As the internet continues to grow, so do cybersecurity concerns. Financial professionals are among those who need to be on top of their digital security as having your website hacked can result in a loss of trust from existing and potential clients. WordPress is one of the most popular CMS platforms that financial advisors use to manage their websites. Many WordPress security issues have been found to be related to plugins with vulnerabilities or outdated versions of WordPress core files. A recent report from the National Cybersecurity and Communications Integration Center (NCCIC) found that more than half of all security incidents were caused by vulnerabilities in web applications, with WordPress being a popular target for hackers due to its popularity as an open-source content management system (CMS). In this article, we will cover many WordPress security issues you need to be aware of.
Malware
Malware is a type of malicious software that can be installed on your website and created with the intent of compromising your website. Hackers can upload malware to a legitimate website's files or implant code into existing, unsuspecting files. The reason that WordPress websites are specifically vulnerable is due to outdated themes and plugins. A hacker can enter a website through this unsecured software and inject malicious software that can be used for anything from stealing your credentials and other personal information when you log in to the site, planting backdoor access so they can get back on later without being detected by security measures like two-factor authentication.
Outdated Core Software
The world’s most popular website builder for small businesses - WordPress - has been plagued by one issue after another in the past few years, with a much older computerised system that leaves it open digitally from hackers when website owners do not keep the core software up to date. Outdated WordPress software makes the site vulnerable as these important updates usually address critical security issues. If updates are not completed on a regular basis then the WordPress website will be susceptible and therefore open for potential attacks by malicious actors who seek harm.
A big advantage of using a proprietary website building platform over WordPress is that as part of your plan, developers will continuously enhance the functionality and security for you, so you don’t have to worry about keeping the system up to date.
Unsecure Themes and Plugins
One of the biggest draws to WordPress is the flexibility the platform offers. There are thousands of themes and plugins available to download in order to customise their website. However, these plugins and themes need to be handled with care, as if they are not updated regularly they can expose your website to security concerns. The reason WordPress websites are particularly at risk here is in part because the developers of these plugins are not required to adhere to a minimum security standard, which means that plugins and themes can be utilised as entry points for hackers. Another part of this puzzle is that assuming the plugin is secure, but stops being supported then the plugin will not be compatible with the latest WordPress Core update and the app will become a security vulnerability that hackers can use to gain access to the website.
Unauthorised Logins
Unauthorised logins are usually performed by a “brute-force” attack. A brute force attack is when an attacker uses a bot to guess the username and password of a WordPress website using billions of potential combinations. WordPress websites are the most vulnerable to brute force attacks because the default login page is the same for all WordPress websites - www.domain.com.au//wp-login.php. This combined with the fact that most WordPress users have the same username of “admin” means that the hacker just needs to guess the password and then they have access. Hackers also target WordPress website’s because they are so popular. With more than 60% of all new website launches now being powered by WordPress and since it powers over 20 per cent of existing sites on the web, hackers have developed automated scripts that can exploit vulnerabilities in these platforms with alarming speed.
Denial-of-Service Attacks
A Denial of Service attack, or DDoS for short, is when a perpetrator deliberately targets a specific website with so much traffic that it overwhelms the server, causing it to crash, making the website unavailable to its intended users. Once the attack has finished the server will restart and then become live again, but the damage to the company's reputation might be harder to restore. This attack isn’t specific to WordPress, but they are vulnerable if they use cheap hosting that has limited security in place.
Undefined User Roles
One key component that people often overlook when setting up their WordPress website is which roles are going to be assigned to each of the users. By default users are assigned as an administrator, which is the highest level of access that can be assigned. This becomes an issue then there are multiple users who have administrator access and one of these accounts is compromised by a brute-force attack. The attacker will then have full control over the website, allowing them to maliciously alter the website.
WordPress is the most popular website-building platform in the world, but it's also one of the least secure. According to Wordfence in 2016, there were over 4 million attacks on WordPress websites. These attacks are not only expensive to clean up after (sometimes costing thousands of dollars), they can also ruin your reputation by leaving you vulnerable to security breaches that leave your customers' personal information exposed.
At Bectre, we use a proprietary website-building platform that utilises enterprise-grade website security. Our system includes automatic website backups, DDoS protection, automatic security updates, malware protection and much more. It's what we call "Peace of Mind Website Protection." If you are interested in a secure alternative to your WordPress website, then contact us for a free, no-commitment consultation or call us on 0432 412 024.
