Cybercriminals are a serious threat to anyone who uses the internet. And website owners have even more responsibility to protect their work and users. But the good news is that the WordPress community is full of people dedicated to stopping the bad guys. And Jetpack is proud to employ some of the world’s most acclaimed WordPress security experts. It’s how we stay one step ahead of threats and provide powerful tools that make it easier for everyone to remain safe.
We sat down with Fioravante Souza, a WordPress security expert and researcher, to get his inside take.
How did security become your focus?
I got into threat research by accident. I was always passionate about computers and technology, but my focus in college was academic research. I spent time looking at all of those “boring” algorithms. But it didn’t quite work out as a career and I went looking for a job.
I started working in technical support and one of the products we supported was a famous antivirus software. One of my tasks was to help customers get their computers back online after an infection. I would look for other forms of malware that the tools couldn’t detect. The feeling of accomplishment after finding persistent malware is probably the reason I fell in love with threat research.
Is WordPress more or less vulnerable than other platforms?
According to W3Techs, 40.8% of all websites run WordPress. And 65% of all Content Management Systems! So we can safely say that WordPress is the most targeted CMS.
When we consider that WordPress has more than 50,000 free plugins available for download and thousands of premium ones sold by third-party sites, there’s a good chance that some of them were developed by inexperienced engineers who left security vulnerabilities.
What’s the first thing you recommend for WordPress security?
My top recommendation is to not use unlicensed themes or plugins. Users can do everything else right — choose complex passwords, enable two-factor authentication, limit access to the login URL, keep all of their plugins and themes updated — but if they install an unlicensed theme with a backdoor, none of that matters.
What are the most common security threats you encounter?
Backdoors are one of the most common security threats — secret ways to access a site without needing a proper username and password. And there’s a reason behind it: attackers must have a consistent way to access the site.
The majority of attacks are automated. Most security vulnerabilities, according to research from tCell by Rapid7, are patched in 38 days. So hackers have to act fast to exploit those vulnerabilities. The first thing they want to do when they enter a site is create a backdoor so that they can come back later when they decide how to best take advantage of their secret access.
We also see a lot of link farming malware, a black hat SEO technique that increases a site’s relevancy on search engines. Cryptocurrency miners are also popular but are declining.
What are hackers’ motivations? Which are most common?
As the web changed from a communication tool (think of how it was in the 1990s) to a full platform, the motivation behind attacks evolved along with it. Originally, the most common attacks were website defacements, where bad actors mostly just wanted to show off or use the defacement as a form of political protest.
As the internet gained popularity, money became more of a motivation. Attackers would add links to compromised sites to get some money from unaware users that clicked on them. It was the age of the infamous pop-ups.
Hackers saw the profits being raked in by their counterparts and found new, more creative ways to take advantage of the increased internet use — what is now known as “phishing.” Cybercriminals would purchase domain names that resembled legitimate businesses and trick people into handing over information to steal their identities or charge their credit cards.
In 2020, I’d say the top threats were link farming for SEO, command and control for botnets, injecting scripts to mine cryptocurrency, and capturing credit card information from eCommerce stores. All of these shared the same motivation: money.
The political defacements and “show offs” still exist, but they’re much more rare now.
Are there certain kinds of sites hackers seem to target?
Yes, there are. Online ones.
It sounds like a joke, but most hackers don’t target specific sites. They use automated tools to find websites and exploit known vulnerabilities. So it doesn’t matter if your site is about vegan cookie recipes or astrophysics, if it gets 100 visitors a month or 100 thousand. If it’s online, it could be attacked.
But an attack won’t necessarily be successful. It’s just an attempt to access your site. Imagine you parked your car on a busy street along with hundreds of others. If some ill-intentioned person goes car by car, trying to open the door to get inside, this person will only succeed with the cars that aren’t locked.
But we can’t ignore the fact that there are also targeted attacks. These are much more rare but also more sophisticated. Cybercriminals may use a variety of efforts to gain entrance or even create a novel solution to get the control they want. Most WordPress sites aren’t at risk for this.
What’s the most creative thing you’ve seen?
I usually don’t like to praise attacks, but there are some really creative ones out there. I have a lot of fun with code commentaries or the choice of variable names. Exotic code obfuscation (where hackers try to hide the real intention of code) is also really cool to analyze and reverse.
What’s the most disastrous thing you’ve seen?
The most disastrous thing I’ve ever seen was when a customer was running 300+ websites under a misconfigured Windows + IIS + PHP server. Not only were all the websites being constantly compromised, but the automated attacks were causing a Denial of Service because there were so many requests.
After many long days of investigation, we found that one of the websites had the PUT Method enabled, allowing the attacker to upload a backdoor. And since it was a misconfigured shared environment, one compromised website was enough to compromise all the others.
What’s the most important thing that Jetpack does?
I’m probably too biased to answer this question, but I’d say Backup and Scan. You must have backups for all your important things — car keys, wedding photos, and your website. And Scan is important so you know if your site is vulnerable or if it’s already been compromised. That way you can restore it to a clean state. For the majority of known vulnerabilities, there’s actually a one-click fix.
What are you working on right now?
As a threat researcher, I work not only to create signatures and detect emerging threats, but to increase the community’s website security awareness.
And now there’s an effort by the Jetpack Scan team to share our findings with the community as a whole, not just our users. One of my findings was recently published. It covered the dangers of unlicensed plugins and themes.
How easy is it for a complete beginner to secure their site? Where should they start?
Securing a website isn’t too complex. But it does require some effort and time.
Modern content management systems like WordPress are backed by a community, which makes them safer with every update. The same is true for plugins and themes. Developers constantly receive feedback whenever a vulnerability is found, which is why it’s important to always keep your site up to date.
Don’t accept free software from strangers. Always check the source of the theme or plugin, read the support page of those plugins, and see how the developers engage with problems. Stale plugins tend to be rampant with undisclosed vulnerabilities.
Here are a few other considerations:
- Where is your site hosted? Choosing a hosting company is like choosing a new neighborhood. You’ll definitely look at the prices, but safety is important. Make sure your site will be in its own limited area if not on a Virtual Private Server. Website cross-contamination is really common on insecure, shared hosting. See Jetpack’s recommended WordPress hosts.
- Always have a backup of your files and database, and periodically test to make sure the backups work. A backup is only helpful if it can be restored.
- Monitor your site’s files for anything suspicious that might have been added. Sometimes a file dropped at the site’s root is an early indication that your site was compromised.
- Make sure you’re using SSH or SFTP when connecting to your site’s backend and avoid public networks.
- Don’t share or reuse passwords. Choose a password manager and use two-factor authentication whenever possible. Also check if your credentials have been leaked.
Hiring a professional firm or using a WordPress Security service like Jetpack can take some of the burden off of you by automating backups, monitoring, plugin updates, and malware scans. However, practicing safe behavior is on you.
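The file-monitoring advice above (watch for files that appear at the site root or change unexpectedly) is easy to put into practice with a manifest of file hashes. The script below is an added example, not Jetpack's code and not part of the interview: it records a SHA-256 manifest of every file under a WordPress document root, compares a later state against that baseline, and reports added, modified and removed files, calling out new files at the root separately. The site layout, the file names and the "uploaded-file.php" drop in the demo are all constructed for the example.

```python
"""File-integrity baseline for a site's document root (added example).

Record a manifest of path -> SHA-256 once the site is in a known-good
state, keep it outside the web root, and re-run the comparison on a
schedule. Anything in "new_at_root" deserves a look first.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = sha256_of(full)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report what appeared, vanished or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    # A file dropped directly at the document root has no '/' in its path.
    new_at_root = [p for p in added if "/" not in p]
    return {"added": added, "removed": removed,
            "modified": modified, "new_at_root": new_at_root}


def save_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: a tiny site, a baseline, then a tampered state."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as store:
        root = Path(site)
        plugin_dir = root / "wp-content" / "plugins" / "hello"
        plugin_dir.mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (plugin_dir / "hello.php").write_text("<?php // constructed plugin file\n")

        # Baseline taken while the site is known-good; stored outside the web root.
        manifest_file = Path(store) / "manifest.json"
        save_manifest(build_manifest(root), manifest_file)

        # Constructed tampering: a new file at the root and an edited plugin file.
        (root / "uploaded-file.php").write_text("<?php // constructed unexpected file\n")
        (plugin_dir / "hello.php").write_text("<?php // constructed plugin file, modified\n")

        return diff_manifests(load_manifest(manifest_file), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

For a real site, run build_manifest against the document root after each legitimate update and re-save the baseline, so that routine plugin and core updates don't keep showing up as modifications; the comparison only has value when the baseline itself is trusted and kept where a compromised site cannot rewrite it.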
Why is it extra important for eCommerce stores to prioritize security?
In 2018, a CompTIA survey stated that, “Many Americans are willing to give retailers the benefit of the doubt if a security breach occurs, as long as they have taken significant measure to secure data.”
With that in mind, it’s better for eCommerce stores to start and keep their sites safe than deal with the effort to rebuild their trust with customers.
eCommerce websites are targeted for their buyers’ payment credentials. Credit card information and payment service credentials (like PayPal, Stripe, etc.) can be captured by bad actors who were able to inject malicious scripts on the website.
What’s one thing someone can do to boost their WordPress security right away?
One of the best moves you can make is to install Jetpack Security on your site. It’s backed by a team of WordPress experts solely focused on protecting the community. And it multiplies the power of security best practices.
Here’s what Jetpack does to protect your site:
- Jetpack Backup
- Jetpack Scan
- Jetpack Anti-spam
- Brute force attack protection
- Secure sign on
- Downtime monitoring
- Activity log
Read our post: Is Jetpack Security Enough to Protect Your WordPress Site? Or just get started and secure your WordPress site today.