CC, SOME RIGHTS RESERVED, KRISTINA ALEXANDERSON
When a big website like Lenovo's gets hacked, it's news. But most such attacks take place under the radar, at smaller sites lacking the skills or time to protect themselves. Take the legions of Wordpress-based sites, which got a rude awakening last year when many thousands of them were hacked.
Don't be one of those sites. Even if you don't use Wordpress, you can learn important lessons from what those poor blighters have been through.
The un-magic bullet: site maintenance
Quickly spinning up a Wordpress site on a hosted server is simpler than ever, but users need to understand that the sites require regular management. Cybercriminals and hackers are continuously looking for sites whose administrators use easy-to-guess passwords, inadvertently misconfigure the site, or fail to apply the latest patch.
Earlier this year, for example, security firm Zscaler found that compromised WordPress Web sites were forwarding visitors' login credentials to an attacker-controlled site. Last year, in one of the worst cases of serial compromise, a malicious program, known as SoakSoak, infected more than 100,000 Wordpress sites using a vulnerability in a popular plugin. "The beautiful thing about these applications is that they are easy to use and make it easy to get a website up online," Tony Perez, CEO of Sucuri, says. "But it's a double-edged sword--we cannot depend on the users to be able to manage the sites securely."
Security experts don't blame the content management systems, which typically take security seriously. But Wordpress sites account for 24 percent of all Web sites, and Joomla and Drupal account for another 5 percent, according to Web technology firm W3Techs. The software is under intense attacker scrutiny. Attackers have historically tried brute-force password guessing as a first assault on content management systems, followed by quickly attempting to take advantage of any just-published vulnerabilities.
Passwords are an easy problem for users to solve, but keeping up with a steady stream of vulnerabilities and patches requires diligence, says Mark Maunder, CEO of Wordpress security firm Wordfence. These three best practices will help you fend off attackers.
1. Update as soon as possible
Anyone managing their own site should either use a hosting service that manages the core content management system (CMS) updates or create a process to keep up with information on vulnerabilities that could impact their installation.
Be warned, it's a tough job. Subscribing to any vulnerability feeds for their software and plugins is a necessity to quickly patch vulnerabilities in either the CMS or its plugins. Yet, it's easy to be inundated, says Sucuri's Perez.
Sign up for CIO Asia eNewsletters.