WordPress is one of the most popular content management systems, and for good reason. It’s easy to use, comes with thousands of available themes and plugins, and you can build any type of website with it. No wonder WordPress powers 40.5% of all websites on the Web.
But this popularity comes at a price: WordPress sites are often targeted by both outside attackers and insiders. Insider risk is not always malicious. If an employee who recently filed for retirement starts copying large amounts of data from the company’s network to a USB drive, there may in fact be no planned malice; maybe that person just wants to keep some useful files for the next job. Unfortunately, situations where a resigning employee shares confidential product information, important legal data, personal employee data, or trade secrets with competitors are also quite common.
Some companies struggle even to detect such insider risks, let alone differentiate between routine employee behavior and anomalies that threaten their competitive advantage or reputation.
Today we’ll take a look at how you can significantly reduce the likelihood of data leaks from your WP media site and prevent insider threats. Note that some plugins like AI chatbots store the data outside of your WP site and are not at risk.
You’ve probably heard the story of the WPML WordPress plugin: in 2019 a former employee used an old SSH password to gain access to a genuine WPML address and sent a worrying email about “security holes” to all users of the plugin. In fact, there were no “holes” or any vulnerability at all. It was nothing but a typical insider threat from an unhappy employee.
Insider threats happen more often than you might think. According to a recent poll, 55% of respondents stated that their organization had suffered an insider attack in 2020. Insiders are involved in slightly less than a third of all cybercrimes. The PwC survey found that service providers, regular employees, and contractors are all responsible for a large number of security breaches. A third of executives reported that web attacks committed by trusted (and trained) insiders resulted in huge financial and reputational losses for their company.
Insider threats are tough to protect against. Employees need a certain level of trust to do their jobs, and if they decide to misuse that trust, there isn’t much the owner can do until the damage is already done. But there are a few steps that security-conscious business owners can take to reduce the risk of insider threats to their WordPress media sites.
Site protection is a layered process, so you have to apply as many methods of protection as possible; a little paranoia is justified here. Applying one or two methods will, of course, improve the situation, but only slightly. And even if you apply absolutely all of them, your site will not be fully protected from hacking, although the likelihood of a successful attack drops significantly, which is what you need. Advanced security solutions that offer full control over the website help you prevent these attacks.
Here is a simple analogy that captures the essence of protection. A hack means that something got broken, i.e. there was something to break. When there is nothing to break, it is no longer a hack.
If, say, you left your apartment door open or left the keys in the lock and got robbed, your apartment wasn’t really broken into: they just walked in, took what they needed, and left. The same goes for a website: if you haven’t taken any measures to secure your site and something goes wrong, it isn’t really a hack. So, to make it harder for intruders or insiders to break in or steal your data, you should at least “lock the doors.”
Your employees have to be made aware of basic security rules so that they don’t cause data leaks. At a minimum, forbid them from sharing their passwords or any other authentication credentials, even when that seems convenient. You should also introduce multi-factor authentication, or better yet, use Descope to add strong passwordless authentication as an advanced security measure.
While anti-malware, anti-virus software, and email search tools can help identify malicious emails, social engineering is best dealt with through employee education.
Social engineering, in the context of information security, is the psychological manipulation of people to take certain actions or disclose confidential information.
Employees should be educated on how outside intruders may approach them and how they should respond to suspicious requests. Understanding social engineering is necessary to prevent it. Employees should also be tested to identify any weaknesses among your staff.
Your company teams also have to avoid using suspicious WP themes and always try to minimize the number of plugins they use. It is always better to consult cybersecurity companies like Castra for additional threat protection.
At the moment there is a huge number of WP plugins that solve almost any problem.
But the more plugins installed on your media site, the larger its attack surface. Why? Consider the following reasons:
Say you need a feedback form on your site: instead of installing 2-3 plugins or Contact Form 7, you can build the form “manually.”
Of course, there are plugins you simply can’t do without; the advice is not to abandon them completely but to choose only time-tested solutions and, where possible, do without them.
Unfortunately, employee education can be insufficient. Sharing confidential employee data publicly or with third parties outside the company can be disastrous, and it usually happens inadvertently, e.g. someone clicks “Reply All” instead of “Reply”, and the information goes to the wrong email addresses or is publicly disclosed.
To address these risks, managed services providers offer valuable solutions like Data Loss Prevention (DLP) tools. These custom software tools help organizations keep track of sensitive data and ensure that its transmission, whether via email or other Internet services, is restricted or blocked entirely. By partnering with managed IT services, companies can proactively safeguard their data against human errors and security breaches.
Unauthorized third-party software, apps, or web services are often difficult for IT to track, hence the term “shadow IT.” The reasons for its prevalence are quite simple: employees use popular apps (such as email tracking) out of habit, because they increase efficiency and reduce workload, or because they are more user-friendly than company-approved alternatives.
This can become quite problematic because companies are unaware most of the time, essentially creating a blind spot in cybersecurity strategies. Another threat is the low-security level of these third-party services, which can lead to data leaks.
Shadow IT usually results from a company’s inability to provide employees with the tools they need to do their jobs. Organizations should have an open dialogue with their employees to understand their technology needs and do what they can to meet them. High-quality DLP tools can also help companies prevent employees from uploading sensitive information to these unauthorized services and, by monitoring these attempts, better understand shadow IT in their organization.
Here’s a list of reliable DLP tools and services you can use to protect your company data:
No shared accounts. Every member of your team needs their own user account for everything (if they need one at all). The point is that nobody can keep using old passwords once they’re no longer on the team.
In other words, you have to make sure that no ex-employees will be able to access their old account and steal your company data.
We have already used the analogy (there must be a lock on your doors). A simple password means there is no lock, or, more precisely, the intruders already have the key. Therefore, we highly recommend using strong passwords and, ideally, storing them in your head only. Don’t forget to change your passwords everywhere periodically, even if your server uses RADIUS security, and especially if your WP site has already been hacked before.
This applies to passwords for your administrative panel, hosting control panel, personal account, database, etc. In other words, your passwords must be complex.
A complex password has at least 8 characters, including numbers, capital letters, regular (lowercase) letters, and, of course, special symbols.
If you run a WordPress blog, or rather a blog with multiple authors, you need to deal with multiple individuals accessing your admin panel. This can make your site more vulnerable to security threats.
You can use plugins like Password Protect WordPress (PPWP) if you want to make sure all the passwords users create are secure. It’s just a precaution but it’s better than having multiple users with weak passwords.
Remember: always use complex passwords, both for the site and for anything else that requires a password, since a simple password such as one consisting of 3-4 digits can be guessed manually in a couple of minutes.
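To make the password rule above checkable, here is an added Python example (not code from the original post) that reports which of the article’s requirements a candidate password fails and gives a rough size, in bits, of the space an attacker would have to search. The list of common passwords is constructed for the example, not a real breach corpus, and the bit estimate assumes characters were chosen uniformly from the classes present, so it is an upper bound: a 4-digit PIN comes out at about 13 bits, which is why it can be exhausted by hand.

```python
import math
import re

# Policy as stated in the article: at least 8 characters, containing numbers,
# capital letters, regular (lowercase) letters and special symbols.
MIN_LENGTH = 8
CHARACTER_CLASSES = {
    # class name -> (pattern that detects it, number of printable ASCII characters in the class)
    "digit": (re.compile(r"[0-9]"), 10),
    "upper": (re.compile(r"[A-Z]"), 26),
    "lower": (re.compile(r"[a-z]"), 26),
    "special": (re.compile(r"[^0-9A-Za-z]"), 33),
}
# Constructed sample of frequently guessed passwords (not a real breach corpus).
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "admin", "wordpress"}


def policy_violations(password: str) -> list[str]:
    """Return the rules the password breaks; an empty list means it is compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, (pattern, _size) in CHARACTER_CLASSES.items():
        if not pattern.search(password):
            problems.append(f"no {name} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    return problems


def is_compliant(password: str) -> bool:
    return not policy_violations(password)


def search_space_bits(password: str) -> float:
    """Size of the search space in bits, assuming the password was drawn uniformly
    from the character classes it actually uses. Dictionary words and keyboard
    patterns are far weaker than this estimate suggests."""
    alphabet = sum(size for pattern, size in CHARACTER_CLASSES.values() if pattern.search(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for candidate in ["1234", "Password", "Correct-Horse9"]:
        verdict = ", ".join(policy_violations(candidate)) or "OK"
        print(f"{candidate!r}: {verdict} ({search_space_bits(candidate):.1f} bits)")
```

The checker is meant to run at account creation or password change time, e.g. wired into a registration form or an onboarding script, so that weak passwords are rejected before they ever reach the site.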
Many data protection policies focus on transferring data outside the corporate network over the Internet or via portable devices, such as USB drives. However, companies should be aware that simply having data on a portable device increases the risk of data breaches, especially if the device is lost or stolen. This is where a DPIA or Data Protection Impact Assessment can come into play. What is a DPIA? It is a process that helps organizations identify and minimize privacy risks associated with new projects or initiatives involving personal data. Conducting a DPIA can help companies identify potential vulnerabilities, such as data stored on portable devices, and put in place measures to mitigate these risks. This can help prevent serious data breaches, such as those that have occurred due to lost or stolen USB drives, and ensure that companies are in compliance with data protection regulations.
The easiest way to prevent such breaches is to lock USB and other peripheral ports. However, the usefulness of USB in the workplace cannot be denied, and companies that still want to use USB drives can take measures to ensure security. Encryption is one of the best: all files transferred to USB drives are encrypted, ideally combined with a trusted-device policy that allows only devices identified as “trusted” to connect to the company’s computers.
In today’s increasingly mobile work environment, employees often take their laptops and portable devices out of the office. Whether working remotely, visiting clients, or attending industry events, work devices often escape the security of corporate networks and become more vulnerable to both physical theft and unauthorized interference.
Encryption is always a good solution against data theft. Whether it’s laptops, smartphones, or USB drives, encryption prevents anyone who steals them from accessing the data. You can encrypt your connection using a virtual private network (VPN) or Secure Sockets Layer (SSL)/Transport Layer Security (TLS), alongside database encryption. Enabling remote wipe also lets organizations erase all data on stolen devices from a distance.
Having a VPN for Mac or Windows installed on your work devices makes it easier to prevent data breaches. A reputable VPN encrypts data sent over the network so that it cannot be intercepted by third parties. Encourage your employees to connect to the VPN whenever they connect to a work network.
Ensure that each of your employees has their own proper role and permissions. Thus, keep in mind that an Administrator will have full control over all features on your site and databases, an Editor will be able to post and manage not only their own posts but also those of other writers, and an Author will only have the ability to manage their own publications.
So assign WP roles wisely, and remember: once your employees leave, don’t forget to delete all their accounts to block access.
If users have administrator access to your WordPress control panel, they can edit any file that is part of your WordPress installation, including all plugins and themes.
If you disable file editing, no one will be able to change any of those files through the built-in editor, even if a hacker gains administrator access to your WordPress control panel. To do this, add the following to your wp-config.php file (at the very end):
define('DISALLOW_FILE_EDIT', true);
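As an added example (not code from the original post), here is a small Python check for this setting in a wp-config.php file. The three config fragments are constructed samples. WordPress’s own documentation asks that constants be placed above the “That’s all, stop editing!” comment, so that they are defined before wp-settings.php is loaded; the script flags a definition that appears after that line, one written with typographic quotes (which PHP does not accept as string delimiters), and a missing or non-true value. Keep in mind that DISALLOW_FILE_EDIT only removes the dashboard’s theme and plugin editor; the related constant DISALLOW_FILE_MODS additionally blocks installing and updating plugins and themes from the dashboard.

```python
import re

# Constructed wp-config.php fragments (not a real site's file).
# 1) Hardened: the constant is defined above the "stop editing" line.
HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""
# 2) Misplaced: appended after wp-settings.php has already been loaded.
MISPLACED_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
define('DISALLOW_FILE_EDIT', true);
"""
# 3) Broken: typographic quotes, which PHP rejects as string delimiters.
CURLY_QUOTES_CONFIG = """<?php
define(‘DISALLOW_FILE_EDIT’, true);
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

# Matches define('NAME', value); written with straight single or double quotes only.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>[A-Z0-9_]+)\1\s*,\s*(?P<value>[^)]+?)\s*\)\s*;"""
)


def _line_of(source: str, offset: int) -> int:
    return source.count("\n", 0, offset) + 1


def find_define(source: str, name: str):
    """Return (value, line_number) of a well-formed define() for `name`, or None."""
    for match in DEFINE_RE.finditer(source):
        if match.group("name") == name:
            return match.group("value"), _line_of(source, match.start())
    return None


def audit_file_edit(source: str) -> list[str]:
    """Check that DISALLOW_FILE_EDIT is defined, true, and placed before wp-settings.php."""
    findings = []
    hit = find_define(source, "DISALLOW_FILE_EDIT")
    if hit is None:
        if "DISALLOW_FILE_EDIT" in source:
            findings.append("DISALLOW_FILE_EDIT is present but not a valid PHP define (check for curly quotes)")
        else:
            findings.append("DISALLOW_FILE_EDIT is not defined")
        return findings
    value, define_line = hit
    if value.lower() != "true":
        findings.append(f"DISALLOW_FILE_EDIT is {value}, expected true")
    settings_line = next(
        (n for n, line in enumerate(source.splitlines(), 1) if "wp-settings.php" in line), None
    )
    if settings_line is not None and define_line > settings_line:
        findings.append("DISALLOW_FILE_EDIT is defined after wp-settings.php is loaded; move it above the 'stop editing' line")
    return findings


if __name__ == "__main__":
    for label, cfg in [("hardened", HARDENED_CONFIG), ("misplaced", MISPLACED_CONFIG), ("curly", CURLY_QUOTES_CONFIG)]:
        print(label, audit_file_edit(cfg) or "OK")
```

Run it against the real file with `audit_file_edit(open("wp-config.php").read())`; an empty list means the constant is in place and will be seen by every code path that checks it.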
This point covers everything connected with your site’s scripts: the WordPress core itself, your templates, and your plugins (again). None of them should contain malicious scripts or “holes” in the first place, i.e. all doors must be closed. If there is a vulnerability in the scripts, a hacker can use it to break into your media site, i.e. “enter through the door.”
To close the “doors,” or at least do so in time, you need to update your WordPress site as soon as an update is available. This also applies to templates and plugins.
Again, malicious scripts should not be there in the first place, so download WordPress only from the official site, and do not use free templates: they may contain vulnerabilities, hidden links, and the like.
Remove unnecessary plugins. If you don’t have a plugin in use, deactivate it first and then delete it (plugin files that are just deactivated still remain on the server).
In other words, keep your scripts tidy: have only what you really need, in current versions. Messy scripts make your site more accessible to a hacker or insider.
Also, make sure you use quality WP themes, that is, ones that are still updated by their creators.
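The update-and-prune routine described above can be turned into a repeatable audit. The following is an added Python example (not from the original post or the WordPress project) that reads an inventory in the shape WP-CLI prints for `wp plugin list --format=json` and `wp theme list --format=json` (the column names used here are assumed from WP-CLI’s defaults) and proposes WP-CLI commands: delete anything that is merely deactivated, since its files are still on disk, and update anything active that has a newer version. The inventory data is constructed for the example.

```python
import json

# Constructed inventory in the shape of WP-CLI's JSON output
# (assumed columns: name, status, update, version, update_version).
PLUGINS_JSON = """[
  {"name": "akismet",        "status": "active",   "update": "available", "version": "5.0",   "update_version": "5.3"},
  {"name": "contact-form-7", "status": "inactive", "update": "none",      "version": "5.8",   "update_version": ""},
  {"name": "hello",          "status": "inactive", "update": "none",      "version": "1.7.2", "update_version": ""},
  {"name": "wordpress-seo",  "status": "active",   "update": "none",      "version": "21.0",  "update_version": ""}
]"""
# Theme status can also be "parent" (the parent of the active child theme), which must stay.
THEMES_JSON = """[
  {"name": "media-child",       "status": "active",   "update": "available", "version": "1.0", "update_version": "1.1"},
  {"name": "custom-parent",     "status": "parent",   "update": "none",      "version": "2.0", "update_version": ""},
  {"name": "twentytwentythree", "status": "inactive", "update": "none",      "version": "1.3", "update_version": ""}
]"""


def audit_inventory(plugins_json: str, themes_json: str) -> list[tuple[str, str]]:
    """Return (wp-cli command, reason) pairs for a human to review before running.

    Deactivated items are proposed for deletion because deactivation leaves the
    files on the server; active items with an update available are proposed for
    updating. Parent themes are never touched."""
    actions = []
    for kind, raw in (("plugin", plugins_json), ("theme", themes_json)):
        for item in json.loads(raw):
            if item["status"] == "inactive":
                actions.append((f"wp {kind} delete {item['name']}",
                                f"{kind} is deactivated but its files remain on disk"))
            elif item.get("update") == "available":
                actions.append((f"wp {kind} update {item['name']}",
                                f"{item['version']} -> {item['update_version']}"))
    return actions


if __name__ == "__main__":
    for command, reason in audit_inventory(PLUGINS_JSON, THEMES_JSON):
        print(f"{command:<40} # {reason}")
```

Feed it live data with `wp plugin list --format=json > plugins.json` and `wp theme list --format=json > themes.json`, then review the proposed commands before running any of them; the script deliberately does not execute anything itself.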
A feature that blocks repeated failed login attempts solves the big problem of continuous password guessing. Whenever there is an attack with repeated incorrect passwords, further attempts from that source are blocked and you are notified of the unauthorized activity.
The iThemes Security plugin is one of the best plugins for this. We’ve used it ourselves for quite some time. The plugin has a lot to offer in this regard. Along with more than 30 other great security measures, you can specify a certain number of failed login attempts before the plugin blocks the attacker’s IP address.
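To show what such a lockout rule actually detects, here is an added Python example (not from the original post or the iThemes plugin) that runs the same logic over web-server access logs: it counts failed POSTs to wp-login.php per source address inside a sliding time window and reports sources that cross a threshold. The log lines are constructed for the example and use documentation IP ranges. It relies on the observation that WordPress re-renders the login form with HTTP 200 on a failed login and redirects (302) on success; a successful login resets the counter for that source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-format access log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
THRESHOLD = 5                  # failed logins allowed per source inside the window
WINDOW = timedelta(minutes=10)

# Constructed sample log (not real traffic), in chronological order.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Mar/2024:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2024:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "python-requests/2.31"
198.51.100.20 - - [10/Mar/2024:10:15:07 +0000] "GET /wp-login.php HTTP/1.1" 200 2180 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:15:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:15:13 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:15:17 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:15:21 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "python-requests/2.31"
198.51.100.20 - - [10/Mar/2024:10:16:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:16:30 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:17:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2024:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "curl/8.0"
"""


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    match = LOG_RE.match(line)
    if not match:
        return None
    ts = datetime.strptime(match.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return match.group("ip"), ts, match.group("method"), match.group("path"), int(match.group("status"))


def find_login_bruteforce(log_text: str, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> dict:
    """Map each offending IP to {"failures", "first", "last"} when it produced at
    least `threshold` failed logins within any span of length `window`."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[1])          # tolerate slightly out-of-order logs
    recent = defaultdict(deque)              # ip -> timestamps of failures still inside the window
    flagged = {}
    for ip, ts, method, path, status in events:
        if method != "POST" or path.split("?", 1)[0] != "/wp-login.php":
            continue
        if status == 302:                    # successful login: the source is not guessing
            recent.pop(ip, None)
            continue
        if status != 200:                    # 200 = form re-rendered after a failed login
            continue
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:         # slide the window forward
            hits.popleft()
        if len(hits) >= threshold:
            entry = flagged.setdefault(ip, {"failures": 0, "first": hits[0], "last": ts})
            entry["failures"] = max(entry["failures"], len(hits))
            entry["last"] = ts
    return flagged


if __name__ == "__main__":
    for ip, info in find_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed logins between {info['first']} and {info['last']}")
```

In the sample only 203.0.113.7 is reported: 198.51.100.20 fails twice and then logs in, and 203.0.113.9 spreads five failures over four hours, so it never reaches five inside a ten-minute window. Tune the threshold and window to match what the lockout plugin enforces, and use the report to confirm the plugin is actually catching what the logs show.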
Sucuri is one of the well-known leaders in the cybersecurity industry. It currently has over 400,000 active users, is free, and updated regularly.
Sucuri Security is not a one-size-fits-all security plugin. It focuses on basics like scanning and monitoring for malicious activity but does its job really well. The plugin comes with file integrity monitoring to see if any of the core files are affected or if there are any vulnerabilities. It’s one of the best solutions for small WP sites and blogs.
Sucuri also includes malware scanning and blacklist monitoring. The best feature of the plugin, though, is the post-hack security actions, which basically give you tips on what to do if your site is hacked or affected by malware.
Sucuri Pros
Sucuri Cons
Ekran System is building an insider threat management platform that is known for its intelligent incident alerting system and advanced monitoring tools for IT administrators.
A key advantage of Ekran is its versatility. The vendor’s solutions combine three main security tools: activity monitoring, access control, and user identification. The functionality is provided in a single all-in-one software platform that provides “lightweight” agents for all types of endpoints.
Monitoring and recording of user sessions in Ekran System is performed with an advanced screen recording module. This information is supplemented with data on app names, visited URLs, opened files, entered commands, keystrokes, connected devices, and other employee activity.
Ekran System is a unique platform that will help companies be confident in their data security.
Cybercrime is rapidly gaining momentum, and with the ongoing pandemic there are even more criminals on the Web these days than in the real world. Credit card and bank fraud are on the rise and hackers are multiplying, so we need to protect our sites from credit card fraud with every option available.
Although WordPress has some vulnerabilities when installed by default, you can solve almost any problem you have, including the security threats mentioned in this article. By setting a unique username and a strong password, installing a security plugin, using a high-quality DLP tool, and educating your employees, you can greatly reduce the risk of data leaks and your site being compromised or infected with malware.
Now we’d like to stress that, apart from all of the above, you must never forget about site backups if you want to prevent the loss of important content on your WP media site. If your site is hacked, you can then quickly restore normal operation and analyze the causes of the hack to eliminate them and prevent similar situations in the future. By the way, some hosting companies do backups automatically.
If you have a site backup, you can restore your WordPress website to working condition at any time. There are several plugins that can help you in this regard.
If you’re looking for a premium solution, we recommend VaultPress from Automattic (now powered by Jetpack). We’ve set it up so that it backs up every week. And if something bad happens, we can easily restore the site in a single click.
We know that some large websites run backups every hour but that’s a complete overkill for most organizations. Not to mention, you’ll need to make sure that most of these backups are removed after a new one is created, since each backup file takes up disk space on your drive. Still, we would recommend weekly or monthly backups for most organizations.
In addition to backups, VaultPress also checks websites for malware and alerts you if anything suspicious occurs.