When your career is entirely online, assessing security threats is an ongoing part of life. For WordPress users, there are ways to significantly mitigate security risks, however, the reality is that users still must understand the threat space and stay vigilant to keep their sites secure. As the digital landscape continues to evolve, WordPress security must evolve as well.
We talked to three security experts about the state of WordPress security, and where things are going.
How are Attacks Reaching WordPress?
WordPress has become so much more than blogging software. It’s grown into a full-featured platform used to power incredible digital experiences. With each new feature, however, brings with it possible exploitation. So how exactly are hackers gaining access to sites?
According to Security Lead for iThemes, Chris Jean, “For the most part, the types of vulnerabilities and the methods used to exploit them have been stable for years now. The big changes come from the continual stream of new targets to exploit from bugs in new software or software updates.”
Should REST API Users be Concerned?
“The biggest recent change with regards to WordPress is the expansion of the REST API in WordPress 4.7,” Jean said. “We’ve already seen the API become a target due to vulnerabilities in the implementation of the WordPress core endpoints (kudos to the core team on their quick action to get the issue patched); however, I think that the API will continue to be a source of new exploits in the futures as well.”
Even more, President of SiteLock Neill Feather also touched on concerns that could potential arise through the REST API — noting that hackers may turn their attention to the frameworks that support WordPress.
“The rise of IoT attacks is something to pay attention to, especially as the WordPress REST API matures and developers start to use WordPress as an application framework for such devices,” Feather said. “More people are realizing the benefits of Web Application Firewalls and take the threat of vulnerability more seriously as more are educated.”
Historically, plugins and themes were a large culprit for security breaches. It appears that trend is going to continue.
“Most plugins and themes available have only been lightly vetted for security flaws. It remains the responsibility of whomever will be pushing the code to production to first test the code. This means performing static analysis prior to deployment to find vulnerabilities and mitigate the associated risk,” Feather said.
eCommerce Attacks and the Rise of Malvertising
Sucuri’s Tony Perez has been seeing an increase in “bad actors” evolving their tactics to target different parts of the website, most notably, advertisements.
“We’ll continue to see indirect attacks — attacks that don’t focus on penetrating your defense, but instead leverage services or systems you might depend on it,” he said. “A good example of this is malvertising, where attackers targets ad networks, embed their payloads inside the ad, and bypass your defense controls.”
In addition to malvertising, We’ve seen a recent rise in eCommerce attacks in 2016. These attacks not only affect your site but could lose you business if customers don’t trust your site.
“We saw attacks where they would try to interrupt the customer experience during the purchasing process by intercepting the request and instead of pushing the user to the desired payment page, the attacker would redirect to a payment page that emulated the original websites, but was built to capture and steal the customer data,” Perez said.
Change Your Thinking About Security
So how do we begin to mitigate security concerns? The first step is to understand the threat space. According to Jean, “Many WordPress users have a tendency to personify security threats. We may imagine some person sitting in a dark basement looking for targets and trying to find ways to break in.”
This can cause users to go about security in the wrong way.
“Personifying attackers and viewing the responsibility of a site admin as an ever watchful guard identifying and shutting down attackers before they can launch their attack is of little help,” he said. “The reality is that, unless you are the admin of a website for a large public company, a government organization, or a keeper of valuable trade secrets, the biggest threat to your site is from robots, not humans.”
Jean explained that instead of thinking of the people behind these attacks, “think of these attackers as mindless viruses rather than intelligent humans.” The attacks are built to target a very specific piece of your site and not worry about anything else.
“These attacks have no pattern to identify and are over in less than a second, far faster than any human could react,” he said. “Most of these vulnerabilities that attackers use are ones that are known about publicly and are already fixed in newer versions of the software.”
The people behind these attacks also need fewer skills and less money to implement than ever before.
“DDoS attacks continue to become more available to less-experienced adversaries, to the point where anyone with access to an email account can employ a ‘DDoS-for-hire’ for under $50, and endpoint firewall solutions typically aren’t as well-suited as cloud-based firewall solutions to defend against DDoS attacks,” Feather said.
The bigger the CMS gets, the more appealing it is to attackers around the globe.
“In the security domain there is this ‘own one, own them all’ mindset and I can assure you that with the market ownership over 27 percent of the web, the motivation is high enough that there are bad actors looking for a way to use that for their own agenda.” Perez said.
Admittedly, all of this news sounds pretty bleak. However, the important thing to remember is that there are risks involved in using all software — but by proactively taking steps to keep your site safe, you can mitigate a lot of the risk. What are some of the steps we can take to keep our sites safe? Well, most notably, we can keep our software up to date by automatically enabling auto-updates on WordPress sites. All three experts agree the way forward is to automate updates.
“This means a continued focus on development of WordPress and security plugin features that protect sites without requiring active intervention by a user. In addition, such protections should be offered without requiring the user to know specific details about the specific types of threats and how to best protect against them,” Jean said. “Thus I think we’re going to see simplification and automation of security features being a big focus for everyone in 2017.”
Perez agreed, pointing to the “secure by default” model.
“We saw it with the big push with auto-updates, overall improvements with the password creation process, and even the continued push for SSL by default,” he said. “You’re also seeing faster responses by the platform when issues are released, and from the hosts themselves to patch issues as well. All these things are changing the entire WordPress security landscape, making it much better for the website owners themselves.”
It’s important to not only make sure you have automated updates turned on but to check all your plugins and themes for updates as well.
“The trends we’re seeing with the most popular security plugins indicate that the community is finding monthly, or even weekly updates to end-user malware databases have not been frequent enough and are slowly transitioning to daily updates,” Feather said.
At the end of the day, no matter how fast hacks evolve, the best way to combat them is still through regular updates. As long as we have a strong community behind us, who is able to monitor for vulnerabilities, we will be able to stop these attacks once they happen.