Cyberattacks are increasing everywhere and targeting small to mid-sized businesses. Recent threat reports show global cyberattacks increased by 38% in 2022. Attacks rose by 57% in the United States, 77% in the United Kingdom, and 26% in Singapore. Statista estimated the global online crime cost was around USD 8.4 trillion. That’s an increase of USD 3 trillion every year since 2020.
In 2023, the World Economic Forum (WEF) placed cybersecurity failure in its top five risks for the first time. The WEF’s annual Global Risks Report for 2022 notes an enormous 300% spike in state-sponsored cyber-attacks since 2020. The WEF even suggests that risk analysts have underestimated internet crime for its severity as a long-term threat.

It’s called spear phishing — and you’re the fish.
The FBI’s Internet Computer Crime Center (IC3) reported nearly USD 7 billion in US business losses from cybercrime in 2021. That’s a 64% increase from 2020. Most victims were small businesses. Half of all Canadian small businesses and more than half of American SMBs experienced cyberattacks in the last year, according to Verizon and the Canadian Federation of Independent Business (CFIB).
Attackers increasingly target SMBs with more sophisticated “spear phishing” campaigns. Spear phishing is a well-researched, targeted social engineering approach to hacking and online fraud. Forbes reports that small business employees experience 350% more social engineering attacks than employees of larger companies. Malware (22%) and phishing (20%) are the top two most common attack methods, according to UpCity. AI tools like ChatGPT also make it easier for criminals to research their targets and write convincing emails that trick employees into giving up sensitive information or installing malware.
Unfortunately, CNBC reports that despite being aggressively targeted, small businesses are less concerned about cybersecurity risks than larger companies. As a result, they invest significantly less in IT security. That’s unfortunate because the cost of prevention is always much, much lower than the total cost of a severe breach.
How much can a security breach cost your business?
In 2021, our friends at Patchstack found that the cost to clean a hacked WordPress site could be as high as USD 4,800. However, this only counts the direct remediation costs, such as hiring professionals to restore the site, remove malicious code, and harden security measures. The total cost of a compromised website can be much higher. Additional costs include lost business, incalculable damage to brand reputation, potential regulatory fines for data breaches, and the time spent resolving the issue. The larger the company, the higher the cost — typically thousands of dollars per employee and several million dollars per breach.
Regarding ransomware, the cost of losing control of a website goes far beyond the lost daily revenue. In 2016, the New York Times reported how ransomware plagued a toy company, Rokenbok Education, during the previous holiday season. Cybercriminals infected Rokenbok’s database with malware. The attackers “encrypted company files” and demanded “a hefty ransom to unlock the data.” Rather than pay the ransom, Rokenbok rebuilt its whole system.
Previously, Rokenbok had experienced a denial-of-service attack, which also took the company offline for a while. While outages may be temporary, a few days of lost business can have a permanent cost when customers go elsewhere. In the same article, the Times reported how a denial-of-service attack took down the website of a large indoor skatepark on Staten Island. Many customers thought the business had closed permanently — a lasting, harmful misperception.
These are relatively mild examples of what can happen to a business in a cyberattack. In the past ten years, ransomware attacks have steadily increased. Dark web organizations offering ransomware-as-a-service have lowered the costs of this criminal enterprise. The risks for small-to-mid-sized businesses have only gone up.
Protect your WordPress website with a layered defense.
Business owners should take serious steps to avoid significant losses in a cyberattack. As a WordPress site owner, you should prioritize hardening your site’s defenses and securing your user accounts to prevent denial-of-service attacks, data breaches, and hacks. Maintaining software updates, especially for the plugins you use, and a sensible user security policy that follows the principle of least privilege are the foundational layers of a solid, proactive defense.
WordPress websites are most at risk when vulnerable plugins and themes aren’t updated or replaced. Vulnerabilities emerge over time in all software, so maintenance is essential. There is a very high probability a WordPress site with 20-30 plugins will have at least one new vulnerability if no updates have been applied for as little as a month. An equally common source of hacked websites is insecure, poorly managed user accounts with weak, stolen, or recycled passwords.
Update your software and protect your users.
Keeping your plugins updated and your user accounts secure will dramatically reduce your risk. Criminals target vulnerable code and insecure user accounts, and they commonly target both weak points together. For example, many plugin vulnerabilities can only be exploited by an attacker who already controls a user account with a certain level of privileges. Denying attackers easy access to user accounts makes that attack vector irrelevant. You should cover both vectors, of course. If your site is up to date and user-level security is high, it is doubtful you will experience a severe breach or hack.
Let’s look at both attack vectors and how to reduce, if not eliminate, their risks.
Our weekly WordPress Vulnerability Report covers recent WordPress plugin, theme, and core vulnerabilities, and it explains what to do if you have a vulnerable plugin or theme on your website. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities are essential to keep the WordPress community safe.
Check daily for vulnerable plugins and themes.
As you can see in our weekly security reports, security researchers disclose many new WordPress plugin and theme vulnerabilities each week. We see a significant increase in the total number of vulnerabilities each year. 2023 is on track to set even higher records as more security researchers are working harder to secure WordPress software.
This is a good thing in the enormous WordPress space, which accounts for 43% of all websites and 64% of all CMS-driven sites. Open-source software relies on responsible disclosure to fix rather than hide bugs.
We know it can be challenging to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin lets you know if your site is running a theme, plugin, or version of WordPress core with a known vulnerability. It will also apply any available updates automatically if you activate this feature.
1. Activate iThemes Security Pro’s Site Scanner to Detect Vulnerabilities
The iThemes Security Pro plugin’s Site Check Scanner takes aim at the number one reason why WordPress sites get hacked: outdated plugins and themes with known vulnerabilities. If you activate Site Scan Scheduling and Version Management, iThemes Security Pro will search your site twice daily for known vulnerabilities and automatically apply new security updates.
To enable the Site Scan on new installs, navigate to the Site Check tab in the Features menu inside the iThemes Security Pro settings screen. Click the toggle on the Site Scan Scheduling card to enable the Site Scan feature.

To trigger a manual Site Scan at any time, click the Scan Now button on the Site Scan Security Dashboard card.

If iThemes Security Pro detects a vulnerability, click the “View” link for more details.
You will see a notice if an update to patch the vulnerability is available. If a patch is available, click the Update Plugin button to apply it to your website.
2. Activate iThemes Security Pro’s Version Management to Update Vulnerable Code
The Version Management feature in iThemes Security Pro integrates with the Site Check. It will automatically update your software to new versions if a known vulnerability exists and a patch is available. This is a good way to protect your site even if you miss noticing a security update. Even the most robust security measures will fail if you run vulnerable software on your website.
Navigate to the Site Check screen from the Settings page in iThemes Security Pro and open the Site Check tab. From here, use the toggle to enable Version Management for WordPress core, plugins, and themes.

3. Activate iThemes Security Pro’s Email Alerts
When iThemes Security Pro finds a known vulnerability on your site, it will send email alerts to Administrators or other users you specify if you activate notifications.
Once you’ve enabled Site Scan Scheduling and Version Management, head to the Notification Center settings of the plugin at Security > Settings > Notifications > Site Scan Results. On this screen, scroll to the Site Scan Results section.

Click the “Enabled” box to enable notification emails. Now you can select which users will receive notifications. Click the “Save All” button to save your changes.
During scheduled site scans, the recipients you selected will get an email if iThemes Security Pro discovers known vulnerabilities. The email will look something like this in a Gmail inbox:

Important: You should never mute a vulnerability notification until you have confirmed your current version includes a security fix, or you’ve confirmed the vulnerability doesn’t affect your site.
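To make the decision behind steps 1 to 3 concrete, here is an added example (not iThemes Security Pro’s code) that checks installed plugin versions against a constructed advisory feed, in the way a site scan compares versions and decides whether an available update actually contains the fix. It assumes the plugin list is in the JSON shape produced by the real WP-CLI command `wp plugin list --format=json`; the plugin names, versions, and advisories are made up for the example.

```python
import json
import re
# Constructed sample in the shape of `wp plugin list --format=json` output
# (a real WP-CLI command; these plugin names and versions are made up).
WP_PLUGIN_LIST = json.dumps([
    {"name": "example-forms", "status": "active", "update": "available",
     "version": "2.3.1", "update_version": "2.4.0"},
    {"name": "example-gallery", "status": "active", "update": "none",
     "version": "1.8.0", "update_version": ""},
    {"name": "example-seo", "status": "inactive", "update": "available",
     "version": "5.0.2", "update_version": "5.0.3"},
    {"name": "example-cache", "status": "active", "update": "none",
     "version": "1.10.0", "update_version": ""},
])

# Constructed advisories in a simplified feed format: versions below
# `affected_below` are vulnerable; `fixed_in` is None when no patch exists yet.
ADVISORIES = [
    {"plugin": "example-forms", "severity": "High", "affected_below": "2.4.0", "fixed_in": "2.4.0"},
    {"plugin": "example-gallery", "severity": "Critical", "affected_below": "1.9.0", "fixed_in": None},
    {"plugin": "example-seo", "severity": "Medium", "affected_below": "5.0.2", "fixed_in": "5.0.2"},
    {"plugin": "example-cache", "severity": "Low", "affected_below": "1.9.0", "fixed_in": "1.9.0"},
]

def parse_version(version):
    """'1.10.0' -> (1, 10, 0): compare numerically, never as strings,
    since as strings '1.10.0' < '1.9.0' and a patched plugin would be flagged."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def assess(plugin_list_json, advisories):
    """Return one finding per installed plugin that an advisory marks vulnerable."""
    installed = {p["name"]: p for p in json.loads(plugin_list_json)}
    findings = []
    for adv in advisories:
        plugin = installed.get(adv["plugin"])
        if plugin is None:
            continue  # advisory is for a plugin this site does not have
        if parse_version(plugin["version"]) >= parse_version(adv["affected_below"]):
            continue  # already on a patched version: safe to dismiss this alert
        offered = plugin.get("update_version") or ""
        # An available update only helps if the offered version contains the fix.
        fix_available = bool(adv["fixed_in"] and offered
                             and parse_version(offered) >= parse_version(adv["fixed_in"]))
        findings.append({
            "plugin": plugin["name"], "severity": adv["severity"],
            "installed": plugin["version"], "status": plugin["status"],
            "fix_available": fix_available,
            "action": f"update to {offered}" if fix_available
                      else "no patched release yet: deactivate or replace the plugin",
        })
    return findings

if __name__ == "__main__":
    for f in assess(WP_PLUGIN_LIST, ADVISORIES):
        print(f"[{f['severity']}] {f['plugin']} {f['installed']} ({f['status']}): {f['action']}")
```

Note that example-seo is reported as safe only because its installed version is the first fixed one, which is exactly the confirmation the note above asks for before muting an alert.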
Create and enforce a user-level security policy.
You can help your WordPress site users get off on the right foot with security when their accounts are first created. When you are building sites for others, especially if new user accounts will be frequently added, you should plan an appropriate user-level security policy in iThemes Security Pro.
Your security policy should answer questions like these:
- Will you require all users to log in with Two-Factor Authentication (2FA), or will you give them a choice of login methods?
- Will you trust recognized devices and allow them to log in with a regular password but require 2FA for logins from unrecognized devices?
- Will you make Passkeys an option for some users, like Administrators?
While keeping the login process convenient and simple for your users, iThemes Security Pro lets you increase user authentication security to an appropriate level for those with higher privileges. Cybercriminals phishing for weak user accounts or testing stolen passwords will not be able to break through 2FA, for example. And if your users have passkeys or use another passwordless login, there are no passwords to steal from them.
Here’s an example of a security policy you might implement with iThemes Security Pro to require stronger authentication methods for higher-privilege user roles:
- All Users:
  - Require: Strong Passwords
  - Require: Periodic Password Resets
  - Optional: Two-Factor Authentication
  - Optional: Passwordless Login
- Authors, Editors, and Administrators:
  - Require: Two-Factor Authentication
You might activate other features, like Activity Logging, for back-end users as well. You may want to keep an eye on what they’re doing on the site since they have the ability to add and modify content or even change WordPress’s functionality. It’s your call — you can set up any security policies you want.
1. Activate Login Security Features
Turn on the login security features you wish to use in the Settings › Login Security section of iThemes Security Pro, as shown below. Once Two-Factor Authentication, Passwordless Login, and Passkeys are enabled, you can require or optionally allow designated users to use them.

2. Organize Users and Roles into Security Groups
WordPress organizes user accounts into a hierarchy of roles with different privileges, from administrators who control everything to subscribers, contributors, and authors who have limited commenting and posting privileges. iThemes Security Pro lets you sort your users into custom security groups you create. This way, you can establish the login security requirements (among other things) for one or more user groups or even specific individual users.

You can’t create new user roles in WordPress with iThemes Security Pro. What you can do is add any of the existing roles to security groups you create in iThemes Security Pro. This makes user security management easier for you and anyone else who maintains the site.
3. Enforce Login Security Rules for Specific Users and Groups
Now, under Security › User Groups › Your Custom Group, you can select the security requirements for users in this group. Here the “Test Group” has stricter password requirements than the default:

User Groups in iThemes Security Pro are a powerful tool for quickly grouping together any number of users or user roles and requiring them to adopt stronger security practices based on their roles and privileges. You can set up an effective site security management system and dashboard with iThemes Security Pro. This is incredibly useful for high-value eCommerce, Membership, and Community sites with many users who can often create their own accounts.
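As an added example (not iThemes Security Pro’s code) of how the group-based policy above resolves for an individual account, the following evaluator merges the two security groups from the sample policy, applies the strictest level where a user’s roles fall into more than one group, and reports which required controls an account still lacks. The password reset interval and the sample accounts are assumptions constructed for the example.

```python
from datetime import date, timedelta
# The article's example policy: each security group lists the WordPress roles
# it covers and the level ("require" or "optional") for each control.
POLICY = {
    "All Users": {
        "roles": {"subscriber", "contributor", "author", "editor", "administrator"},
        "strong_password": "require",
        "periodic_reset": "require",
        "two_factor": "optional",
        "passwordless": "optional",
    },
    "Authors, Editors, and Administrators": {
        "roles": {"author", "editor", "administrator"},
        "two_factor": "require",
    },
}
RANK = {"require": 2, "optional": 1}
PASSWORD_MAX_AGE_DAYS = 90  # assumed reset interval; the article does not state one

def effective_policy(roles, policy=POLICY):
    """Merge every group covering one of the user's roles; the strictest level wins."""
    merged = {}
    for group in policy.values():
        if not group["roles"].intersection(roles):
            continue
        for control, level in group.items():
            if control != "roles" and RANK[level] > RANK.get(merged.get(control), 0):
                merged[control] = level
    return merged

def audit_account(account, today, policy=POLICY):
    """Return the required controls the account does not satisfy (empty list = compliant)."""
    required = {c for c, lvl in effective_policy(account["roles"], policy).items() if lvl == "require"}
    gaps = []
    if "strong_password" in required and not account["strong_password"]:
        gaps.append("strong_password")
    if "periodic_reset" in required and (today - account["password_set"]).days > PASSWORD_MAX_AGE_DAYS:
        gaps.append("periodic_reset")
    if "two_factor" in required and not account["two_factor"]:
        gaps.append("two_factor")
    return gaps

# Constructed sample accounts (not real users), with the date the password was last set.
TODAY = date(2023, 6, 1)
ACCOUNTS = [
    {"user": "alice", "roles": {"administrator"}, "strong_password": True,
     "two_factor": False, "password_set": TODAY - timedelta(days=30)},
    {"user": "bob", "roles": {"subscriber"}, "strong_password": False,
     "two_factor": False, "password_set": TODAY - timedelta(days=200)},
    {"user": "carol", "roles": {"editor", "subscriber"}, "strong_password": True,
     "two_factor": True, "password_set": TODAY - timedelta(days=10)},
]
if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct["user"], audit_account(acct, TODAY) or "compliant")
```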
Together with timely updates and vigilant checking for vulnerabilities, iThemes Security Pro’s user-level security controls will significantly reduce the risk of a breach by closing the two main attack vectors for WordPress websites: insecure plugins and insecure user accounts.
Security thinking is not a one-and-done activity.
The rising tide of cyberattacks, especially on small to mid-sized businesses, underscores the urgent need for adequate cybersecurity measures. As spear phishing and social engineering attacks become increasingly sophisticated, businesses must fortify their defenses or risk crippling losses. This is especially true for WordPress site owners, where a lack of maintenance and security thinking heightens the risk of attack. Outdated plugins and themes and weak user account security practices ensure attackers have a constant supply of vulnerabilities to exploit.
Cybersecurity is no longer a luxury but a critical requirement for every business, large or small. In the form of layered defenses and hardened security, investing in prevention can save companies from the costs of a security breach and the potential loss of brand reputation and customer trust. Proactive defenses and site hardening tools like iThemes Security Pro will help you protect your site and users by raising the bar for user login security. By identifying potential vulnerabilities and applying timely updates, iThemes Security Pro will help you close the other major security risk factor as a WordPress site owner.
However, cybersecurity is not a one-off task that can be delegated entirely to software automation. It’s an ongoing commitment involving regular site checks and oversight for your users, especially those with higher access privileges. It requires establishing strong user-level security policies and informing your team about the latest threats.
Finally, businesses must remember that cybersecurity is a shared responsibility. We can mitigate the risks and protect our online spaces from cyber criminals with a collective and proactive approach.
Responsible Disclosure: Security the WordPress Way
You might be wondering why a vulnerability would be disclosed if it gives hackers an exploit to attack. Security researchers who find vulnerabilities generally report them privately to the owner of the vulnerable code and the software developers responsible for it.
But it won’t remain a secret for long, and it shouldn’t.
With responsible disclosure, the researcher’s initial report is made privately to the developers and the company responsible for the software on the understanding that the full details will be published once a patch has been made available. There may be a slight delay in disclosing the vulnerability for significant security vulnerabilities to give more people more time to apply the patch.
The security researcher may provide a deadline for the software developer to respond to the report or to provide a patch. If this deadline is not met, the researcher may publicly disclose the vulnerability to pressure the developer to issue a patch.
Publicly disclosing a vulnerability and seemingly introducing a Zero-Day vulnerability — a type of vulnerability that has no patch and is being exploited in the wild — may seem counterproductive. But it is the only leverage a researcher has to pressure the developer to patch the vulnerability.
If a hacker were to discover the vulnerability, they could quietly use the exploit and cause damage to the end-user (this is you) while the software developer leaves the exposure unpatched. Google’s Project Zero has similar guidelines when it comes to disclosing vulnerabilities. They publish the full details of the vulnerability after 90 days, whether or not it has been patched.

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.