Happy That You're Using WordPress for Your Website? So Are the Hackers!
by Tom Snyder on Jan 18, 2017
While hacking continues to be the hot topic of the day in political news, for those of us in the web development business, it's been top of mind for decades.
Because hack attempts are almost as certain as death and taxes, everyone who takes security seriously stays vigilant and makes it harder for hackers to find a way into their websites or email. They use strong passwords, hardened firewalls, and solid security compliance standards that keep their website platforms constantly updated. In doing so, they minimize the chance that miscreants will steal valuable personal or customer information, or take control of their digital presence to launch trojans and viruses against other computers, email accounts and networks.
As a web development firm, we have made it our mission for decades to protect our client sites and email accounts from near-constant hack attempts.
So we all laughed when we heard that one of the email accounts that was hacked in the recent election was vulnerable because the password was "password." But we found it ironic that many of those who laughed at that lack of concern for security still run their websites on WordPress.
WordPress is an open-source blogging tool that uses plug-ins to extend its capabilities and provide much of the functionality that content management systems like Drupal, Joomla! and Concrete5, or e-commerce platforms like Magento, have had all along. Even though its back-end administrative UX is not very user-friendly, thousands of $48 themes and $15 plug-ins are available that let small businesses, freelance designers and small agencies create good-looking but generic low-cost websites. That combination has allowed WordPress to grow to host 27% of all the websites in the world.
It has also contributed to it becoming the most hacked platform on the web.
Hardly a week goes by without news stories reporting another phishing scam going viral. Hackers create bots to scour the web and identify thousands of hackable sites, then create fake bank, branded customer-service or e-commerce login pages on those sites. They then use the mail program on those servers to send out millions of emails luring unsuspecting recipients to those pages to enter personal or credit card information, which is harvested and used for criminal purposes.
According to a 2016 study by a leading website security analysis firm*, 78% of those hacked websites ran on WordPress. Joomla! was a distant second at 14%, 5% were running Magento and 2% ran Drupal. Concrete5 didn't even show up.
Whenever a client insists that we build their site on WordPress (usually against our recommendation), Trivera requires a service agreement under which we apply security patches immediately upon their release. Because we've learned from history, that agreement also always includes support provisions for mitigating hack attacks.
Whenever I check my spam folder to make sure a legitimate email hasn't ended up there, I find several emails that have been sent by a WordPress site attempting to get me to go there and either enter my information or get infected by a trojan. Just last week, I found two more, which provided me with the impetus for this blog. One was running an older version of WordPress with a widely known vulnerability (see image below).
Example of a falsely-branded email sent from a hacked, un-patched WordPress site, with a link to that same site that auto-forwards to another site which, without anti-virus protection, would have infected my computer with a virus, trojan or ransomware.
But it's not just old, non-updated versions of WordPress with well-known vulnerabilities that are being hacked. The other email I received last week sent me to a hacked WordPress site running the most current version available at the time. Hackers had found and exploited a vulnerability before WordPress even had a chance to identify it and release a patch to close it.
Example of a falsely-branded email sent from a hacked, fully current WordPress site, with a link to that same site that auto-forwards to another site which, without anti-virus protection, would have infected my computer with a virus, trojan or ransomware.
With WordPress, the question is not whether your site will get hacked, but when it will get hacked.
Smart marketers and business owners spend more to hire developers with a greater sensibility for security to build their websites on content management systems, like Concrete5, Magento, Joomla! and Drupal, that have a much lower risk of being hacked. It will cost more, but avoiding the legal, reputational and financial damage to your business and your brand when your site is found responsible for the theft of visitor information makes it an investment worth the price.
*Sucuri Website Hacked Report 2016 Q1