National Cyber Security Awareness Month: You Could Be the Biggest Threat to Your WordPress Site
October is National Cyber Security Awareness Month in the U.S., and this year’s theme is “See Yourself in Cyber.” What is really being said by this theme is that we all have a role to play in cyber security, whether we work in the industry or not. With this in mind, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) have identified four key areas where we can all take action to protect our presence online, and work to keep others safe. These same concepts can be used to help secure WordPress sites as well.
Think Before You Click
The idea behind this concept is that you should always be on the lookout for phishing attempts. This is true in general, but also applies specifically to anyone who is an administrator of a WordPress site. Anyone who is in this role is likely very familiar with receiving emails from their website that advise of available updates, or comments that need to be moderated, and plenty of plugins have their own reasons for sending emails to administrators as well. As most administrators don’t log into the admin panel daily, these emails are often a critical part of the site management workflow.
WordPress is currently used on over 40% of all websites, making it both well-known and a large target for threat actors. What this means is that threat actors are aware of the emails that website administrators are used to receiving, and can likely duplicate them with relative ease. Whenever you receive an email from your website, it is best to check that any links do not contain domain names from other websites before clicking, or better yet log into the admin panel directly and navigate to the page that needs your attention.
Even more important than checking links in the emails you are used to receiving is checking links in emails you aren’t expecting. We recently discussed how links can be manipulated to enable a complete account takeover, among other malicious activities. By remaining vigilant and checking the actual URL being used, these types of attacks can be avoided.
Update Your Software
One of the best ways to keep a website secure is to ensure that any software being used is regularly updated with the latest security updates. In WordPress, this means keeping your core WordPress version up to date, as well as any themes or plugins that are installed. Automatic updating of the WordPress core was added in WordPress 3.7, and WordPress 5.5 added the ability to update themes and plugins automatically.
Despite the ability to update all of this software automatically, many site administrators allow their websites to run on outdated versions, many of which contain security vulnerabilities. Some may have reasons for using older versions, such as theme or plugin compatibility issues. However, these issues should be resolved as quickly as possible, finding replacement themes or plugins if necessary. If leaving outdated software active on the site is a matter of convenience, then automatic updates should be enabled to ensure vulnerabilities are patched as quickly as possible. Feel free to refresh your memory on when to choose auto-updates over manual review in this article we published back in 2020 when auto-updates for plugins and themes came out.
The majority of the targeted attack attempts we see are attempting to make use of vulnerabilities in outdated plugins. As threat actors become aware of vulnerabilities, they also know they can find success in exploiting those vulnerabilities because of the number of administrators who allow outdated plugins to remain active on the website. The simple act of updating all of the site software is one of the simplest ways to prevent the success of an exploit attempt.
Use Strong Passwords – and a Password Manager
It can’t be stated enough that passwords need to be as strong as possible. Threat actors have been looking for ways to get into user accounts since the dawn of the modern era of computing, and they have a number of tools at their disposal to guess or “crack” passwords. The stronger the password, the lower their chance of success. Longer passwords are considered more secure, with current recommendations calling for a minimum of a 16-character password wherever possible. Each password should only be used to log into a single account. This means that individuals should have strong and unique passwords for each and every account they have from WordPress to Gmail and everything in between.
While the requirement to use a unique password for every account may sound like overkill to some, there is a very good reason for it. A type of attack known as credential stuffing is easily prevented simply by using unique passwords. Credential stuffing consists of using known usernames and passwords to try to log in to as many accounts as possible. If credentials from an account are leaked in a data breach, stolen through phishing, or otherwise obtained by a malicious actor, they are often able to gain access to multiple accounts simply by using those same credentials in other accounts, such as Gmail, banks, and of course WordPress.
Another common method of guessing a password is what is known as a dictionary attack. This type of attack utilizes techniques like trying lists of common passwords, or even seemingly random strings, in the password field to attempt to find one that provides access to the account. In the last 30 days, we have blocked 4,239,859,063 password attack attempts, which highlights the importance of using a strong password to keep malicious actors out of accounts.
Using long passwords that are unique for each account can seem intimidating, especially once you consider that the average person has around 100 different accounts that need passwords. This is where password managers come in. Most password managers can automatically generate secure passwords, and securely store those passwords to easily copy and paste into login forms. There are a number of password managers available, all with their own set of features and use-cases. Ultimately, which password manager you use is far less important than the fact that you are using one, so use the one that fits your needs the best.
Refresh your memory with 10 of the most common password mistakes we’ve seen and employ techniques to mitigate the risks of each one.
Enable Multi-Factor Authentication
While strong passwords are important, enabling multi-factor authentication (MFA) is one of the most effective methods of preventing unauthorized account access. According to details provided in a White House press briefing, 80-90% of all cyber attacks can be prevented with the implementation of multi-factor authentication (MFA). There are various forms that MFA can take, but the basic idea behind it is that you are using something you know (password), along with something you are like biometrics or something you have such as a smartphone or usb device, to provide access.
What makes MFA so effective is the fact that it requires at least one additional form of authentication that a malicious actor is not likely to possess with the first factor. This means that even if a threat actor obtains a username and password through a phishing scam, they still won’t have access to the smart card, MFA token, or other additional form of authentication required. Most MFA methods are also relatively simple for the authorized user to utilize, and combining this with strong unique passwords that are stored in a password manager can even be more convenient for the user than trying to remember password variants that work with the various password requirements of their accounts. As a reminder, Wordfence makes it incredibly easy for site owners to set-up MFA for all Wordfence users.
National Cyber Security Awareness Month is a great time to review our personal and professional security hygiene. Each year a different theme is chosen, based on the areas that have been observed to need the most improvement. The specific behaviors and techniques highlighted should be reviewed and applied everywhere possible. Following this year’s theme of “See Yourself in Cyber” we gain the understanding that cyber security is everyone’s responsibility, and that we can apply new behaviors to avoid phishing and vulnerabilities, as well as better secure access to our accounts.
In addition to the suggestions provided by CISA and NCA, it is important for WordPress site administrators to implement a security solution like Wordfence to block attack attempts that take advantage of known and unknown vulnerabilities, as well as detect malware that may find its way into a website. Wordfence Free, Premium, Care, and Response provide the additional security that good cyber security hygiene can’t always cover.
If you believe your site has been compromised, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.
This article was written by Topher Tebow, a former Wordfence Threat Researcher.