You may think that most of this is irrelevant to WordPress security. Sadly, you’d be wrong.
Your site is only as safe as the weakest link: of the devices that assist in administering it or its server; of your physical security; or of your computing and online discipline. To sharpen the point with a simple example, whether you have an Automattic-managed wordpress.com blog or unmanaged dedicated site hosting, if a hacker grabs a password on your local PC, then all bets are off. If a hacker can borrow your phone, then all bets are off. If a hacker can coerce you to a malicious site, then all bets are off. And so on.
Let’s get one thing clear. There is no such thing as total security and anyone who says any different is selling something. Then again, what we can achieve, given ongoing attention, is to boost our understanding, to lock our locations, to harden our devices, to consolidate our networks, to screen our sites and, certainly not least of all, to discipline our computing practice.
Even this carries no guarantee. Tell you what though, it’s pretty darned tight. Let’s jump in and, who knows, maybe even have a laugh here and there to keep us awake.
So what is the risk? Here’s one way to look at the problem:
RISK = VULNERABILITY x THREAT
A vulnerability is a weakness, a crack in your armour. That could be a dodgy wireless setup or a poorly coded plugin, a password-bearing sticky note, or an unencrypted e-mail. It could just be the tired security guy. It could be 1001 things, and then more besides. The bottom line vulnerability though, respectfully, is our ignorance.
A threat, on the other hand, is an exploit, some means of hacking the flaw, in turn compromising an asset such as a PC, a router, a phone, your site. That’s the sniffer tool that intercepts your wireless, the code that manipulates the plugin, a colleague that reads the sticky, whoever reads your mail, or the social engineer who tiptoes around security.
The risk is the likelihood of getting hacked. If you update the flawed plugin, for instance, then the threat is redundant, reducing the risk. Some risk remains because, when a further vulnerability is found there will be someone, somewhere, who will tailor an exploit to threaten it. This ongoing struggle to minimize risk is the cat and mouse that is security.
To minimize risk, we defend vulnerabilities against threats.
You may be wondering, why bother calculating risk? After all, any vulnerability requires attention. You’d not be wrong but, such is the myriad complexity of securing multiple assets, any of which can add risk to our site, and given that budgets or our time are at issue, we need to prioritize. Risk factoring helps by initially flagging glaring concerns and, ideally assisted by a security policy, ensuring sensible ongoing maintenance.
Securing a site isn’t a one-time deal. Such is the threatscape, it’s an ongoing discipline.
An overview of our risk
Let’s take a WordPress site, highlight potential vulnerabilities, and chew over the threats.
WordPress is an interactive blogging application written in PHP and working in conjunction with a SQL database to store data and content. The size and complexity of this content manager is extended with third party code such as plugins and themes. The framework and WordPress sites are installed on a web server and that, the platform, and its file system are administered remotely.
WordPress. Powering multi-millions of standalone sites plus another 20 million blogs at wordpress.com, Automattic's platform is an attack target coveted by hackers. According to wordpress.org 40% of self-hosted sites run the gauntlet with versions 2.3 to 2.9.
Interactive. Just being online, let alone offering interaction, sites are targets. A website, after all, is effectively an open drawer in an otherwise lockable filing cabinet, the server. Now, we’re inviting people server-side not just to read but to manipulate files and data.
Application, size, and complexity. Not only do applications require security patching but, given the sheer size and complexity of WordPress, there are more holes to plug. Then again, being a mature beast, a non-custom, hardened WordPress site is in itself robust.
PHP, third party code, plugins, and themes. Here’s a whole new dynamic. The use of poorly written or badly maintained PHP and other code adds a slew of attack vectors.
SQL database. MySQL and other database apps, which hold our most valuable assets, content and data, are directly reachable by users, making them immediate targets for hackers.
Data. User data, from e-mails to banking information, is craved by cybercriminals, and its compromise, or that of our content, costs sites anything from reputation to a drop or ban in search results, as well as carrying the remedial cost of time and money.
Content and media. Content is regularly copied without permission. Likewise with media, which can also be linked to and displayed on other sites while you pay for its storage and bandwidth. Upload, FTP, and private areas provide further opportunities for mischief.
Sites. Running multiple sites adds risk because a compromise to one can be a compromise to all.
Web server. Server technologies and wider networks may be hacked directly or via WordPress, jeopardizing sites and data, and being used as springboards for wider attacks.
File system. Inadequately secured files provide a means of site and server penetration.
Administered remotely. Casual or unsecured content, site, server, and network administration allows for multi-faceted attacks and, conversely, requires discipline, a secure local working environment, and impenetrable local-to-remote connectivity.
Meet the hackers
This isn’t some cunning ploy by yours-truly to see for how many readers I can attain visitor’s rights, you understand. The fact is to catch a thief one has to think like one.
Besides, not all hackers are such bad hats. Far from it. Overall there are three types: white hat, grey hat, and black hat, each with their sub-groups.
