Insider Threat and Data Loss Prevention. Guide for Big Media Websites on WordPress

April 12, 2021
Yuliia Pavelko

WordPress is one of the most popular content management systems, and for a good reason. It’s easy to use, can be used with thousands of available themes and plugins, and you can create any type of website with it. No wonder WordPress supports 40.5% of all websites on the Web.

But this popularity comes with a price. WordPress is often attacked by hackers and insiders. Thus, if an employee, who recently filed for retirement, starts copying large amounts of data from the company’s network to his USB drive, there may be, in fact, no planned malice. Maybe that person just needs to save some useful information files needed for the next job. Unfortunately, situations when a resigning employee shares confidential product information, important legal data, personal employee data, or trade secrets competitors are also quite popular.

Some companies may struggle to even detect such insider risks, let alone differentiating between routine employee behavior and anomalies that threaten competitive advantage or the company’s reputation.

Today we’ll take a look at how you can significantly reduce the likelihood of data leaks from your WP media site and prevent insider threats. Note that some plugins like AI chatbots store the data outside of your WP site and are not at risk.

Discover how to publish in seconds, not hours

Sign up now to get exclusive access to Wordable, along with and find out how to upload, format, and optimize content in seconds, not hours.

About Insider Threats

You’ve probably heard about that story with the WPML WordPress plugin when in 2019 a former employee used an old SSH password to gain access to a genuine WPML address and sent a concerning email about “security holes” to all users of the plugin. However, there were in fact no “holes” or any vulnerability at all. That was nothing but a typical insider threat from an unhappy employee.

Insider threats happen more often than you might think. According to a recent poll, 55% of respondents stated that their organization had suffered an insider attack in 2020. Insiders are involved in slightly less than a third of all cybercrimes. The PwC survey found that service providers, regular employees, and contractors are all responsible for a huge number of security breaches. A third of executives reported that web attacks committed by trusted (trained) insiders resulted in huge losses (both financial and reputational) for their company.

Insider threats are tough to protect from. It takes a certain level of trust for employees to do their job. If they decide to misuse that trust, there isn’t much that the owner can do until the damage is actually done. But there are a few ways that security-conscious business owners can take to reduce the risk of insider threats to their WordPress media sites.

What is Site Protection

Site protection is a complex process, therefore, you have to apply as many methods of protection as possible. We’d say, you even need to be a little paranoid in this regard. In other words, if you apply 1 or 2 methods, it will, of course, improve the situation but only slightly. More than that – even if you apply absolutely all methods, it will not fully protect your site from hacking, although it will significantly reduce the likelihood of a hack attack. Which is what you need.

Here is a nice hack example that reflects the whole essence of protection. Hacking is when something gets hacked (duh) or broken, i.e., there is something to break. Otherwise, i.e. when there’s nothing to break, it’s no longer a hack.

If, say, you left your apartment door open or left the keys in it and got robbed, then your apartment wasn’t really cracked – they just entered it, took what they needed, and left. The same goes for a website – if you haven’t taken any measures to secure your site, then, if something goes wrong with it, it won’t be a hack. Therefore, to make it harder for intruders or insiders to break in or steal your data, you should at least “lock the doors.”

Employee Education and Social Engineering

Your employees have to be acknowledged regarding their privacy, i.e. they have to know basic security rules to prevent any data leaks. Thus, you have to at least forbid them to share their passwords or any authentication credentials, even if it seems convenient to them.

While anti-malware and anti-virus software can help identify such malicious emails, social engineering is best dealt with through employee education.

Social engineering, in the context of information security, is the psychological manipulation of people to take certain actions or disclose confidential information.

Employees should be educated on how they may be approached by outside intruders and how they should respond to various suspicious requests. Understanding social engineering is necessary to prevent it. Employees should also be tested to identify any potential weaknesses among your staff.

Your company teams also have to avoid using suspicious WP themes and always try to minimize the number of plugins they use.

Minimize Your WP Plugins

At the moment there’s a huge number of different WP plugins that solve almost any problem.

But the more plugins installed on your media site, the greater its vulnerability. Why? Check out the following reasons:

  • WP plugins can be written by an unqualified developer and contain critical bugs that affect site security;
  • WP plugins can be “abandoned” by the programmer, i.e. left obsolete for a long time, making them less secure. Plugins, as well as the engine, must be regularly updated to reduce the risk of vulnerabilities;
  • WP plugins can conflict with each other, causing errors.

Say, you need a feedback form on your site – instead of putting 2-3 plugins or some ContactForm 7, you can create the form “manually.”

Of course, there are plugins that you simply can’t do without – the advice is not to completely abandon them but to choose only time-tested solutions, and if possible, do without them.

Prevent External Data Sharing

Unfortunately, employee education can be insufficient. Sharing confidential employee data publicly or with third parties outside the company can be disastrous. This usually happens inadvertently, e.g. they can use the “Reply All” button instead of the regular “Reply”. Then the information is sent to the wrong email addresses or something is inadvertently publicly disclosed.

