script command and control center types of things that are going off and just spraying and praying. And they’re just hitting every website, whether it’s WordPress or not. And if the vulnerability is there, it basically hacks the site, put something on it, and then phones home and says, got one. So they are. They’re looking wherever they can. They know these vulnerabilities are out there. And a lot of hackers are getting lucky today. And it’s really unfortunate. Just some information about me. I’m a former developer. I used to, I was a project manager and then had a hard time getting developers to do what I want them to do. So I taught myself how to code. My first security incident happened in 1999. I inherited a server from a coworker and it got hacked.
Kathy Zant:
So that’s the way everybody gets into security. They get hacked. And then they’re like, okay, I got to learn everything that there is to know about security. So that’s how it happens. I have been the director of marketing at Kadence, where I was also helping iThemes Security and Solid Security. I have recently moved on to a new position, but I’ve spent a good part of today watching everything that’s happening in WordPress security. This is something that’s really close to my heart. And so any opportunity that I can have to bring empowerment to you so that you can make better decisions to keep your site safe and to keep your digital life safe, I am going to do it. So who is attacking your small business website? It’s not one person. It’s a script. It’s most of these attacks, whether they are brute force trying to log in as your admin account, or if they are trying to find a vulnerability on your site, these are just scripts. So something gets programmed and they have a database of WordPress sites. They have a database of URLs and they just basically spray and pray and wait for one of those scripts to find something. So it’s not just one guy, but it’s a guy with scripts. And the primary reason why they’re doing it is money. It really comes down to money. They want your server. Even if your site gets no traffic whatsoever, the fact that you have a server, WordPress site and a server that’s live on the internet with resources that can run PHP and other things is very attractive to them. So they want your domain reputation a lot of times if they’re doing spam and they want to run spam links to all of their casino sites and Viagra sites and all of these other things. So your domain reputation is very valuable. They want to use your site for phishing kits so that they can email unsuspecting people that click on a link and it is not flagged. As phishing yet in the Google red screen of death, your domain reputation is still good for a while until Google detects it. 
They want to put malware on that site and infect computers. They want to put back doors so that they can reinfect things when you think you’ve got your site cleaned. It all boils down to one thing. These people are trying to make money and you have something that’s valuable to them. They can use what you’ve got. So that’s why they’re doing it. Why they’re targeting WordPress? Well, WordPress is powering over 40% of the internet and they understand economy of scale. Like with this bricks vulnerability that is being attacked right now, I don’t have the data, but from things that I’ve seen in the past, this is what they’ll do. So they’ll hack 10 computers or 10 websites. And those 10 websites have server resources. Those IP lists or IPs aren’t on any blacklists. So they can use those. They can use those servers to go attack more servers. So they get these command and control types of situations happening where they have one server that’s telling these other hacked servers what to do. And they understand economies of scale. If they can get a hundred small sites, small servers hacked, it’s as good as having a data center. So they expect you, small businesses, to have less security. Sure, they can go hack the New York Times or, any large publication that is used. They can hack Taylor Swift’s website that uses WordPress. They can hack a large site like that, that’s getting a lot of traffic, put malware on it, and in fact, a lot of computers, but it’s a heck of a lot easier to attack a site like yours. Your site probably doesn’t have as much security as Taylor Swift or the New York Times, right? So it’s a lot easier for them to hack into your small business site. How are they getting in? Well, we have the BRX type of vulnerability, the remote code execution vulnerability. That’s pretty bad. That’s happening right now. That happens every once in a while, a few times, a couple times a year max, I’d say. 
We get something like this that’s very easily exploitable that we see exploited very quickly, software vulnerabilities. But more often than not, I see a lot of poor authentication, people reusing passwords or passwords that aren’t very good that get brute forced. And then we have lots of situations where people put 30 sites in a cPanel. So you have one site that gets hacked in your cPanel, but you have 30 other sites hosted there. You get 30 hacked sites because all of those sites are running under the same user on the server, running PHP, using the same permission. So if you get one site hacked, you get 30 sites hacked. We’ll talk a little more about that later. The risks to small businesses are pretty significant. especially when you’re doing like e-commerce, right? Now, this statistic came from an AT&T study that 60% of small companies go out of business within six months of falling victim to a data breach or a cyber attack. Just the cyber insurance, all of the issues that you have to deal with. In fact, like if you have an e-commerce site and you are taking credit card payments, the payment card industry data security standards, that’s what PCI DSS stands for. They want you, if you’re dealing with customer card data, to be extremely secure. I’ve seen plenty of WooCommerce sites that get hacked and a JavaScript skimmer is put on the checkout so that as someone is typing in their credit card number, that malicious script is sending that credit card number to the attacker. And yeah. For some reason, I don’t know why, but Visa doesn’t like that. So there’s a lot of risks to small businesses. Plus the fact, if you have a learning management system and you have customers personally identifiable information and an IP address is personally identifiable information, according to cybersecurity standards, you are required by many jurisdictions that if you get hacked, that you need to be able to get out of the system. 
