WordPress – according to its publicity – is the world’s most popular website builder. Consequently it is a juicy target for threat actors.
So I have a couple of questions for you.
Does your website reflect your organisation’s reputation?
Do you know if your website is built on WordPress and more importantly whether it uses WordPress plugins?
WordPress Answers
I am going to assume I know your answer to the first question. Yes, your website is part of your organisation’s reputation and message so you need it to be right. Of course.
But can you answer the second question? Do you know what software platform is used?
Even if – as is probably the case – you contract out your web design and management, you should have checked that they have procedures in place to maintain and update the core site code and any associated plugins. The contractors should also have a procedure for choosing those plugins in the first place.
Why are WordPress plugins significant?
WordPress plugins add functionality to the core WordPress code and it is remarkable what these plugins can offer, from games that can be used to market your products (we have used one of those), or take money for you, to plugins that completely take over the core code and allow nearly unlimited design options.
Some are produced by highly reputable companies that work hard to maintain security and reliability, others are not. Before a plugin is even considered it should be checked out.
WordPress plugins are a target for threat actors because there are a lot of them in use and there are sure to be flaws in some of them that can be exploited. That exploitation will get to the heart of your organisation’s message and reputation if a flawed, unpatched plugin is used on your site.
What do we do? Part 1.
When we are working with a client on their cyber security plan, we have a checklist that we work through with their web designer. This covers all the points the web designer should be addressing for our clients. We have found that normally most of the issues are covered but we often find holes. In those cases, we work with the web designers to fix them for our clients.
What do we do? Part 2.
Why did I write this blog?
Elementor is a very popular WordPress plugin, in use on over a million websites. I discovered that it had a bug that was being exploited – I reported on this over on Smart Thinking. The Elementor team rapidly issued a patch to fix the bug and stop further possible exploitation. We use Elementor on the CyberAwake website – so before I reported on the issue on Smart Thinking and wrote this article, I contacted my partner at CyberAwake and checked with him that we had patched the bug. We had!
With that done, having practised what I preach, I could write the stories.
Other website platforms
WordPress is not the only website builder out there, of course. The most recent web designer we worked with for a cyber security client used Craft CMS, but the same framework we used applied.
WordPress. So I ask again:
Do you know?
If not then start a conversation with your web designers or us.
Next week
Code!
Clive Catton MSc (Cyber Security) – by-line and other articles
Further Reading
What do you know about your website? – CyberAwake
WordPress Elementor plugin bug let attackers hijack accounts on 1M sites (bleepingcomputer.com)