Thursday, January 4, 2018

Don't Panic, Be Careful

I'm not recommending that anyone simply abandon the use of Wordpress as a web publishing platform. What was once a simple blogging platform turned into a full-featured CMS, and ultimately into a full-featured web service architecture.

According to W3Techs, fully 1/3 of websites use Wordpress for content management. (For perspective, half of all websites don't exhibit any evidence of a CMS, and the next two most popular choices, Joomla and Drupal, account for less than 6% of sites.) So the Wordpress ecosystem has the benefit of a huge installed base and well-established mindshare.

That explains part of why the platform is a popular target in the recent flurry of Supply Chain Attacks. There are other good reasons, but certainly when your popularity puts you well in front of the pack, you can bet you'll see attackers probing at the property line.

But that's no reason to start heading for the exits if you have a Wordpress site. It simply means that you should exercise some sensible measures to ensure careful operation.

If you've never heard of a Supply Chain Attack, you can read more about the concept, and recent attacks here at the Wordfence blog. They explain the matter fully and clearly, plus they recommend measures you can take to protect your site.

In summary, the steps I recommend are:
  • Remove any unnecessary plug-ins and themes from your site
  • Consider disabling auto-updates to themes and plug-ins except where you have a very strong confidence in the vendor
  • Use a protective system (like Wordfence) and scan for malware regularly (with something like Gravityscan)
  • If it's not possible to inspect the health of the installation regularly, consider engaging a service that routinely manages updates, backups, and security audits. Such maintenance is often not expensive.
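One way to put the second step into practice is to let WordPress auto-update only the plug-ins and themes you have vetted, and hold everything else back for manual review. The snippet below is an added example written for this post, not code from Wordfence or from WordPress itself; it uses WordPress's `auto_update_plugin` and `auto_update_theme` filters, and the allowlist entries are placeholders you would replace with your own trusted items.

```php
<?php
/**
 * Plugin Name: Auto-update allowlist (example)
 * Description: Only let vetted plug-ins and themes update automatically.
 * Drop this file into wp-content/mu-plugins/ so it is always loaded.
 */

// Placeholder allowlist: plugin basenames and theme slugs you have
// personally vetted. Anything not listed here is held for manual review.
const TRUSTED_PLUGINS = [
    'wordfence/wordfence.php',   // example entry, replace with your own
];
const TRUSTED_THEMES = [
    'twentyseventeen',           // example entry, replace with your own
];

/**
 * Decide whether WordPress may apply an automatic update to $item.
 * $update is WordPress's own decision so far; $item is the update object
 * (plugins carry ->plugin, the plugin basename; themes carry ->theme).
 */
function example_allowlist_auto_update( $update, $item ) {
    if ( isset( $item->plugin ) ) {          // plugin update object
        $id      = $item->plugin;
        $allowed = in_array( $id, TRUSTED_PLUGINS, true );
    } elseif ( isset( $item->theme ) ) {     // theme update object
        $id      = $item->theme;
        $allowed = in_array( $id, TRUSTED_THEMES, true );
    } else {
        return $update;                      // unknown item: keep WP's choice
    }

    if ( ! $allowed ) {
        // Leave a trace so the next routine audit sees what was held back.
        error_log( sprintf(
            'auto-update held for review: %s -> version %s',
            $id,
            isset( $item->new_version ) ? $item->new_version : '?'
        ) );
        return false;
    }
    return $update;
}

add_filter( 'auto_update_plugin', 'example_allowlist_auto_update', 10, 2 );
add_filter( 'auto_update_theme',  'example_allowlist_auto_update', 10, 2 );
```

Held-back updates still show up in the dashboard's update list, so nothing is silently skipped; you just decide when to apply them.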

At Schoolhouse Earth we host and maintain websites for a number of organizations, and it definitely requires some vigilance. It's not hard to do, but it is definitely comforting to have someone take care of that for you.