Understanding and Managing Threats and Vulnerabilities

In a recent livestream, WordPress Security expert Timothy Jacobs discussed various threats posed by hackers and resulting from poor security practices. He also walked through Solid Security Pro settings and engaged in a live Q&A at the end.

Read on to learn more.

Front Door Security Threats

Login Security

Weak passwords lead to brute force attacks. Brute force attacks refer to a trial and error method used to discover username and password combinations in order to hack into a website. The brute force attack method exploits the simplest form of gaining access to a site: by trying to guess usernames and passwords over and over again until they’re successful.

If you’ve got weak passwords on your site, attackers can get into your site and perform any actions as if you were you.

Another login security issue is when people reuse passwords. We are inundated with data breaches. Tons of usernames and passwords exist in these data breaches. Instead of attackers trying different varions of your password, they just go through these lists and assume a certain amount of users are reusing the same password on their sites. These are called credential stuffing attacks. This can be a huge risk. Even if you are using a really strong password, if it’s the same password that you are using on another account and that account gets compromised, you are at risk.

This is not just about the administrators on your site. You also want to keep in mind the reputational damage that you can have when your site gets hacked. Just late last year 23andme had millions of data that was exposed because their users were not using strong passwords or they were reusing passwords. 23andme didn’t enforce two-factor security or enforce that users use passwords that weren’t compromised. People tend to make the easy choice. If you let them type in a password that’s just password, they might just go ahead and do it. So, you’ll need to mandate that the users on your site use security best practices.

Thomas Raef with We Watch Your Website discovered that 7.2% of the hacked websites that he was monitoring were due to these types of account compromises, either through passwords, credential stuffing, or things like that. How do we protect ourselves against this threat? Well, if you’re a Solid Security user, enable things like brute force protection and require that users use strong passwords. You can prevent users from using those breached passwords by partnering with a service like Have I Been Pawnd.

You can slow down bots further by using CAPTCHAs. We integrate with reCAPTCHA from Google, Cloudflare’s Turnstile, and hCAPTCHA. Use any of those services to help protect your login page.

The other thing that you want to do is use two-factor authentication. Data from Google from a couple of years ago talks about how effective two-factor authentication is at preventing account takeovers. If you’re using an SMS code, a security key, or a two-factor code, that can protect against 100% of automated attacks. It can prevent 95% or more of bulk phishing attacks. And it can even prevent a large majority of targeted attacks on your site. Bottom line, you should be using two-factor authentication.

What’s better than two-factor authentication? Passwordless login. A great way to protect your site is to use Passkeys. Check out the webinar we did called Let’s Kill the Password. It dives into the future of authentication and how you can use Passkeys.

Access Management

Let’s say you have an administrator on your site. When that person’s responsibilities change or they move to a different team, is their access getting updated? Do you have a proper process in place to make sure that ex-employees don’t still have access to your websites? How do you take care of that?

Make liberal use of roles in WordPress. There are administrators, editors, authors, and contributors. Using plugins, you can even create custom roles. Never give out administrator access unless they absolutely need it.

Also, use privilege escalation features. In Solid Security, you can give a user temporary administrator access, temporary admin access, or temporary editor access. And in the timeframe you configure, their access will automatically expire.

Scan for inactive users using Solid Security’s site scan feature. You will be notified if a user on your site hasn’t logged in for 30 days. At that time, you can determine if they need to be removed or reduced to author privileges. You can keep these users at a lower account level until they need administrator access again.

When you give out access to people, document it. Put this information in a spreadsheet and use it as a checklist. This way, you’ll know for sure that you removed access to a particular user for all of your sites.

Back Door Security Threats

Vulnerable Software

Software includes WordPress Core, plugins, and themes you’re using on your site. Thomas’s research over the past year shows that 33% of the hacked websites were due to running vulnerable software. However, not all vulnerabilities are created equal. A Remote Code Execution is not the same as a Self-Cross-Site Scripting attack. How do you prioritize the vulnerabilities you may come across?

There is this concept of CVSS scores. They range from zero to 10 and help us indicate the severity. An issue that is a high severity issue would be an 8.0, 9.8, or a 10. A low-severity issue would be a two or a three. This does not mean that you should ignore low-severity issues. It does, however, help you prioritize the higher-severity vulnerabilities you have on your site so you can take care of those first.

There are also tools like Patchstack, which we partner with at Solid Security, that can help you determine that priority. For instance, in the Patchstack database, which we link for you whenever we find a vulnerability in your site, it lists the priority for you. You may find a vulnerability that says to ‘patch within 7 days’ and indicates it as a medium priority. Others may be classified as ‘patch immediately’ as it is a critical issue.