You can’t prevent such incidents by education because they are just human errors to which we are all subject. Custom software, e.g. Data Loss Prevention (DLP) tools, can help organizations keep track of sensitive data and ensure that its transmission, whether via email or other Internet services, is restricted or blocked entirely.

Prevent Shadow IT Threat

Unauthorized third-party software, apps, or web services are often difficult for IT to track, hence the “shadow IT” term. The reasons for shadow IT’s prevalence are quite simple: employees use popular apps (such as email tracking) due to habit because they increase their efficiency and reduce workload or are more user-friendly than company-approved alternatives.

This can become quite problematic because companies are unaware most of the time, essentially creating a blind spot in cybersecurity strategies. Another threat is the low-security level of these third-party services, which can lead to data leaks.

Shadow IT usually results from a company’s inability to provide employees with the tools they need to do their jobs. Organizations should have an open dialogue with their employees to understand their technology needs and do what they can to meet them. High-quality DLP tools can also help companies prevent employees from uploading sensitive information to these unauthorized services and, by monitoring these attempts, better understand shadow IT in their organization.

Here’s a list of reliable DLP tools and services you can use to protect your company data:

SecureTrust

McAfee

Endpoint Protector

Symantec

Solarwinds

Check Point

Trend Micro

Avanan

Zscaler

Use Separate Accounts for Employees

No shared accounts. Every staff member of your team needs their own user account for everything. If, of course, they need them at all. The point is that nobody can use their old passwords once they’re no longer in the team.

In other words, you have to make sure that no ex-employees will be able to access their old account and steal your company data.

Use Complex Passwords

We have already given the analogy (there must be a lock on your doors). If your password is simple, there is no lock in this case, or, more precisely, intruders have the key. Therefore, we highly recommend using strong passwords and, ideally, store them in your head only. Don’t forget to periodically change your passwords everywhere, especially if your WP site has already been hacked before.

This refers to complex passwords for access to your administrative panel, hosting control, personal account, database, etc. In other words, your passwords must be necessarily complex.

A complex password has at least 8 characters, which have to be numbers, capitals, regular letters, and, of course, special symbols.

If you run a WordPress blog, or rather a blog with multiple authors, you need to deal with multiple individuals accessing your admin panel. This can make your site more vulnerable to security threats.

You can use plugins like Password Protect WordPress (PPWP) if you want to make sure all the passwords users create are secure. It’s just a precaution but it’s better than having multiple users with weak passwords.

Remember, always use complex passwords, both for the site and for anything else where a password is required, since a simple password, such as one consisting of 3-4 digits, can even be manually picked in a couple of minutes.

Use Encryption and Remote Wipe Tools

Many data protection policies focus on transferring data outside the corporate network over the Internet, without considering another commonly used method: portable devices. USB drives in particular have long been toxic to data protection strategies. They’re easy to lose or steal but so easy to use. However, you should know that USB drives led to serious data breaches in many companies.

The easiest way to prevent such breaches is to lock USB and peripheral ports at the same time. However, the usefulness of USB in the workplace cannot be denied. For companies, who still want to use USB drives, there are measures they can take to ensure security. Encryption is one of the best among them. All files transferred to USB drives will be encrypted, i.e. combined with a trusted device policy that allows only devices identified as “trusted” to connect to the company’s computers.

In today’s increasingly mobile work environment, employees often take their laptops and portable devices out of the office. Whether working remotely, visiting clients, or attending industry events, work devices often escape the security of corporate networks and become more vulnerable to both physical theft and unauthorized interference.

Encryption is always a good solution to protect against data theft. Whether it’s laptops, smartphones, or USB drives, encryption eliminates the possibility that anyone who steals them will be able to access the data. Enabling remote wipe options can also help organizations erase all data on stolen devices from a distance.

Assign WP Roles and Permits

Ensure that each of your employees has their own proper role and permissions. Thus, keep in mind that an Administrator will have full control over all features on your site and databases, an Editor will be able to post and manage not only their own posts but also those of other writers, and an Author will only have the ability to manage their own publications.

So assign WP roles wisely, and remember: once your employees leave, don’t forget to delete all their accounts to block access.

Restrict File Editing

If users have administrator access to your WordPress control panel, they can edit any files that are part of your WordPress installation. This also includes all plugins and themes.

If you disable file editing, no one will be able change any of the files – even if a hacker gains administrator access to your WordPress control panel. To do this, add the following to your wp-config.php file (at the very end):

define(‘DISALLOW_FILE_EDIT’, true);

Keep Your WordPress Updated

In this point we have included everything that is connected with the scripts of your site, these are the scripts of WordPress itself, and your templates, and plugins (again), all of them initially should not contain malicious scripts and “holes”, i.e. all doors must be closed. If there is a vulnerability in the scripts, a hacker can use it to break into your media site, i.e. “enter through the door.”