So if you have a learning management to notify your users that their information has been exposed. GDPR, California, Nevada, I think pretty much all jurisdictions are requiring this now. So if you have an intrusion, there is that step that you have to take. So all these people who have customer information on their sites and are experiencing this breach happening, they have to assume that customer information is being leaked somewhere. And so they have to notify customers if they have customer data on those particular sites. There’s a lot of risks. So you want to protect your site. But AT&T also did a study saying, oh, of course, they’re selling to enterprise, right? So they do all kinds of studies about proactive security practices. They actually found that those companies that have proactive security practices, that they’re actually like doing an incident response plan, that they are actively putting firewalls and are going through the rigors of security process and procedure, they have better business outcomes. There’s more sales growth, and they have better profit margins. My theory is that if someone is doing those types of going through the rigors of good security practices for their online business, they’re going through good practices with sales and many other things as well. So I think it’s just it’s exhibits a good mindset when you have somebody doing well with security. No active security policies and procedures, 6% sales growth and 3% profit margins, not quite so good. It’s just a mindset. If you’re thinking proactively about your business, it’s going to show up in a lot of different ways. So security is, I think, and WordPress security especially, is a great place for you to look at your business and see what’s going on. 
And I think it’s a great place for you to learn about security, because the security practices you put in place for WordPress, you’re going to have to start using good security or password policies, two-factor authentication, that trickles over into everything else. So for me, WordPress security is empowerment. If you go through the rigors of good WordPress security, go through a site audit and make sure that you have everything in place that you need in order to secure your WordPress site, you’re going to start thinking about your business and your bank password differently. You’re going to start thinking about how all your passwords are stored. And you’re going to think about maybe how important it is to update Chrome on your computer and making sure that everybody who connects to your network is secure because of the trickle-down effect of all of these security issues. Like I said, security is a mindset. Get a good mindset about these things. It’s going to, it’s going to affect everything. I’ve seen a lot of strange security thoughts happening around this whole bricks vulnerability and some really bad advice being given to people. So there’s definitely always going to be more need for security education. And I’m here to do that. So let’s talk about this. Whose responsibility is this? There’s a lot of angry people, angry at the security researcher. Who found this vulnerability, responsibly disclosed it. Why, why do you have to find these things? There’s anger, you know, because there’s people with hack sites and they want to blame someone. They want to blame the bricks developer for, you know, what’s with your, I was going to buy this. And now I think I’m not going to. They, I will say that bricks from everything I can tell responded very quickly to the security report. And that’s something you want to see. In a plugin or theme developer. 
I’ve seen a lot of plugin developers that don’t respond to security reports or try to obfuscate that there was a security concern in their change logs. You want to work with developers that take security seriously, act quickly to rectify things and get the word out as quickly as possible to patch your sites. But ultimately it’s your site, isn’t it? I’ve got a bunch of sites as well. Security, if it’s your site, if, you know, open source with great power comes great responsibility, protecting WordPress, protecting your business. Ultimately it’s your responsibility. You’ve got a site you’ve got, you’ve got to protect and your business that you have to protect. But knowing the landscape of security and knowing what can be leveraged is going to help.
Kathy Zant:
So planning is really important. I advise people to plan that you’re going to get hacked. If these people who are going through hacks right now had planned for a hack, they would have backups every few hours, maybe if they have active transactions happening on their site. An incident response plan, planning for a hack. What’s going to happen when we get hacked? Have we tested our backups, making sure that they work? That you can actually do that. That you can actually do a restore, that they’re not corrupted, that they’re being stored in a good place off server. Doing a security audit, going over everything. If you plan for a security event, you’re going to be way more prepared than if you’re not. So you want to uncover and patch things and find problems. I have worked with people. I do security auditing for people. And sometimes people who are like well-known people in the WordPress space come to me and say, hey, can you audit this? And I’ll go in and I’ll think, I’m never going to find anything. This person knows WordPress. And boom, there’s a backup freely available with the database password in a WP config available that a hacker could have easily found. I find a lot of times plugins with vulnerabilities that haven’t been updated on sites. People who I expected to know better. Auditing helps. Having a process in place. If you have a small business, every three months, audit your site. Just take a quick look. And I have got an audit checklist that I can give you at the end of this that you can go through every three months and just double check everything that maybe something that the last time you did maintenance, you forgot something somewhere or did a staging server and oops, we forgot that that staging server is there and it’s now running vulnerable versions of things that can infect an entire site. 
