Like most of us, I consider myself pretty good at doing WordPress.
I don’t develop themes or plugins, and I don’t know a lick of PHP — but I am a wizard in the WordPress dashboard!
Don’t we all love setting up a brand new install? It never loses its magic: searching for the perfect theme, tweaking all the settings, and perfecting the permalinks. However, in all my years of working within the environment, nothing felt more pressing than the need to learn all about WordPress security. So when I recently joined Sucuri to help them with their content, I knew that I was guaranteed to receive a proper education.
I got way more than I bargained for! My first six weeks were spent learning how to clean infected websites and performing malware removal for clients. During this time, I did no marketing. No analytics. Nothing. The whole point was for me to learn about website security, our products, and our customers.
Software vulnerability
In the first few days, I was reminded that the word “updates” is awfully soft. A lot of people see updates as an optional feature enhancement and nothing more.
It would be nice if the terminology were closer to “software vulnerability fix!” or “breaking news!” to prompt more immediate action. Coming from a background in computer security, I have been horrified to find decrepit versions of Internet Explorer, Java, and Flash on user machines.
I quickly learned that outdated website software poses a greater threat to others and is easier to exploit due to the public nature of a website. Attackers can ping and query until they find a vulnerable website, and the resulting infection will usually harm visitors or be used to infect other websites.
Whether it is your core files, plugins, themes, or even server software (like Apache or cPanel), it can be challenging to stay up-to-date. If any one of these pieces of software has a vulnerability that gets patched and an update is released, it’s only a matter of time before malware authors start exploiting that vulnerability.
Even if the changelog doesn’t indicate a security issue, it’s not hard for attackers to compare the versions and find the security hole. The question is then, who will take advantage of the update first? From what I’ve seen, there are plenty of bad actors out there trying to beat you to it.
Access control
While learning the Art of Malware Removal from the Jedi Masters, I got to see the other side of website security: controlling access to administrative functions.
In order to clean a website, we generally use SFTP, FTP, or SSH credentials. In some cases, we need to log into cPanel or the WordPress dashboard. I cringe, CRINGE, when I think about some of the passwords I’ve seen.
There is a lot more to access control than simple passwords. For example, two-factor authentication (2FA) is all the rage these days. This adds your mobile phone into the mix, and you are prompted to enter a code from an app like Google Authenticator.
I should mention that you can do a lot with .htaccess files to harden WordPress and prevent the execution of malicious files. I know the WordPress Codex has a whole guide, but my main experience with hardening involves running a Sucuri program that automatically does it for me. When it comes to hardcore access control, it doesn’t get much cooler than throwing up a big ole’ error page for anyone who dares to enter your wp-admin!
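To make the .htaccess hardening above concrete, here is an added example of the three rules that come up most often: blocking PHP execution in the uploads folder, allowlisting the dashboard and login page, and refusing to serve wp-config.php. This is illustrative configuration written for this post, not Sucuri's hardening tool or the Codex guide. It assumes Apache 2.4 with mod_authz_core loaded and AllowOverride permitting these directives; the IP address 203.0.113.10 is a placeholder from a reserved documentation range and must be replaced with your own static address.

```apache
# --- /wp-content/uploads/.htaccess ---
# Uploads should hold media only. Any PHP file that lands here (for
# example, a web shell dropped through a vulnerable plugin) is refused
# by the web server instead of being executed.
<FilesMatch "\.(php|phtml|php[0-9]+)$">
    Require all denied
</FilesMatch>

# --- /wp-admin/.htaccess ---
# Everyone outside the allowlist gets a 403 for the whole dashboard.
# 203.0.113.10 is a placeholder; use your own static IP address.
Require ip 203.0.113.10

# admin-ajax.php is called by themes and plugins on the public site, so it
# stays reachable. <Files> sections are merged after the directory-level
# rule above, so this override wins for that one file.
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- /.htaccess (site root) ---
# The login page gets the same allowlist as the dashboard.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# wp-config.php holds database credentials and salts; never serve it,
# even if PHP handling is misconfigured.
<Files "wp-config.php">
    Require all denied
</Files>
```

The uploads rule is the one that stops the most common post-infection behaviour, since attackers rely on being able to run what they upload. If you are still on Apache 2.2, the `Require` lines become the older `Order Deny,Allow` / `Deny from all` / `Allow from 203.0.113.10` syntax. Test the allowlist from a second network before logging out, because a typo in the IP locks you out of your own dashboard.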
Response
Advice is great and all, but for one second let’s think about the emotional experience of being hacked. I have chatted with hundreds of website owners, but I still can’t quite describe it. The initial panic causes anger, confusion, and helplessness. Having your online project violated is like getting kicked in the stomach.
This is the reason why managed hosting companies like WP Engine are so valuable, because they handle it all for you. Though it’s almost never the case, many people feel personally targeted, especially small business owners who never thought they would get hacked.
Prevention is but one-third of the battle. You need to supplement your preventive measures with a good detection system and response strategy.
This is why I love my job. It’s great working with people who are so obviously passionate about solving these problems, and I get to ask them questions every day.
Security inside Sucuri
It’s a funny thing, getting to know a brand from the inside.
Observing a new team can tell you a lot: Do staff communicate effectively? Is information being shared to benefit the company?
First of all, working for a fully distributed team is not without its challenges, but today’s technology allows us to bridge that gap. Similar to Automattic, our team is spread around the world with no central office, and that in itself has been an experience.
I had never worked in a fully distributed team. We leverage tools like Skype and Hipchat for day-to-day communication, Jira for task management, and some P2-WordPress action internally for some of the secret squirrel stuff.
Security is of the utmost importance to us, and while it can be overwhelming and exhausting at times, seeing what is happening on a daily basis makes it all worthwhile.
For instance, everything we do is monitored by our systems team, no one can access our environments without jumping through hoops, and all of our browsers must have JavaScript and Auto-Play disabled. I even had to nuke my Windows 8 machine (good riddance!) to install Linux. But that’s what I love about this place: they don’t just get up and talk about security, they actually employ and enforce the rules eternally.
Ongoing education
As for what I do specifically and how it fits into this world: I’m responsible for translating the nitty gritty of what the team is doing and making it valuable to our blog audience.
This is not always an easy task. We work, I feel, with some of the brightest minds in the security domain. What they’re doing is fascinating: how they find the vulnerabilities we disclose, the technical details they collaborate on, or the pieces of malicious code that they discuss.
Not gonna lie, sometimes I have no idea what they are talking about. Yet the team is patient with me, they walk me through their thoughts, and what everyone gets to see is the final product on our blog and website.
It’s been an awesome whirlwind of learning over the past few months, and I have so much more to learn. One of my coworkers told me on HipChat that information security is “a mile wide, and a mile deep,” and I’m excited to dive into it. For now, if you have any questions about this, I’m always happy to chat.
Alycia is a writer, technology enthusiast, and Content Coordinator at Sucuri. You can find her online, getting excited about cyber security, internet marketing, and open-source projects. Follow her on Twitter at @artdecotech.