5 Insights On The Website Security Threat Landscape

At WP Engine, we’ve got your back when it comes to website security. While we’ve covered website security extensively, it remains a hot topic that can’t be talked about enough in the news, tech, and many other industries.

In fact, we have several blog posts and white papers on the importance of SSL security, 10 WordPress security best practices, and 15 tips to harden the security of your WordPress site that offer advice on how to make your WordPress site nearly impenetrable.

However, there’s always more to elaborate on. In a recent webinar, WP Engine invited Tony Perez, CEO of Sucuri to lead a webinar to explore the topic even further.

Here’s what we learned from this insightful session:

Human errors are hacker’s favorite target

Hackers will take advantage of anything they can. Don’t give them a reason to attack your site by having poor management of site configuration, improper configuration tools, lack of active administration or all around bad habits, like weak passwords.

“This makes their tactics highly effective. Because of these weaknesses, websites get compromised—in mass—through automation. There are targeted attacks, of course. But for the masses, I’d say that approximately 95 percent of the attacks we see every day with website owners are ‘Targets of Opportunity’ or targeted attacks,” said Perez.

Perez also mentioned security is one of the last priorities that website owners neglect to address.

There are many different kinds of attacks

Types of attacks range from external to internal to reflective.

The types of external attacks hackers use are a “shotgun-like approach,” where they fire a lot of shots and see what works. For example, a “Brute-Force Attack,” is where an attacker sends a barrage of requests to the username and password fields to find the right combination.

Internal attacks can include a hosting misconfiguration and cross-site contamination.

Lastly, reflective attacks are when an attacker compromises your site by not penetrating it. This happens when you trust your site too much and encompass malvertising and third-party integration.

The order of precedence in a security attack is exploitation of software vulnerabilities, brute-force attempts, users, security misconfiguration, and cross-site contamination.

Once hackers have entered your site, they have the world at their fingertips

“A lot of the time, it’s not what they will do with your audience as it is what they will do with your resources,” said Perez. “Your website is another connected device that can be added to a larger botnet that can be used to disseminate some traffic or otherwise used to abuse or confuse online visitors.”

These resources include cross-site examination, your site’s SEO, malware distribution, search engine poisoning, phishing, sending spam email, defacement of the site, and so on.

Search engine poisoning is making use of your online authority and pushing their agenda. Say someone searches your site and clicks on a link, but instead of your site, they will be directed somewhere else. This is the fastest growing number of attacks in cyber security today.

Backdoors are also another issue to worry about. Perez said over 60 percent of infected sites we work on have some backdoor embedded within the system. For those who don’t know, backdoors ensure the attacker is able to still have access to the site, even after the attack has been fixed.

There is no single best solution to cyber security

Perez introduces the idea that he uses at Sucuri, which is “Defense in Depth.”

“It’s the idea that we deploy a series of overlapping, complementary defensive controls across our stack. This is all designed to work in unison with one another,” said Perez. “One is not better than the other. The endpoint security is not better than cloud security. They have to work together.”

Perez advised that to employ an effective “Defense in Depth” strategy, you must focus on the things you can control. You must stay ahead of the unknowns. Security is an ever-going process and not in a static state.

He emphasized that the people, process, and technology circle must all work together to make your site secure. For example, installing a plugin or tool and then forgetting to configure it is a huge security issue. Contrary to the principle of this circle is trying to find one golden thing to rely on to defend your site.

WP Engine’s commitment to security

As Perez concluded his presentation, WP Engine Security Engineer, Justin Dailey, took the mic to discuss how we at WP Engine combat malicious attacks.

WordPress core upgrades, disk write protection, active intrusion detection, managed patching and updates, and malware remediation are some of the security features on WP Engine’s WordPress hosting platform.

“At WP Engine, security is a shared responsibility between us and our customers. We do as much as we can to take some of the burden off of our customers,” said Dailey.

Conclusion

One of the biggest things to take away from the webinar is that website security is ever-changing. It must be managed by multiple security tools. Hackers will take advantage of any weakness your site has. Yet, there are many simple ways to further harden the security of your site.

You want to trust your hosting provider when it comes to website security. At WP Engine, we promote an open dialogue as well as our many secure WordPress hosting features.

Check out the entire webinar that includes slides and a Q&A.