Those types of things you can uncover when you’re auditing things. Because your website is, there’s a lot of pieces to it. It’s not just WP admin. It’s not just your password. There’s XML-RPC. That’s a way in. There’s your phpMyAdmin. Want to double check and make sure that that’s well secured. Your hosting panel, SSH, FTP, as well as making sure that HTTP is the S at the end of that. We want to make sure that that is secure as well. There’s so many different ways and so many different layers to how a web application works. This is called the OSI model. And it basically, it’s everything that goes into your website. Now, you might never think about the physical layer, the actual server in the data center at, you know, whatever hosting provider. But if a hacker was able to get into, maybe they were able to socially engineer somebody at the hosting company. Or be able to shoulder surf their way into getting a password, those types of things, and get onto the physical premises, that is a vulnerability as well. People don’t think about all of this other stuff, but there’s a lot to consider. So, let’s talk first, though, about passwords and authentication.
Kathy Zant:
So, reusing passwords should not be happening. Oh, my gosh. I was helping my daughter’s, I’m going to give it away. Somebody that works with my daughter, I was helping them do something. And they, I said, well, okay, I’m going to set up the password and I will put it into the password manager. And they were like, no, no, no, no, just make it this password. I’m like, please, no, please don’t make me do this. I’m like, okay, you can use that password, but you’re going to have a dollar sign and exclamation point in these four digits after it. You’re not reusing passwords. Please don’t. Don’t make me do this. I am surprised at how many people are still reusing passwords. It is time now to start using complex passwords, unique passwords everywhere. You have to use a password manager at this point in time. And there is something called the blind password strategy as well. If you’re scared of password managers and having everything in a password manager, here’s something you can do. You can put the password like, let’s say the first 16 characters goes into your password manager and then there’s four digits, let’s say it’s 1234 and that’s in your brain and then on the website or your WordPress site or your bank website, you put in that 16 digit password that’s in your password manager and then the 1234 and that’s what the bank has that way. If you are concerned that the password manager is ever breached. You have the blind password strategy. So that way you’re kind of adding another layer of security there. Two-factor authentication. I don’t know what’s happening with all the SIM swapping stuff, but I have a video on my YouTube channel about SIM swapping and about two weeks ago, it popped off because SIM swapping was in the news. And I guess it’s becoming more and more prevalent. I saw it a lot in the crypto space, but you should be using two-factor authentication. 
And an authenticator app and a reputable one at that. Google Authenticator is way better than it used to be. I hate two-factor authentication as much as anyone else, but it’s something that you, even if you have a 20 character password, there is a non-zero chance that that can be guessed and brute forced. So just adding that extra layer of authentication is incredibly important. There’s a new technology called passkeys. Solid Security, which used to be iThemes Security, does have passkeys available in the premium or the pro version of that. Passkeys is also available for Google and many other, who else is doing it, Square, I think, has it, or is it Stripe, Stripe has it as a second factor. TikTok even has passkeys. Now, I’m not going to go into how it all works. There’s a video on my YouTube channel that explains what passkeys are. If you’re interested, it’s about seven minutes long, but it’s going to replace the password. If you can use passkeys anywhere, use it because passkeys aren’t something that can be phished and it’s not something that can be brute forced. And then operating on the principle of least privilege. I see a lot of people with WordPress who are like, OK, well, here’s the admin password for WordPress and what you should be doing instead of just having one login that you share with everyone is each person who needs to do something on your site gets their own individual login. And they get only what they need to do. So if all I need to do on a website is post blog posts, all I need is editor access. If you have somebody who’s just contributing, give them contributor access and it takes away. If that account gets hacked, there’s less damage that a hacker can do. 