When WordPress has a security problem, it affects millions of sites. However, WordPress pushes out security updates automatically. This is turned on by default. Be sure this is enabled for security updates.

You should also set up automated scans to detect new vulnerabilities. In Solid Security, there is a feature that will scan your site multiple times per day. If it detects new vulnerabilities, it will email you and catalog them all on the vulnerabilities page. You can see exactly what vulnerabilities are affecting your site, which ones have been resolved, which ones you need to take action on, and which ones have been mitigated. All of those details are available for you in one central place.

Also, be sure to enable auto-updates for security releases in Solid Security. Because we know the vulnerabilities that are on your site and we know which versions those vulnerabilities were fixed, we can automatically update you to that fixed version.

Be sure to enable virtual patching to keep your site safe when you cannot. Let’s say a vulnerability was published in the middle of the night while you’re sleeping. Or maybe this site is complex with tons of different WooCommerce extensions and there is a WooCommerce vulnerability. Can you update it right away or do you need to test it out on a staging environment? Virtual patches can keep you safe in these scenarios.

What is virtual patching? This is a feature provided by Patchstack. It lets us deploy targeted firewall rules to your site to block a specific attack. These are rules that only need to run when absolutely necessary to keep your site running fast. They block specific tasks that are actually affecting your site and can be deployed very quickly, mitigating the risk that attackers can exploit the vulnerability.

Keep in mind, however, that these are patches. You still need to update to make sure that you get the vulnerability fully resolved.

Be sure you’re scheduling a time for updates. Our recommendation is at least once a week. As we’ve seen over the past couple of years, the percentage of vulnerabilities that get reported every week is astronomically more now than it was five years ago. Scheduling updates once a month no longer cuts it. This should be a task that you’re doing at least once a week. When you go into your site and you’re looking at the list of vulnerabilities, prioritize the ones that are high-severity issues that have a high CVSS score.

You can also work with hosts like Nexcess that provide automatic updates. Setting up with a host that provides visual regression tests can give you the confidence to automatically update your plugins. And if you’re a Solid Suite customer, you have access to Solid Central. With Solid Central, you can apply updates across all of your sites.

Other Types of Threats

What about those attacks that are happening underneath your nose? These are session stealing attacks or session hijacking. This is when malware that is installed on your device steals the actual cookies that are in your browser. These cookies then get sent to an attacker’s botnet or they’re sold elsewhere. With these cookies, an attacker is able to fully impersonate your user and gain the capabilities of whatever user they compromised. This means that it bypasses traditional protections like brute force or two-factor. There’s no point when the users are prompted for a two-factor code because WordPress thinks that they’ve already authenticated.

Thomas Raef found that this was the majority of attacks over the past year, with 60% being session stealing attacks. What should we do about these?

Keep your computer secure. Running a firewall, using the built-in antivirus tools for your computer, and making sure that you click on only trusted links are some of the ways you can keep your computer secure. If your personal device gets compromised, all of the sites that you access can get compromised. Do not log into your website on public or shared devices.

You can also use additional security plugins that implement controls on session management. We have a feature in Solid Security called trusted devices. Trusted devices alerts users when their login credentials are used on new and unknown devices. We additionally have features called restrict capabilities. When someone is on your site from an unknown device, it prevents them from performing sensitive actions like deleting plugins, installing plugins, or creating new users until that device has been confirmed as safe.

Be sure to use session hijacking protection to help prevent exactly this kind of attack. If an attacker steals your session and is suddenly logging in from another country instead of where you’re based, you can block the attacker from using that new device.

Final Thoughts

Security is a factor of the weakest links. We all have these different features in the plugin. But if you’ve got weak passwords, even if you have all of your plugins up to date, just one admin account can leave your site compromised. One plugin with an unpatched critical security issue can leave your site compromised. Even if all of your accounts are using 64-character, fully random passwords, two-factor authentication, and passkeys, a critical vulnerability can take your site down.

The emphasis here is to use every tool that is available to you. Use the features in Solid Security. Don’t just use strong passwords. Be sure to use two-factor authentication, passwordless login, and trusted devices. If you don’t have them enabled, you won’t be protected.

Watch the Livestream Replay

During this livestream replay, Timothy Jacobs helps you understand and manage threats and vulnerabilities so you know what needs your attention first, how to use Security tools like Solid Security Pro to view, rank, and respond to threats, and how to harden your site moving forward.