Outstandingly Mediocre – Web-based WordPress Security Extremely Lacking
When it comes to keeping my clients' sites secure I am a bit of a perfectionist; that's my Internet Security Mindset. Many times I would rather not install a feature, even when asked to, if the plugin is out of date or presents a potential vulnerability. We take the security of our websites very seriously and do the best we can within the scope of our abilities.
As WordPress security is one of our passions, we understand that this is not just a passing fancy, but that website administrators must have the proper Internet security mindset.
Recently I came across the article "Web security still outstandingly mediocre, experts report", which details several of the factors behind how insecure WordPress sites are:
Cross-site scripting (XSS) vulnerabilities continue to dominate the list of most common vulnerabilities found in real-world tests.
In more than a third (37 per cent) of cases, a website vulnerable to XSS is also vulnerable to a more critical flaw such as SQL injection or improper access control, according to web security testing firm High-Tech Bridge.
Insecure WordPress blogging platform installs also continued to pose problems. More than 72 per cent of WordPress installs assessed by High-Tech Bridge had default admin panel location and at least one brute-force crackable login/password pair, nullifying any efforts their owners might have made to keep patches up to date.
More than two thirds (77 per cent) of mass website infections with malicious code are possible because of the exploitation of a known vulnerability in an open-source content management system (CMS), its plugin or theme publicly disclosed over the previous three months.
WordPress Security Concerns Us All, Not Just Those Who Have A WordPress Site.
As a WordPress programmer and a software developer, there is always the concern in the back of your mind as to whether or not the code you write or the products you develop are secure enough. To make things worse, this concern becomes exponentially greater the instant you make it accessible to the Internet.
For a little bit of understanding, let's take a moment to consider what security options are available on the Internet, from one extreme to the other.
The Most Secure Things On The Internet Are: Not On The Internet.
If you truly want something to remain secure, don't ever connect it to the Internet, because once you have done so it becomes as secure as your money in a Vegas casino while drunk.
Bear in mind I am not just referring to your own site's security. Security risks such as a home invasion often happen when people post on Facebook that they are leaving for a week-long vacation. Even the family pets are no longer secure in their own yards, as many get stolen every day because people post pics online. Let's not forget that in some areas many children rarely walk the streets on their own, for fear of meeting someone they shouldn't have met online.
While these types of security risks may not stem directly from the security of your WordPress site, they are all tied to a person's "Internet Security Mindset".
What Is Your Internet Security Mindset?
People are most likely to protect those things that mean the most to them. Children, pets, and homes are the top three things that most people are willing to “take extreme measures” to keep secure. We do almost anything to protect what we hold dearest.
But are you truly doing all you can?
Many people do not make an accurate assessment as to the true value of their web based assets. Let us consider for a moment my own situation:
I am a software developer and web designer. I have had dozens of sites of my own as well as dozens more for clients over the years. My programming and web career easily dates back to 2003, when I first created my business. During that time period I have owned multiple homes and had many people come into and out of my life.
Even if you don't count my immediate family, friends, cousins, and co-workers during that time frame, you could still find a ton of potential areas for security breaches.
Over the years I have had my personal information out on the Internet. This included my home address, my name, probably my bank name, passwords, and much more. Back when I started online there was little in the way of quality security measures.
One of the main reasons I am now so concerned with my own security attitude is because of the events that happened to me due to my own lack of security:
I had an online retail website of my own. This website was hacked at a point where it was making close to $30,000 per year. The site was corrupted by an intruder. The damage was done and the site was maliciously mangled beyond recognition. Sure, I could have restored the site. I did have a backup, but it was considerably older than it should have been: over 2 years old.
It would have taken years to get the site back up and running to where it should have been. I lost only one site. So in that regard I guess I got lucky even though it sure didn’t feel that way.
What became the most important part of this loss was that I had lost an income stream that was extremely important to my family. This was not just one of several income streams I might have now, but was in fact a primary income that my family depended on every day.
This loss of income was also one of the key forces that led our family down a path from which there was no recovery. Without this additional income, my full-time job at that time was no longer enough to stay ahead of the bills. Several weeks later the company I was working for was sold to an out-of-state investor and moved out of state, leaving me unemployed and desperate for an income.
To make matters even worse, my significant other of seven years decided to leave me high and dry because I was no longer making the income I had been. Not the best timing, but in her words “It was my responsibility to pay for the house”. Then came a time period of my life where I was broke and homeless. I had lost everything.
Even though I had only lost the one site, it was a serious blow because of all the collateral damage that was done. If I had secured the website properly, I would have been able to weather the loss of the job where I was working. It would have been hard, sure, but I would have been able to keep my head above water.
This was a cascade of issues that all hit at once. That “Perfect Storm” if you will.
That was the day I vowed to do my best to prevent it from happening again. I learned my lessons that day. Even though recovering from that took me years, I understand fully now that you must take steps to protect that which you hold dear. Not just your family, but your family’s safety and the things they rely upon such as home and incomes.
My friend Gus once said to me: “Have enough in your rainy day fund that you could weather the flood”.
He was right. Don’t put all your eggs in one basket and don’t make the mistake I made: Protect Your Sites.
What You Don't See Without An Internet Security Mindset.
- How many people out there have personal blogs? Most of us.
- How many of us post personal details on that blog? All of us.
- How many of us realize the dangers in that? ??????
Without taking into account business-related blogs, just consider the last time you posted personal topics on your blog. You post things like pictures of your children, pictures of the new stuff people got for the holidays, or the new 60-inch plasma TV you just bought.
But what if your blog also had your home address on it? After all, you registered the domain name with your own name and address, right? Did you get WHOIS guard (domain privacy) to protect your confidential information?
Criminals are getting smarter. They are doing things like browsing your Facebook history, subscribing to blogs, and delving deep into your personal data to potentially do you harm.
It is a mistake to think that these types of security risks are "being exaggerated" or that "it will never happen to me". Don't be lulled into a false sense of security. That is exactly what those who would cause you harm are hoping for.
How Does Having An Internet Security Mindset Help You?
The process of keeping your website secure starts with having that defender mentality: it needs to be done not just to protect your website, but to protect those around you. So how does knowing that WordPress security is considered to be appallingly inadequate help you control security issues when it comes to securing your websites?
By being aware of what information you are putting out onto the Internet, and when or how that information is being used, you can take steps to mitigate your risks.
A good example of this would be the family vacation. Don't post the pics of your vacation WHILE on vacation; post them when you get home. People want to do things in real time, and when you do that you run certain risks, like a home invasion.
Running a WordPress blog (or any site for that matter), means that you likely have things on the site that could be of potential concern. This could be files you uploaded for work, passwords that you share with your home computer, or personal and business data that you must protect from prying eyes.
The first step on the path to an Internet security mindset is to make sure that your website is secure. Take the time to read through the many posts we have here like these:
Make sure that you are installing and activating the security measures that you can for your website or hosting platform. This includes such simple things as:
- Use stronger passwords.
- Don't re-use the same passwords.
- Use a password generation and storage program (KeePass).
- Contact your web host and ask for a security audit.
- Use secure WordPress hosting services.
- Make sure you back up your site regularly.
- Keep your site files up to date.
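The backup item on that list is the one that bit me: I had a backup, but it was two years old. As an added example (not code from the original post), the shell script below makes a timestamped, checksummed archive of the parts of a WordPress install that cannot be re-downloaded (wp-content and wp-config.php), and then checks the age of the newest backup so a stale one raises an alert instead of going unnoticed. The paths, the 7-day threshold and the sample site layout in the demo are assumptions made for the example; the database dump is left out because it needs live credentials (run mysqldump or wp-cli alongside it).

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumptions: the site's document
# root and a writable backup directory are passed in; tar, sha256sum and stat
# are available (GNU coreutils, with a BSD fallback for stat).
set -u

# make_backup <wp_root> <backup_dir>
# Archives wp-content and wp-config.php into a timestamped tar.gz and writes
# a SHA-256 sidecar file so a corrupted or tampered archive can be detected.
make_backup() {
  local wp_root="$1" backup_dir="$2"
  local stamp archive
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$backup_dir/wp-backup-$stamp.tar.gz"
  mkdir -p "$backup_dir"
  # Only the parts that are not reproducible from a fresh WordPress download.
  tar -czf "$archive" -C "$wp_root" wp-content wp-config.php
  # Sidecar checksum; verify later with: sha256sum -c <archive>.sha256
  (cd "$backup_dir" && sha256sum "$(basename "$archive")" > "$archive.sha256")
  # The archive contains wp-config.php (database password): owner-only access.
  chmod 600 "$archive" "$archive.sha256"
  printf '%s\n' "$archive"
}

# newest_backup_age_days <backup_dir>
# Prints the age in whole days of the most recent wp-backup-*.tar.gz,
# or 99999 when no backup exists at all.
newest_backup_age_days() {
  local backup_dir="$1" newest now mtime
  newest=$(ls -t "$backup_dir"/wp-backup-*.tar.gz 2>/dev/null | head -n 1)
  if [ -z "$newest" ]; then
    printf '99999\n'
    return 0
  fi
  now=$(date +%s)
  mtime=$(stat -c %Y "$newest" 2>/dev/null || stat -f %m "$newest")
  printf '%d\n' $(( (now - mtime) / 86400 ))
}

# check_backup_freshness <backup_dir> <max_days>
# Succeeds (exit 0) when a backup no older than max_days exists, fails otherwise.
check_backup_freshness() {
  local age
  age=$(newest_backup_age_days "$1")
  [ "$age" -le "$2" ]
}

# Demo on a constructed, throwaway site layout (sample data, not a real site).
demo() {
  local site backups
  site=$(mktemp -d); backups=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads"
  echo "<?php define('DB_PASSWORD', 'constructed-sample');" > "$site/wp-config.php"
  echo "sample upload" > "$site/wp-content/uploads/a.txt"
  make_backup "$site" "$backups" >/dev/null
  if check_backup_freshness "$backups" 7; then
    echo "OK: newest backup is within 7 days"
  else
    echo "ALERT: newest backup is older than 7 days (or missing)"
  fi
  rm -rf "$site" "$backups"
}

demo
```

Run `make_backup` from cron (daily or after each content change) and `check_backup_freshness` from a monitoring job; a backup that exists but is never checked for age is how you end up restoring something two years out of date.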
If you go back and look at running a business site, a single breach could cost you a fortune. This could be millions of dollars, depending on the information gathered. Just ask Yahoo how they are handling their massive breach from a couple of years ago. You have already seen what losing one site cost me.
While some hackers will only hack a website to cause minor damage, such as defacing a page, criminals will use your own information against you. Any number of things can be gained from your standard blog installation, such as your commonly used passwords, access to your users database, or financial information. All of which can have a value to a criminal that the average user doesn’t realize.
What Can You Do To Develop An Internet Security Mindset?
It doesn't have to be extremely hard to become more security conscious about your Internet activity and protecting your web-based assets.
In order to combat these kinds of issues you must be conscious of what can be done by those intent on harming you.
- Consider that a car dealership can sell a car completely online, all they need is valid information. But what if that guy who hacked your website got your personal data and bought that car?
- If more people had an Internet security mindset, companies that compromise on their own security practices wouldn't have as large a customer base.
- Sites like Facebook would be totally different because people would not be sharing personal, private, or confidential information.
- Laptops wouldn't get stolen with unencrypted Social Security information on them.
- The power grid would be more secure.
- Identity theft would go way down.
- Medical records would be more private.
- We would all learn a lot fewer security lessons the hard way.
Having a healthy dose of “waking up” allows you to understand that just because you don’t see these things in the news or that they have never happened to you does not mean they won’t happen.
Millions of people lose their financial information every year. Cyber crime is at an all-time high and it has nowhere to go but up as technology changes every day.
While I am not advocating locking yourself in a house and never coming out to the real world, the truth is that criminals will potentially be looking to do you harm some day in the future. Taking precautions with your websites and other web-accessible assets means that you can help to decrease those potential risks. Take the time to develop your own Internet security mindset and make sure that you are doing the best you can to protect that which your family depends on.