One important precedent sets white hats above and beyond other groups: permission.
Also known as ethical hackers, these decent upstanding folks are motivated:
- To learn about security
- To test for vulnerabilities
- To find and monitor malicious activity
- To report issues
- To advise others
- To do nothing illegal
- To abide by a set of ethics to not harm anyone
So when we’re testing our security to the limit, that should include us. Keep that in mind.
Out-and-out dodgy dealers. They have nefarious intent and are loosely sub-categorized:
A botnet is a network of automated robots, or scripts, often involved in malicious activity such as spamming or data-mining. The network tends to be comprised of zombie machines, such as your server, which are called upon at will to cause general mayhem.
Botnet operators, the actual black hats, have no interest in damaging most sites. Instead they want quiet control of the underlying server resources so their malbots can, by way of more examples, spread malware or Denial of Service (DoS) attacks, the latter using multiple zombies to shower queries to a server to saturate resources and drown out a site.
These are hackers and gangs whose activity ranges from writing and automating malware to data-mining, the extraction of sensitive information to extort or sell for profit. They tend not to make nice enemies, so I’ll just add that they’re awfully clever.
Politically-minded and often inclined towards freedom of information, hacktivists may fit into one of the previous groups, but would argue that they have a justifiable cause.
While not technically hackers, scrapers steal content, often on an automated basis from site feeds, for the benefit of their generally charmless blog or blog farms.
This broad group ranges from well-intentioned novices (white hat) to online graffiti artists who, when successfully evading community service, deface sites for kicks.
Armed with tutorials galore and a share full of malicious warez, the hell-bent are a great threat because, seeking bragging rights, they spew as much damage as they possibly can.
Again not technically hackers but this vast group leeches off blogs and mailing lists to promote their businesses which frequently seem to revolve around exotic pharmaceutical products. They may automate bomb marketing or embed hidden links but, however educational their comments may be, spammers are generally, but not always, just a nuisance and a benign threat.
Not jargon this time, this miscellaneous group includes disgruntled employees, the generally unloved, and that guy over the road who never really liked you.
Grey hatters may have good intentions, but seem to have a knack for misplacing their moral compass, so there’s a qualification for going into politics. One might argue, for that matter, that government intelligence departments provide a prime example.
Hackers and crackers
Strictly speaking, hackers are white hat folks who just like pulling things apart to see how they work. Most likely, as kids, they preferred Meccano to Lego.
Crackers are black or grey hat. They probably borrowed someone else’s Meccano, then built something explosive.
Over the years, the lines between hacker and cracker have become blurred to the point that put-out hackers often classify themselves as ethical hackers.
This author would argue the point but, largely in the spirit of living language, won't, instead referring to all those trying to break in, for good or bad, as hackers. Let your conscience guide you as to which is which in each instance and, failing that, find a good priest.
Physically hacked off
So far, we have tentatively flagged the importance of a safe working environment and of a secure network from fingertips to page query. We’ll begin to tuck in now, first looking at the physical risks to consider along our merry way.
Risk falls into the broad categories of physical and technical, and this tome is mostly concerned with the latter. Then again, with physical weaknesses being so commonly exploited by hackers, often as an information-gathering preface to a technical attack, it would be lacking not to mention this security aspect and, moreover, not to sweet-talk the highly successful area of social engineering.
Physical risk boils down to the loss or unauthorized use of (materials containing) data:
- Break-in or, more likely still, a cheeky walk-in
- Dumpster diving or collecting valuable information, literally from the trash
- Inside jobs because a disgruntled (ex-)employee can be a dangerous sort
- Lost property when you leave the laptop on the train
- Social engineering which is a topic we’ll cover separately, so that’s ominous
- Something just breaks … such as the hard-drive
Password-strewn sticky notes aside, here are some more specific red flags to consider when trying to curtail physical risk:
- Building security whether it’s attended or not. By the way, who’s got the keys? A cleaner, a doorman, the guy you sacked?
- Discarded media or paper clues that haven’t been criss-cross shredded. Your rubbish is your competitor’s profit.
- Logged on PCs left unlocked, unsecured, and unattended or with hard drives unencrypted and lacking strong admin and user passwords for the BIOS and OS.
- Media, devices, PCs and their internal/external hardware. Everything should be pocketed or locked away, perhaps in a safe.
- No Ethernet jack point protection and no idea about the accessibility of the cable beyond the building.
- No power-surge protection could be a false economy too.
This list is not exhaustive. For mid-sized to larger enterprises, it barely scratches the surface and you, at least, do need to employ physical security consultants to advise on anything from office location to layout as well as to train staff to create a security culture.
Otherwise, if you work in a team, at least, you need a policy detailing each and every one of these elements, whether they impact your work directly or indirectly. You may consider designating and sub-designating who is responsible for what and policing, for example, kit that leaves the office. Don’t forget cell and smart phones and even diaries.