March 7, 2019 by Agnes Talalaev
In this article we won’t dive into technical details, but try to address a common misconception instead. We will explain what website security is in general and how it should be approached when dealing with WordPress.
As per calculations, approximately 380 new websites are created every minute. However, the actual number of new websites being created every day is probably a little more than 500 000. In a perfect world, security would be kept in mind from the beginning of the development process, but unfortunately this is not always the case.
Unfortunately, people usually first get acquainted with website security when their website is under attack and ends up defaced, stuffed with SEO spam, blacklisted or spreading malware.
There are hundreds of WordPress security providers out there who all claim their plugin to be “the best”, “most complete” and the “only thing you need”. We understand the marketing efforts, but this kind of message raises concerns.
WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily. Every public website is a resource available on the internet and therefore it’s a target.
Whether it’s your customers’ data such as emails, shipping details and credentials or just the server resources (processing power and storage), it’s all something that hackers can monetize or use for their own good.
It’s important to understand that as soon as your website is available to the public, it immediately becomes a target. Your website will be scanned daily for vulnerabilities, outdated software and configuration errors, and it will most definitely be actively brute-forced.
Even if you don’t keep any visitor data such as emails, your website is still perfect for conducting a watering hole attack, or simply for hosting malware and redirecting traffic to malicious sources.
WordPress security cannot be plug-and-play. Never trust services that promise 100% security and that sell you peace of mind with messages such as “focus on your business, don’t worry about security”. Security is a process and should be treated as continuous risk management.
Paying a company so that you don’t have to worry or think about security creates opposite results in the long term.
When it comes to securing a WordPress site (or any other CMS), owners and developers often load their sites with multiple security plugins, because more is better, right? Unfortunately, this can cause more harm than good.
WordPress security plugins also need to be updated, and they too can have vulnerabilities (e.g. the WordFence XSS vulnerability). Security plugins, especially the ones that connect the site to a web application firewall or some simpler filtering engine, can conflict with each other, and the traffic might then not be properly monitored and filtered.
Some also change the settings of the hosting environment via the .htaccess and nginx.conf files. When multiple plugins try to push their own changes, you can end up with an unstable site with questionable security configurations.
We often see service providers that offer “daily malware removal”, “one-click malware removal” and similar services. These seem to work well for website owners, because every time the cleanup runs, a report shows that the website is clean, and it seems good because it happens often.
Instead of throwing out the bad guys on a regular basis, maybe it’s time to make a real effort: instead of investing in a fancy bucket to bail water out of a sinking ship, invest in tools that keep the water out.
A malware infection is the result of a problem. Does it really make sense to focus on the consequences? As long as you don’t solve the underlying problem, you will end up in an endless circle of infections and cleanups.
When it comes to content management systems like WordPress, it’s highly important to have a proper overview of every single component your website uses. If you’re an agency or a developer, it’s important to be able to set alerts and receive the information from a single place.
Whether it’s a vulnerable PHP version, vulnerable plugin version or a buggy theme, you want to know this information immediately. It’s not only about the internals, but the external information as well.
You should always know and be alerted about:
Comprehensive website monitoring is essential. It’s not just about uptime; it’s about integrity and about knowing where to look. If you know where to look and what to improve, it will be much easier to keep pace with modern security practices.
It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated. To be able to fight back, you have only a small time window in which to act. In such cases, web application firewalls are of critical importance.
A web application firewall monitors the traffic your website receives and takes action on malicious or suspicious requests. Web application firewalls are of critical importance for blocking exploitation attempts when a vulnerability is present that has not yet been patched.
For example, the WebARX web application firewall is managed, and virtual patches are distributed automatically to the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus, and thus our firewall engine is updated on a daily basis.
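The component overview described above starts with a simple inventory check. The following is an added example, not code from the original article or from WebARX: it parses the standard WordPress plugin header block (Plugin Name:, Version:) from plugin main files and flags any plugin whose installed version is below the first fixed version in a constructed advisory list. Plugin sources and advisory entries are constructed for illustration; a missing Version header is reported rather than silently skipped.

```python
"""Inventory WordPress plugin versions and flag those affected by known advisories.

Assumes plugin main files carry the standard WordPress header block
(Plugin Name:, Version:) and that advisories are supplied as a mapping of
plugin slug -> first fixed version. All sample data below is constructed.
"""
import re

# Constructed sample: plugin slug -> contents of the plugin's main PHP file.
SAMPLE_PLUGINS = {
    "example-forms": "<?php\n/*\nPlugin Name: Example Forms\nVersion: 1.4.2\n*/\n",
    "example-seo": "<?php\n/**\n * Plugin Name: Example SEO\n * Version: 3.0.0\n */\n",
    "example-cache": "<?php\n/*\nPlugin Name: Example Cache\n*/\n",  # no Version header
}

# Constructed advisory feed: slug -> first version that contains the fix.
ADVISORIES = {
    "example-forms": "1.4.3",
    "example-seo": "2.9.0",
    "example-cache": "2.0.0",
}

# Matches "Plugin Name: X" or "Version: X" lines, with or without a leading " * ".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(source: str) -> dict:
    """Return the Plugin Name / Version fields found in a plugin's header comment."""
    return {key: value for key, value in HEADER_RE.findall(source)}


def version_tuple(version: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) for comparison; non-numeric parts count as 0."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def find_vulnerable(plugins: dict, advisories: dict) -> list:
    """List (slug, installed version, fixed version) for plugins below the fixed version.

    A plugin that has an advisory but no Version header is reported as 'unknown'
    so that it shows up in the alert instead of being ignored.
    """
    findings = []
    for slug, source in plugins.items():
        fixed = advisories.get(slug)
        if fixed is None:
            continue  # no known advisory for this plugin
        installed = parse_plugin_header(source).get("Version", "unknown")
        if installed == "unknown" or version_tuple(installed) < version_tuple(fixed):
            findings.append((slug, installed, fixed))
    return findings


if __name__ == "__main__":
    for slug, installed, fixed in find_vulnerable(SAMPLE_PLUGINS, ADVISORIES):
        print(f"ALERT: {slug} {installed} is below fixed version {fixed}")
```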
First of all, we have offered remediation services and malware removal since 2014 and have tested a lot of different tools. Many of them claimed to find malware with 100% accuracy. This has never happened.
Scanners are either heuristic or pattern based, and malware is always engineered to be invisible to scanners. Some scanners find malware better, some struggle with false positives and many just don’t work at all.
Over the years, we have stuck with supervised remediation. It means that we use different techniques to clean up the site and make sure that not a single backdoor remains on it.
After double checking, we install and configure a
WordPress security is much more than just a security plugin and strong passwords. It’s a process.
We tend to get lost and confused in the world of ads and marketing messages without really knowing what is good for us. If you have the proper tools, sometimes the most effective way is to just take an hour per week to
Keep in mind, security is a process,