In order to close the “doors,” or at least do that in time, you need to constantly update your WordPress site once the update is available. This also applies to templates and plugins.

Again, malicious scripts should not be there initially, so download WordPress only from the official site, do not use free templates, they may contain vulnerabilities, some shadow links, and stuff like that.

Remove unnecessary plugins. If you don’t have a plugin in use, deactivate it first and then delete it (plugin files that are just deactivated still remain on the server).

In other words, you should have complete order in your scripts, i.e. only have what you really need in current versions. Messy scripts will make your site more accessible to a hacker or insider.

Also, make sure that you are using quality WP themes, that is, updated by their creators.

Site Blocking and User Ban

A site blocking feature for failed login attempts can solve a huge problem of continuous password attempts. Whenever there’s a hacking attempt with repeated incorrect passwords, the site gets blocked, and you are notified of this unauthorized activity.

The iThemes Security plugin is one of the best plugins for this. We’ve used it ourselves for quite some time. The plugin has a lot to offer in this regard. Along with more than 30 other great security measures, you can specify a certain number of failed login attempts before the plugin blocks the attacker’s IP address.

Sucuri Security

Sucuri is one of the well-known leaders in the cybersecurity industry. It currently has over 400,000 active users, is free, and updated regularly.

Sucuri Security is not a one-size-fits-all security plugin. It focuses on basics like scanning and monitoring for malicious activity but does its job really well. The plugin comes with file integrity monitoring to see if any of the core files are affected or if there are any vulnerabilities. It’s one of the best solutions for small WP sites and blogs.

Sucuri also includes malware scanning and blacklist monitoring. The best feature of the plugin, though, is the post-hack security actions, which basically give you tips on what to do if your site is hacked or affected by malware.

Sucuri Pros

  • Designed by a reliable company and updated regularly;
  • Effective malware scanning tool that detects unusual site activity;
  • Security alerts and audit will notify you of any unusual behavior on the site;
  • Ability to monitor file integrity.

Sucuri Cons

  • Site firewall is only included in the premium plan;
  • Interface seems a little outdated;
  • Not suitable for beginners.

Ekran System

Ekran System is building an insider threat management platform that is known for its intelligent incident alerting system and advanced monitoring tools for IT administrators.

A key advantage of Ekran is its versatility. The vendor’s solutions combine three main security tools: activity monitoring, access control, and user identification. The functionality is provided in a single all-in-one software platform that provides “lightweight” agents for all types of endpoints.

Monitoring and recording of user sessions in Ekran System is performed with an advanced screen recording module. This information is also supplemented with data on app names, visited URLs, opened files, entered commands, keyboard taps, connected devices, and other employee activity.

Ekran System is a unique platform that will help companies be confident in their data security.

Conclusion

Cybercrime is rapidly gaining momentum and due to the ongoing pandemic, there are even more criminals on the Web these days than in the real world. Credit card and bank fraud crimes are on the rise, hackers are spreading, and we need to protect our sites with all the options we can use.

Although WordPress has some vulnerabilities when installed by default, you can solve almost any problem you have, including the security threats mentioned in this article. By setting a unique username and a strong password, installing a security plugin, using a high-quality DLP tool, and educating your employees, you can greatly reduce the risk of data leaks and your site being compromised or infected with malware.

Now, we’d like to say that to prevent the loss of important content on your WP media site, apart from all of the above, you must never forget about site backups. Thus, if your site is hacked, you can always quickly restore its normal operation and analyze the reasons for hacking to eliminate them and prevent similar situations in the future. By the way, some hosting companies do backups automatically.

If you have a site backup, you can restore your WordPress website to working condition at any time. There are several plugins that can help you in this regard.

If you’re looking for a premium solution, we recommend VaultPress from Automattic (now powered by Jetpack). We’ve set it up so that it backs up every week. And if something bad happens, we can easily restore the site in a single click.

We know that some large websites run backups every hour but that’s a complete overkill for most organizations. Not to mention, you’ll need to make sure that most of these backups are removed after a new one is created, since each backup file takes up disk space on your drive. Still, we would recommend weekly or monthly backups for most organizations.

In addition to backups, VaultPress also checks websites for malware and alerts you if anything suspicious occurs.

Yuliia Pavelko
Yuliia Pavelko is the Senior Content Manager at the company Marketbusiness.com and has more than 20 successful projects. She collaborates with famous bloggers, authors of sites like Entrepreneur and others. Yuliia is free-spirited, and thanks to her creativity, she's only prospered.

About the Author

Yuliia Pavelko
Yuliia Pavelko is the Senior Content Manager at the company Marketbusiness.com and has more than 20 successful projects. She collaborates with famous bloggers, authors of sites like Entrepreneur and others. Yuliia is free-spirited, and thanks to her creativity, she's only prospered.