So that’s called the principle of least privilege. Only give access to people to the things that they need in order to do their job. Jane in the front office who just needs to change a bio on the website does not need access to update all the plugins. So you create a special account for her so that Jane can log in and change a bio on the website and just tweak a couple of things. But she doesn’t need all of the plugins. She doesn’t need all of the admin tools on a WordPress site. So those are ways that you can protect authentication. And then protecting your software, you know, keeping all software updated. That means plugins, themes, core. There are features now in WordPress to do automated updates. So you can set core plugins and themes. And you can even go through and say, well, I want these plugins to automatically update if there’s ever any problem. I can set all of them to do that or maybe just a few. You can make that determination on a case-by-case basis. But setting up automated updates for the plugins and themes and core is a great thing, especially if you’re doing backups, regular backups, just to make sure, like if somebody had that Bricks vulnerability and they had automated updates set for Bricks, it gets patched automatically. Then they don’t have to worry about going in and logging into like 40 sites and updating everything. Making sure that your FTP application is updated, all your browsers, your system, OS, making sure your computer. Yeah, we need to talk about this. This is another big, hairy thing. Cookie theft, info stealers on devices, whether it’s your phone or it’s your personal computer. We are now starting to see WordPress sites getting hacked because computers are getting hacked and authentication cookies are being stolen and hackers are using that to log into things. You may have noticed, I don’t know if you’ve noticed, I know I have, but I know that when I log into my bank now, I have a session. 
I have like 20 minutes to hurry up and get my business done before they log me out. That’s kind of new. That’s only been happening in the last year. And a good friend of mine, Thomas Raef, who works at We Watch Your Website and has the data to show it, wrote a blog post and has done a ton of research on these info stealers. So keep your WordPress website safe. Keep your computer safe by making sure you’ve got antivirus on your computer, and by making sure that you are updating the software on your computer, because that can be an intrusion vector for your WordPress website. And there’s a lot of people who are like, “Oh, nobody’s going to hack WordPress. That’s a lot of work for hacking WordPress.” But guess what? WordPress cookies last 48 hours. If you click that box that says “Remember me,” it lasts two weeks. So those cookies, if you’re not logging out… because if you go and click log out, it kills the cookie. The session’s gone. There’s no vulnerability there. But if you’re like me, who just loves being able to power up my computer already logged into all my stuff, it’s a vulnerability if you’re not keeping your computer patched. So really important there. And if you’re not using software, whether it’s a plugin or a theme or software on your computer, if you aren’t using it, it’s better to just delete that software. Don’t just deactivate the plugin and say, “Oh, well, it’s not vulnerable because it’s not active.” I’ve seen plenty of vulnerabilities that have been exploited because the code base is still there. Some of them you can exploit that way. Some of them you can’t. But it’s still just way better to delete things that you’re not actively using. So one example was File Manager. There’s a plugin called File Manager. And it gives you like a little directory tree. It basically allows you to… it’s like you have a file manager, and it’s in your directory.
And it’s in your WP admin. Super handy if you don’t want to log into FTP but you want to manipulate the files there. But it’s not necessary for your front-end site visitors. And it’s something that you’re only going to be using for a short period of time. Well, File Manager, people would deactivate it. And there was a vulnerability a few years ago where, deactivated but still resident on the site, File Manager had a vulnerability that was very actively exploited. Oh, geez, I want to say 2019 is when that happened. Seen it happen. So just remove it; if it’s not necessary for the front end of your site, remove that from your WordPress admin. Here’s something that I always get into arguments with people about. But I’ve seen some things. Functional isolation: one site per server-based user. cPanel likes these add-on domains. I’ve seen people put 100 sites in a cPanel. The worst hack I ever cleaned up was 30 sites in a cPanel. And one site had a reused password. It was an agency, this guy down in Brazil. And he had 30 customers in this one install. And he had given admin access to one of his customers so that they could update content. They probably would have been just fine with editor access. That password had been reused. Somebody got in and went and overwrote the 404 page for that one site. One out of 30 sites. That one site overwrote the 404, put a backdoor in there, added JavaScript, appended just one line of JavaScript that was a malicious redirect to every single JavaScript file within that entire hosting account. So 30 sites with all of their JavaScript files redirecting to a backdoor. And that’s what I’ve seen. So this agency is like, “Help. We need to get this cleaned up.” It was pretty easy to clean up.
