WordPress is an open-source content management system (CMS) that is used to power millions of websites, web applications and blogs. It currently powers more than 31% of the top 10 million websites on the internet. Its usability, extensibility and mature development community make it a popular choice for charities and civil society organisations. In fact, 44% of NGOs worldwide use WordPress according to the 2018 Global NGO Technology Report.
Since its inception in 2003, WordPress has undergone continual hardening so its core software can address and mitigate common security threats. However, websites powered by WordPress are far from immune to attack. This does not imply that WordPress is inherently insecure; often, the compromises have little, if anything, to do with WordPress itself. Common routes for hacking a WordPress website include through:
- Vulnerabilities on hosting platforms
- Security issues in WordPress themes
- Security issues in WordPress plugins
- Weak or reused passwords
- Phishing of users, particularly administrators
- Out-of-date WordPress installations
Most websites are hacked simply because they can be. Hackers use automated scripts to find known vulnerabilities and hack numerous sites at once. Once they are in control of your website, the hacker can use it to infect your visitors’ devices with malware or redirect them to another site or use your system resources to send out spam emails or carry out brute force attacks, for example. However, human rights defenders, independent media and advocacy groups also face the threat of targeted attacks by government, corporate or criminal interests intent on taking down or sabotaging your website in order to silence or embarrass you or learn more about your activities and the people you work with. Whatever the motivation of the threat actor, an attack may leave your organisation facing among other things:
- Exposure of personal information of supporters
- Fine from the information regulator
- Website taken offline
- Campaigns and other activities undermined
- Financial cost of recovery
- Reputational damage
- Website spam blacklisted
Our highly-experienced WordPress security consultants can carry out a WordPress vulnerability assessment to identify security issues with your server set up and WordPress installation. We differ from most providers, though, as we not only understand the most common vulnerabilities, but our deep knowledge of NGO digital security means that we can help secure your website against targeted attacks as far as is feasible. Once we have identified and reported to you the vulnerabilities that we have found, we can work with your technical staff and our trusted partners in order to implement the agreed recommendations in line with security best practices. This will leave you with:
- Updated WordPress core, themes and plugins as required
- Hardened WordPress installation
- Secure login, including two-factor authentication
- Backup and recovery solution
- SSL and redirect to HTTPS
- DDoS protection and a web application firewall
- Malware detection
- Server recommendations
- And much more!
Please contact us to arrange your WordPress vulnerability assessment and hardening.