Using the WordPress CMS for Your Small Business Website is a Double Edged Sword

WordPress has become one of the most prevalent content management systems (CMS) used to power small business websites. According to recent estimates, nearly 75 million sites around the world rely on the WordPress platform (ref 1). By using WordPress, a small business owner can quickly establish a virtual presence with little to no cost.

However, the very reasons that make WordPress so powerful, such as ease of use, minimal development costs and quick learning curve, have also created the situation where many small business owners are unknowingly exposing themselves to serious liability because of exploitable holes in the security of their websites. Like most other business solutions, WordPress is not a maintenance-free platform and ignoring basic website routines and protocols can cause very significant financial and non-financial consequences.

Most small business owners mistakenly believe that they are too small to ever be targeted by hackers. Or they believe that, because their website isn’t doing ecommerce or storing sensitive customer data, they really don’t have to invest in any online security, do any routine maintenance or have any relationships with outside IT vendors that understand the WordPress platform and the ways to secure it.

Google, one of the most popular search engines in the world, quarantines approximately 10,000 websites a day via its Safe Browsing technology. In 2014 the total number of websites on the internet reached 1 billion, and the security firm Sucuri approximates that 9 million of these are currently hacked or infected, or about 1% of all websites (ref 2). A recent security audit in 2015 scanned 750,000 unique domains and found that a staggering 20% of all these sites had at least one vulnerability, including Web server and PHP issues (ref 3). This study highlights just how vulnerable many small business websites are. With more and more local and small business activities dependent on the internet and dependent on their clients finding them through search engines such as Google, the time for burying your head in the sand is over.

If you are a business owner who is running a WordPress site and you think that hackers would never target you because there is nothing of value on your website, then this next section is for you.

In reality you are EXACTLY who hackers are targeting. Contrary to what you probably think you know about hacking a website and why someone would do that, the reasons no longer really have anything to do with you personally or your business. In fact what your business does is almost inconsequential. The early steps of hacking a website are almost fully automated. Computer programs created by hackers can scan thousands if not millions of websites and all the hackers are looking for are the websites that come back with potential vulnerabilities.

The second key ingredient is how small you are. The smaller you are, the less likely you are to have anyone on staff who is dedicated to IT and the maintenance of the business website. That means if they are good at hacking and not being noticed, your site could be hacked and exploited for weeks or months. In fact, a significant number of the people reading this article right now own a website that has already been exposed and is sitting dormant until the hackers see just the right opportunity to strike. We have seen an initial backdoor installed on a website and then left unused until months later. We recently had a new customer come to us for an SEO project and we immediately found out that their site had been compromised. Their site was in the process of being “rented” out to other hackers in Russia through a very sophisticated encrypted backdoor that had been planted in the shadows of their website. This small town electrician might not have noticed for months had we not gotten involved for a completely unrelated issue and run some routine scans. It is very likely that this electrician's site would have been used to try to inject ransomware onto the computers of the visitors to this website. So in essence the hackers would use this small business website as an attack vector by injecting malware or ransomware onto the computers of anyone unlucky enough to be looking for electrician services. Or worse yet, they would use this site to launch attacks against other targets such as big banks or big name retail stores. As you can guess, the liabilities against this electrician could mount quickly depending on how much damage was inflicted on other people and businesses.

A small town surveying company in northwestern Wisconsin recently had the misfortune of being on the receiving end of ransomware and the end result cost them a week in downtime and thousands of dollars (ref 4). A recent study on ransomware by the Internet Crime Complaint Center reported 2,275 ransomware complaints from June 1, 2014, to March 31, 2015, with losses totaling more than $1.1 million. About 30% of ransomware victims pay to regain their data according to Irving, Texas-based cybersecurity firm Trend Micro (ref 5).

It is really quite simple why small businesses are being targeted over larger businesses: a large company will have IT staff constantly monitoring their web assets and running routine scans. They can likely spot a breach in their online defenses within a few hours or days and quickly take the appropriate defensive counter-measures. You, the small business owner, will likely only be alerted to the hack when a customer calls you and asks you why they see an ISIS banner once they fill out your request for an appointment (ref 6). Or worse, Google finds the hack and removes you from their search index. Or you happen to do a search for your business name and you show up in the Google search results as a company that apparently now sells Viagra. So now you know you have been hacked, but you are an electrician and know nothing about websites or computer code. You certainly aren’t going to be able to get this corrected in a few days once you find out about it. You probably don’t even know how to temporarily shut down your website to limit the damage and your exposure to liability.

And this is exactly why you were targeted.

At SlickRockWeb we are constantly monitoring for the announcements of new WordPress exploits and WordPress vulnerabilities on behalf of our clients, and new alerts come out every few days. We perform routine updates for our customers and run periodic scans when we see suspicious activity. While there is no such thing as a hack-proof website (just ask the US Department of Defense), we are able to prevent a lot of attacks and are generally alerted within hours of a breach and can take immediate steps to prevent any damage to our client or any of their customers. We also educate our customers and their employees and help train them on the proper use of a company website and the basic dos and don’ts of online security.

We believe it will become more and more essential for business owners to leverage the expertise of small business IT consultants like SlickRockWeb. By tapping into the knowledge and services of a consultant with experience on the WordPress platform, owners can reduce the risk of data loss or data exploitation and greatly improve the odds of avoiding a hack or online security breach. Ultimately your “Brand”, which you have worked on for years if not decades, is most at stake and can potentially be wiped out with one catastrophic data breach. Don’t wait until it is too late and the damage to your company and “Brand” has become permanent to engage with a small business IT specialist like SlickRockWeb.

  1. Tim B.
    May 29, 2015 12:56 pm | #1

    Interesting article. I assume a lot of these same issues would apply to the Joomla CMS.