It’s no surprise to anyone who works in security that there’s been an explosion in ransomware incidents over the last two years, costing companies across various industries millions of dollars. According to a recent report from the Institute for Security and Technology, ransomware attacks cost businesses 21 days of downtime, on average.
There are analysts around the globe who are continually being jolted awake in the middle of the night to respond to ransomware attacks. Because WordPress is the market share leader (39.5% of all websites are powered by WordPress; that number jumps to 64.1% for content management systems), my team of SOC analysts aren’t strangers to responding to WordPress security issues. The one lesson we’ve learned time and time again: Preventative security measures are the most effective steps you can take against ransomware attacks.
For businesses currently on the WordPress platform, we’ve put together five easy-to-follow tips:
The selection and installation of WordPress plugins should go through the same third-party risk assessment you apply to any other technology solution you plan to use. It’s important to look beyond the plugin’s capabilities and properly research its developer:
Making sure all plugins on your website are properly vetted and consistently updated minimizes your site’s vulnerabilities.
An effective security plugin will validate website configurations and provide added levels of protection, but having a WordPress hardening guide in place lays the foundation for security best practices. Your hardening guide should serve as a playbook for maintaining and updating your website’s security measures, with information on everything from user administration rules to guides on installing multi-factor authentication plugins or changing WordPress URLs.
It’s important that the person who manages your WordPress also owns the hardening guide, making sure the steps laid out in the guide are implemented, and that the security or IT team performs regular audits.
In addition to a WordPress hardening guide, publishing a Content Security Policy (CSP) adds an extra layer of protection by defining which JavaScript is allowed to run on a webpage and how the rest of the site’s functionality is permitted to behave. It helps prevent cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks and should be as restrictive as possible. CSPs don’t need to be revisited unless your development team adds new features that may be blocked by the existing policy.
A good example of an effective CSP solution is SELinux: Once you make sure the application you’re running clears all security checks, you can enable it and only revisit your CSP if a webpage’s functionality changes.
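As an added example (not from the original article), here is a small check that flags the settings which make a CSP far less restrictive than it looks, run against a constructed weak policy and a constructed strict one; the nonce value is a placeholder, and the `wp-content` paths are only illustrative.

```python
"""Flag CSP settings that weaken script protection. Added example; the two
policies below are constructed samples, not any real site's header."""

# Source values that undo the point of a restrictive script policy.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}

# Constructed sample policies (the nonce is a placeholder).
WEAK_POLICY = "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline'"
STRICT_POLICY = ("default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; "
                 "object-src 'none'; base-uri 'self'; frame-ancestors 'self'")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [sources]}. A repeated directive is
    ignored, which matches how browsers treat duplicates within one policy."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def csp_findings(header: str) -> list:
    """Return human-readable findings; an empty list means nothing weak was seen."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("default-src missing: unlisted fetch directives allow any source")
    for directive in ("script-src", "object-src", "base-uri"):
        sources = policy.get(directive)
        if sources is None:
            # script-src and object-src fall back to default-src; base-uri does not.
            if directive != "base-uri" and "default-src" in policy:
                sources = policy["default-src"]
            else:
                findings.append(f"{directive} missing")
                continue
        for src in sources:
            if src.lower() in WEAK_SOURCES:
                findings.append(f"{directive} allows {src}")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(label, csp_findings(policy) or "no findings")
```

WordPress core and many plugins emit inline scripts, so a policy that survives in practice usually relies on per-request nonces or hashes rather than `'unsafe-inline'`; re-run the check whenever a plugin or theme change adds new script sources.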
Typically, development and staging instances are kept behind a portal or attached to an obfuscated URL, but mistakes happen. Adding password protection to your staging and development environments ensures they remain locked down and safe from bad actors looking to cause harm, or even from innocent admin users who may unknowingly trigger a vulnerability within your WordPress platform.
An IR tabletop exercise simulating a ransomware attack where your WordPress site is the entry point allows your security team to walk through the necessary actions should an incident happen, and ensures you have answers to crucial questions. For example, who’s the contact if you need to engage a third-party site administrator? How quickly can they respond? An IR tabletop exercise answers these questions and allows your security team to train “muscles” they hopefully won’t need to use often.
These five tips are all centered on preventative measures to safeguard your WordPress website. Unfortunately, even the most secure websites that follow all the rules can fall victim to attackers. Should this happen to you, remember that an incident isn’t resolved until these two questions are answered:
1. How did the ransomware impact your business?
2. How did it enter your website?
Until you have answers to these two questions and can tell a clear and concise story about what happened, your ransomware attack will remain an open case.