We just downloaded the whole site, did a search and replace, got rid of that one line of code, and then tried to upload it back to the server. And there wasn’t enough space on the server because it was at like 90%. So we had to do each one. And that was a pain. But it affected all 30 of his sites. So you don’t want to put a ton of sites into one cPanel, because if one site gets hacked, just assume that they are all hacked. One site for each function. So if you have WooCommerce and LearnDash, and you have all of these different things that you’re doing as a part of your business, I would put the learning management and all of that functionality on one particular install, separated from WooCommerce and everything that’s happening there. Isolate things as much as possible. It makes it easier for troubleshooting. It makes it easier if something goes wrong. You want to be able to isolate your marketing site, if that gets hacked, from your customer data, because I don’t secure my test sites the same way I secure my bank accounts. If somebody gets into my test site, I’ll just clean it up later. Who cares? It’s my test site. But if somebody gets in my bank account, that’s a problem. So you’re going to apply different security rules based on different functionality. Your backups need to be off-server. There are great plugins like Updraft that’ll back up your site, and it’ll just be right there on your server. Nice and convenient, right? You’ll have to assume that each one of those backups, if your site does get hacked, is also corrupted, because the hacker had access to them. I’ve seen hackers get into sites and wipe the information out of log files that showed they were there. So you want to have your site backup backed up off-server, someplace away from the PHP processes that are running there. And I would even recommend that you back up your log files elsewhere as well, because if you do get hacked, you want to have some evidence of what actually happened.
So making sure that you have backups, especially if you have an incident where you have to provide information for cybersecurity insurance or anything like that; they are going to want all of the forensic evidence. If you ever do get hacked, the first thing isn’t getting rid of the malware. The first thing is backing up all of the evidence, making sure you have a copy of what happened. With all of your backups, you want to test restoration, right? So if something does happen, even if a plugin update goes wonky, you want to make sure that you can quickly and easily restore from a backup. So you want to test that process as well. All right. Protecting access. Cloudflare is not just for performance. They have great security tools as well. Yes, you can use a security plugin and Cloudflare, because you’re putting Cloudflare on before anybody ever gets to your site. You have DNS settings that you set up for Cloudflare. They also have a great product, which is an alternative to CAPTCHA, called Turnstile. That is great for your forms, if you’re getting a lot of bot activity on forms, or even for carding attacks, which can happen a lot on commerce sites where people are testing to see if a card is actually good. So I recommend using Cloudflare, especially just having it set up. If you ever get DDoSed, they have that “I’m under attack right now” mode; you just go through that process and it’s already set up for you. Plus there are performance opportunities there as well. The faster you can detect a problem, the faster you can fix that problem. So making sure that your host, your server, something, a plugin, is scanning for file changes, scanning for malware. Malware can be a separate file. Malware can be appended to a JavaScript file. Malware can be in your wp-config. Malware can be in your images and in your uploads folder. Malware can be anywhere. You have to assume that everywhere is vulnerable if your site gets hacked.
So scanning for new files, scanning for file changes of existing known files, monitoring on your network, monitoring any kind of malicious activity. I’m going to recommend Solid Security as the plugin of choice. They are doing so much cool stuff with Solid right now. That’s one of the StellarWP / Liquid Web brands. And Timothy Jacobs is the developer on that. He’s one of the smartest guys I know in WordPress security. So they do file change detection as well as passkeys and all kinds of other stuff. If you want an audit checklist, you can go to xant.com/fl-meetup. There’s a form there that you can fill out. And you can get on my newsletter if you want to and get the audit checklist. Or you can just get the audit checklist. See, you get to choose. Choose your journey. And if you want to get on the newsletter, I mail sporadically. I did mail this morning about the Bricks and the quickly vulnerabilities. I wanted to get that information out there as fast as I could. Also, my YouTube channel, just Kathy Zant on YouTube. I do all kinds of security tutorials. It’s not just about WordPress. It’s also about SIM swapping attacks, info stealers. I’m going to try to drag a few of my friends in the WordPress security space on to talk about what’s happened with quickly and Bricks sometime in the next couple of weeks. So you can subscribe to me there. But yeah, the newsletter is probably the easiest way to stay in touch. But I am sure you guys have questions. And I am here to answer all of those questions.
Rob Watson:
Thank you so much, Kathy. I’ve got to go back and review this recording and make a whole bunch more notes than I was able to make. This is really comprehensive. And it’s got me thinking a lot more about what I need to be doing as well.
Kathy Zant:
Thank you. Yeah, I’m very happy to share my years in the trenches cleaning hacked sites. I finally did the math last year; a friend of mine asked how many sites I had cleaned. And I’m like, well, let’s do the math. I don’t know. There were over 3,000 sites that I had cleaned over the course of a year and a half. And I didn’t consider myself a security expert. But I knew enough about security to be dangerous. And I knew enough about WordPress to know that when the hacker had moved the giant purple sofa into the living room, I knew what didn’t belong there, right? So it made the learning much easier, and I had some really good teachers as well. So I’m happy to share the knowledge as much as possible with everyone else. Awesome.

Rob is a founder of West Orlando WordPress and an online business coach and digital marketing consultant at Webidextrous.com.