ABOUT THE PRESENTATION
Often people ask why hackers are targeting their seemingly unexciting small business websites. And yet, these smaller websites are often receiving the brunt of malicious attacks.
Hackers understand economies of scale. As such, smaller WordPress sites are always under attack by bots looking for signs of vulnerability. Fortunately, there are a number of easy ways to protect your site by making good security decisions.
We’ll go through some of the most common methods hackers use to get into WordPress sites through some entertaining (and sometimes scary) stories.
You’ll learn key security principles to help you make good decisions to prevent intrusions, detect them, and recover from a security event if you are ever compromised.
ABOUT THE PRESENTER
Kathy Zant is an internationally recognized speaker on security, marketing, and data-driven website development. She’s spoken at countless events worldwide, both online and on stage, and she’s been an organizer for both WordCamp Phoenix (twice) and WordCamp US. A frequent guest on numerous podcasts about WordPress and emerging technologies, she is also co-host of The Kadence Beat, Do the Woo, and WPMotivate, and is a frequent co-host on This Week in WordPress. An Executive Producer of Open, the open-sourced documentary about the WordPress community, she is passionate about your stories and believes everyone’s voice deserves to be heard.
WordPress has become one of the most popular content management systems (CMS) in the world, powering millions of websites. However, with its popularity comes the attention of hackers who are constantly seeking vulnerabilities to exploit. In a recent presentation on WordPress security, Kathy Zant shed light on the risks faced by small businesses and the proactive measures that can be taken to protect against cyber threats.
The Vulnerability of Small Businesses
Hackers often target small businesses because they perceive them to have lower security measures compared to larger companies. Automated scripts are used to scan for vulnerabilities across numerous sites, making it easier for hackers to identify potential targets. One common method employed by hackers is to exploit software vulnerabilities, such as the recent vulnerability found in the Bricks page builder. These vulnerabilities provide hackers with an easy way to compromise multiple sites quickly.
The Consequences of Inadequate Security
The consequences of a security breach can be devastating for small businesses. Data breaches not only result in financial losses but can also lead to fines for non-compliance with Payment Card Industry (PCI) regulations. Additionally, a breach can severely damage a company’s reputation, potentially leading to a loss of customers and revenue. In fact, statistics show that 60% of small businesses fail within six months of experiencing a breach. It is clear that investing in robust security measures is essential for the long-term success and survival of small businesses.
Proactive Security Measures Against Hackers
Implementing proactive security measures is crucial for safeguarding your WordPress site. Regular security audits, backups, updates, and incident response planning are essential components of a comprehensive security strategy. By staying ahead of potential vulnerabilities, small businesses can reduce the likelihood of a breach and its associated consequences. Moreover, proactive security measures have been shown to have a positive impact on business outcomes, such as increased sales and profits.
The Power of Strong Authentication
One key aspect of WordPress security is ensuring the strength of user authentication. Using unique and complex passwords for all user accounts is critical. Moreover, two-factor authentication adds an additional layer of security by requiring a second form of verification, such as a code sent to a mobile device. Emerging authentication methods, such as passkeys, show promise in providing even stronger security measures.
Principle of Least Privilege
Adhering to the principle of least privilege is another important security practice. This principle involves giving users only the necessary access levels, minimizing the potential damage that can be caused in the event of a breach. By limiting access rights to only what is essential, small businesses can effectively mitigate the risks associated with unauthorized access.
The Importance of Regular Updates
Keeping all software updated is a fundamental requirement for maintaining a secure WordPress site. This includes regularly updating plugins, themes, core files, and even web browsers. Outdated software can contain known vulnerabilities that hackers can exploit. Removing unused plugins and themes further reduces the attack surface, minimizing the risk of a breach.
The Critical Role of Backups
Backing up your WordPress site is an essential part of any security strategy. However, it is crucial not only to perform regular backups but also to test the restoration process. Storing backups securely off-server is recommended: assume that any on-server backups are compromised during a hack, so that data can still be recovered even in the event of a breach.
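A restore drill for the backups described above, as an added example that is not part of the original page or of any product it mentions. It builds a small constructed backup archive and a SHA-256 manifest (standing in for a copy kept off-server), then restores it into a scratch directory and checks every file before reporting success; the file names and the manifest format are assumptions.

```python
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

REQUIRED = ("wp-config.php", "database.sql")  # a restore without these is no restore


def make_constructed_backup(dest: Path) -> Path:
    """Write a small constructed backup (tar.gz) and a SHA-256 manifest beside it."""
    files = {  # constructed stand-ins for real site files
        "wp-config.php": b"<?php define('DB_NAME', 'example_db');  // constructed\n",
        "database.sql": b"CREATE TABLE wp_options (option_id INT);  -- constructed\n",
        "wp-content/uploads/logo.png": b"constructed image bytes",
    }
    archive = dest / "site-backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    (dest / "site-backup.manifest.json").write_text(json.dumps(manifest))
    return archive


def verify_restore(archive: Path, manifest_path: Path) -> dict:
    """Restore into a scratch directory and compare each file with the manifest."""
    expected = json.loads(manifest_path.read_text())
    report = {"ok": False, "missing": [], "corrupt": [], "unexpected": []}
    try:
        with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive) as tar:
            names = [m.name for m in tar.getmembers() if m.isfile()]
            # Never let a backup write outside the scratch directory.
            if any(n.startswith("/") or ".." in Path(n).parts for n in names):
                report["unexpected"].append("path traversal entry")
                return report
            # Use the safer extraction filter where this Python version has it.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extra)
            for name, digest in expected.items():
                path = Path(scratch) / name
                if not path.is_file():
                    report["missing"].append(name)
                elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
                    report["corrupt"].append(name)
            report["unexpected"] = [n for n in names if n not in expected]
    except (tarfile.TarError, OSError, EOFError) as exc:
        report["corrupt"].append(f"archive unreadable: {exc}")
        return report
    report["missing"] += [r for r in REQUIRED if r not in expected]
    report["ok"] = not (report["missing"] or report["corrupt"] or report["unexpected"])
    return report
```

Run the drill on a schedule against the real off-server copy; a backup that has never been restored is an untested assumption.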
Leveraging Security Plugins and Services
Utilizing WordPress security plugins can provide an extra layer of protection for your site. Plugins like Solid Security offer features such as file monitoring and passkeys, enhancing the overall security posture of your WordPress installation. Additionally, services like Cloudflare can provide both security and performance benefits, further safeguarding your site against malicious activities.
Device Security and Site Isolation
It is important to recognize that compromised devices can pose a significant threat to your WordPress site. Cookie and session theft can occur if a user’s device is compromised, making it crucial to keep computers and other devices patched and updated. Whenever possible, sites and functionality should be isolated to minimize the potential impact of a security breach.
The Ongoing Importance of Security Audits
Security audits should not be seen as a one-time event but rather as an ongoing process. Conducting regular audits, approximately every three months, helps to identify and address new vulnerabilities that may have emerged since the last audit. Staying vigilant and continuously educating yourself on the latest security best practices is essential for maintaining the security of your WordPress site. Resources such as newsletters and YouTube channels dedicated to WordPress security can provide valuable insights and guidance.
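A quarterly audit checker in the spirit of the checklist above (it also covers the least-privilege and update points from earlier sections), as an added example that is not part of the original page or of any product it mentions. It walks constructed samples modelled on the JSON that WP-CLI's `wp plugin list`, `wp theme list` and `wp user list` emit, plus a constructed web-root listing, and flags outdated or unused plugins and themes, more administrators than the site needs, exposed backup copies or database dumps, and a forgotten second install; the thresholds and file patterns are assumptions.

```python
import json
import re
from pathlib import PurePosixPath

# Constructed samples modelled on `wp plugin list --format=json`,
# `wp theme list --format=json` and `wp user list --format=json` output.
PLUGINS = json.loads("""[
 {"name": "forms-addon", "status": "active", "update": "available", "version": "1.0", "update_version": "1.1"},
 {"name": "old-gallery", "status": "inactive", "update": "none", "version": "2.3", "update_version": ""},
 {"name": "security-plugin", "status": "active", "update": "none", "version": "9.0", "update_version": ""}
]""")
THEMES = json.loads("""[
 {"name": "agency-theme", "status": "active", "update": "available", "version": "2.0", "update_version": "2.1"},
 {"name": "unused-theme", "status": "inactive", "update": "none", "version": "1.4", "update_version": ""}
]""")
USERS = json.loads("""[
 {"ID": 1, "user_login": "owner", "user_registered": "2019-01-01", "roles": "administrator"},
 {"ID": 7, "user_login": "freelancer2021", "user_registered": "2021-03-03", "roles": "administrator"},
 {"ID": 9, "user_login": "writer", "user_registered": "2023-10-10", "roles": "contributor"}
]""")
# Constructed listing of files under the public web root (relative paths).
WEBROOT = ["index.php", "wp-config.php", "wp-config.php.bak",
           "backups/site-2023.sql", "staging/wp-login.php"]

# Backup or dump artifacts that must never sit where the web server can serve them.
EXPOSED = re.compile(r"\.(bak|old|orig|sql|zip|tar\.gz|tgz)$|(^|/)wp-config\.php\.", re.I)


def audit(plugins, themes, users, webroot, max_admins=1):
    """Return a list of findings; an empty list means the quarterly check passed."""
    findings = []
    for kind, items in (("plugin", plugins), ("theme", themes)):
        for it in items:
            if it["update"] == "available":
                findings.append(f"update {kind} {it['name']} {it['version']} -> {it['update_version']}")
            if it["status"] == "inactive":
                findings.append(f"remove unused {kind} {it['name']}")
    # Least privilege: every extra administrator is another account worth stealing.
    admins = [u["user_login"] for u in users if "administrator" in u["roles"].split(",")]
    if len(admins) > max_admins:
        findings.append(f"{len(admins)} administrators ({', '.join(admins)}): demote any that do not need it")
    for path in webroot:
        parts = PurePosixPath(path).parts
        if EXPOSED.search(path):
            findings.append(f"exposed backup artifact in web root: {path}")
        # A second wp-login.php below the root is usually a forgotten staging copy.
        if parts[-1] == "wp-login.php" and len(parts) > 1:
            findings.append(f"forgotten WordPress copy at {parts[0]}/: keep it patched or delete it")
    return findings


if __name__ == "__main__":
    for line in audit(PLUGINS, THEMES, USERS, WEBROOT):
        print("-", line)
```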
In today’s digital landscape, the security of your WordPress site is of utmost importance. Small businesses, in particular, are targets for hackers due to perceived vulnerabilities. By implementing proactive security measures, such as regular audits, backups, and updates, small businesses can mitigate the risks associated with cyber threats. Strong authentication practices, adherence to the principle of least privilege, and the use of security plugins and services further enhance the security posture of your WordPress site. Remember, investing in security now can save your small business from the devastating consequences of a breach in the future. Stay informed, stay protected, and ensure the long-term success of your online presence.
- Website: https://www.zant.com/
- Slides and Checklist: https://www.zant.com/fl-meetup
- Newsletter: https://kathyzant.com/
- Documentary: https://open.film/
- YouTube: https://www.youtube.com/@KathyZant
Welcome, everyone, to the third Thursday meetup of the West Orlando WordPress meetup group. I’m Rob Watson, a co-organizer and host. West Orlando WordPress is an official WordPress meetup group affiliated with the WordPress Orlando and WordCamp US meetup groups. Often people ask why hackers are targeting their seemingly unexciting small business websites, and yet these smaller websites are often receiving the brunt of malicious attacks. Hackers understand economies of scale. As such, smaller WordPress sites are always under attack by bots looking for signs of vulnerability. Fortunately, there are a number of easy ways to protect your site by making good security decisions. We’ll go through some of the most common methods hackers use to get into WordPress websites through some entertaining and sometimes scary stories. You’ll learn key security principles to help you make good decisions to prevent intrusions, detect them, and recover from a security event if you are ever compromised. Kathy Zant is an internationally recognized speaker on security, marketing, and data-driven website development. She’s spoken at countless events worldwide, both online and on stage, and she’s been an organizer for both WordCamp Phoenix (twice) and WordCamp US. A frequent guest on numerous podcasts about WordPress and emerging technologies, she is also co-host of the World Wide Web. She is a frequent co-host on This Week in WordPress and an executive producer of Open, the open-source documentary about the WordPress community. She is passionate about your stories and believes everyone’s voice deserves to be heard. At this point, I’d like to invite everyone to mute their microphones for the presentation. Kathy, thank you for being our presenter this evening. The time is now yours.
Awesome. Wow. Thank you for that. That was a wonderful introduction. I am so excited to be here. And if you guys ever wanted to, like, say, I am so lucky, you are joining a security talk on a very exciting day in WordPress security. There has been so much happening today, and we’re going to use some of the news of what has been happening over this week as an example of what happens with WordPress security, because this has been kind of one of those banner weeks. It happens every once in a while. A major vulnerability is discovered, and hackers get busy exploiting it. So a couple of days ago, a vulnerability in Bricks, the Bricks builder, was found. The security researcher, Calvin Alkin, reached out to the developers and let them know what he had found. They patched everything. But because of the nature of the vulnerability, hackers look for these things. They look for the ripest fruit. They look for the easiest exploits. And when they find something that’s super easy to exploit, they get very busy. This was a very easy to exploit vulnerability. It is unauthenticated, meaning you don’t have to log in. You don’t have to have a subscriber account or any kind of other account to exploit this. Anybody can exploit it. And it’s a remote code execution vulnerability. So you can put a script on any server anywhere in the world. A hacked server, perhaps. Perhaps you’ve been hacked previously. And make a call to a vulnerable website. And it goes and gets that hacked script. And boom, that site is hacked. It’s super easy to do. And as soon as that patch was applied, hackers got busy. So we’re seeing attacks happening right now. The Bricks group on Facebook is extremely busy with people trying to figure out what the heck’s going on and how did this happen so fast. Today, another page builder has a similar vulnerability. This one can only be exploited if you have a contributor or higher account.
So it’s not going to be exploited as widely, but it’s a very similar type of vulnerability. So lots happening right now in the WordPress security space. And today, let’s talk about this. Let’s figure out what’s going on. Why are hackers targeting small business websites? And what can we do about it? You know, a lot of people that I’ve talked to about WordPress security, they’re like, it’s just my cat blog. It’s just my blog. It’s just my small business. I’m insignificant. Why are they targeting me? And we’re seeing that today. There’s lots of people in the Bricks group who are like, why? Why is this happening to me? How do they know that I’m running Bricks? How do they know that I have a vulnerable plugin or theme on my site? Why? And I don’t know. My best answer is it’s spray and pray. They have a script. It’s not Darth Vader who’s doing this, but it’s Darth Vader who’s written a script and has all of his little script command and control center types of things that are going off and just spraying and praying. And they’re just hitting every website, whether it’s WordPress or not. And if the vulnerability is there, it basically hacks the site, puts something on it, and then phones home and says, got one. So they are. They’re looking wherever they can. They know these vulnerabilities are out there. And a lot of hackers are getting lucky today. And it’s really unfortunate. Just some information about me. I’m a former developer. I used to be a project manager and then had a hard time getting developers to do what I wanted them to do. So I taught myself how to code. My first security incident happened in 1999. I inherited a server from a coworker and it got hacked.
So planning is really important. I advise people to plan that you’re going to get hacked. If these people who are going through hacks right now had planned for a hack, they would have backups every few hours, maybe, if they have active transactions happening on their site. An incident response plan, planning for a hack. What’s going to happen when we get hacked? Have we tested our backups, making sure that they work? That you can actually do that. That you can actually do a restore, that they’re not corrupted, that they’re being stored in a good place off server. Doing a security audit, going over everything. If you plan for a security event, you’re going to be way more prepared than if you’re not. So you want to uncover and patch things and find problems. I have worked with people. I do security auditing for people. And sometimes people who are well-known people in the WordPress space come to me and say, hey, can you audit this? And I’ll go in and I’ll think, I’m never going to find anything. This person knows WordPress. And boom, there’s a backup freely available with the database password in a wp-config available that a hacker could have easily found. I find a lot of times plugins with vulnerabilities that haven’t been updated on sites. People who I expected to know better. Auditing helps. Having a process in place. If you have a small business, every three months, audit your site. Just take a quick look. And I have got an audit checklist that I can give you at the end of this that you can go through every three months and just double check everything, that maybe the last time you did maintenance, you forgot something somewhere or did a staging server and oops, we forgot that that staging server is there and it’s now running vulnerable versions of things that can infect an entire site.
Those types of things you can uncover when you’re auditing things. Because your website, there’s a lot of pieces to it. It’s not just WP admin. It’s not just your password. There’s XML-RPC. That’s a way in. There’s your phpMyAdmin. Want to double check and make sure that that’s well secured. Your hosting panel, SSH, FTP, as well as making sure that HTTP has the S at the end of that. We want to make sure that that is secure as well. There’s so many different ways and so many different layers to how a web application works. This is called the OSI model. And it basically, it’s everything that goes into your website. Now, you might never think about the physical layer, the actual server in the data center at, you know, whatever hosting provider. But if a hacker was able to get into, maybe they were able to socially engineer somebody at the hosting company. Or be able to shoulder surf their way into getting a password, those types of things, and get onto the physical premises, that is a vulnerability as well. People don’t think about all of this other stuff, but there’s a lot to consider. So, let’s talk first, though, about passwords and authentication.
Thank you so much, Kathy. I have, I’ve got to go back and review this recording and make a whole bunch more notes than I was able to make. This is really comprehensive. And it’s got me thinking a lot more about what I need to be doing as well.
Thank you. Yeah, I’m very happy to share my years in the trenches cleaning hacked sites. I finally did the math last year; a friend of mine asked how many sites I had cleaned. And I’m like, well, let’s do the math. I don’t know. There were over 3,000 sites that I had cleaned over the course of a year and a half. And I didn’t consider myself a security expert. But I knew enough about security to be dangerous. And I knew enough about WordPress to know that when the hacker had moved the giant purple sofa into the living room, I knew what didn’t belong there, right. So it made the learning much easier, and I had some really good teachers as well. So I’m happy to share the knowledge as much as possible with everyone else. Awesome.
Latest posts by Rob Watson
- Kathy Zant – Why Hackers Target Small Business Websites - February 16, 2024