When used properly, WordPress is an extremely secure web content management system. In this video, Pragmatic’s founder, David Lockie, looks at five ways that your WordPress-powered website can become a cybersecurity risk for your business.
Most of these principles apply to any website software, but we’re WordPress specialists so we’re going to focus on WordPress specifically. We should emphasise, again, that used properly, WordPress is very secure. This video explores some of the ways that if your website does get hacked, the cybersecurity implications could be far worse for your organisation than just common attacks like the pharma hack1.
If you found this video interesting, or are worried about the cybersecurity risks from your website, please do take our WordPress Cybersecurity Healthcheck questionnaire and we’ll get in touch quickly.
Thanks for watching! Next time, I’ll try to actually smile a bit more – bear with me, I’m new to this video thing.
Here’s the full transcript
Hi, I’m David Lockie. I run Pragmatic; we’re a specialist WordPress agency based in the UK and we provide consultancy, development and support services to organisations across horizontal, vertical and international markets.
You might not think that your company’s website is also a cyber security risk for your business – but it is. Today, I’m going to talk to you about five ways that your company can be a risk for you.
So, the first risk is that your website represents a classic ‘watering hole’. If an attacker wants to gain access to your business systems, then targeting your website is an excellent way to ensure that your own team are going to visit that website and are less likely to be picked up in any kind of malicious activity on your site.
If you’re running a content management system and the attacker can gain access to the admin area then they can be even more targeted with their attack because they know that it’s going to be one of your authenticated team members accessing that area of the site – so it allows them to be really specific. It’s also a valid concern that your clients could be targeted using the same watering hole tactic.
So, whether it’s your business or your client’s businesses that are the target of the attacker, then allowing the attacker to replace legitimate links on your website with malicious links could lead your clients to download software that has malware included and that could give the attacker a vector either into your clients business systems – or, if you’ve got a particularly close working relationship, perhaps even through your clients’ own security holes, back into your business systems. Either way, it’s really important to be able to be aware that your website is the perfect watering hole for an attacker.
The second risk is of credentials; by compromising your website, an attacker can replace a legitimate forgotten password/password recovery tool with their own; so that when your team is prompted to recover their own password, they’re inputting their own username and password for the website into a system that the attacker controls. Often, your team will be using the same credentials for your website and for other business systems – so it’s a really sophisticated way that an attacker can easily access credentials which might not seem important otherwise.
The third risk is one of social engineering; websites by their nature are publically accessible and a savvy attacker will be able to determine not only the software that your website is running on and the problems that your team might typically encounter running it – but also potentially even the name of the company that built the website for you. So, by contacting your team – purporting to be from that business and asking for some help to diagnose a problem with your website – your team can inadvertently be lured into installing malware on your business system that then gives an attacker access.
The fourth risk is a risk of business infrastructure; your website needs to be hosted on a web server somewhere. Sometimes businesses use their own hosting infrastructure. If an attacker compromises your website, sometimes they can escalate that compromise out to the web server as a whole. If you’re running other business systems on that web server such as email or customer relationship management software; then the attacker can then gain control of those systems as well. Alternatively, the attacker could use your web hosting infrastructure as part of a botnet for general malicious or criminal activity.
That leads on to our fifth risk, which is one of business reputation and money. Your business has a website so that it can help support marketing and communication efforts – it can make your business money. If an attacker can compromise your website and use it for hacking, spamming, malware distribution or other malicious activities it can lead to your legitimate business IP address or domain name being added to blacklists that can seriously hamper your ability to communicate with your clients and the general public and that can lead to a direct and indirect loss of earnings and revenue.
So that’s a quick look at five different ways that your company website can be a cyber security risk for your business. There are some simple recommendations that we can give you to help avoid these risks:
The first is: to use good WordPress security practice. There are tonnes of resources out there, everything from strong passwords and two factor identification to keeping your WordPress site updated and running the latest software.
The second is to choose a reputable WordPress agency as your partner so that they can help you plan and build and host your site in a secure way; covering things such as back-ups, maintenance, security scanning and training and support for your staff.
which injects spammy links into your site↩