The ease of getting started and the short time to go live that WordPress offers do have some downsides. They lull us into a false sense of security. We’re so excited to get a blog post onto our new website that we often overlook simple precautionary measures that make WordPress much more secure.
For many years, as a security conscious web host, we’ve preached:
- Regularly update WordPress. WP users should still regularly check that they’re up to date, with particular focus on the plugins. Our Softaculous WordPress installer also sends customers an email alert when an update is available.
- Use a hard-to-guess username and password (e.g. not a dictionary word).
And thankfully, we’ve seen our clients and users take these points seriously and practice better security.
But we’ve started to see a new trend in security incidents. We’ll call this the Starbucks Effect.
The Starbucks Effect
The Starbucks Effect is when you take your laptop/iPad/Android tablet (yes, Microsoft Surface too) to Starbucks, McDonalds or any other venue with free public wifi. Nothing beats writing that blog post while enjoying a cup of not-much-tax-paid coffee or a juicy Big Mac. You immediately hop on to the WordPress admin area, you login with your secure username and password and write about your lunch. You probably take a photo of it on Instagram.
However, you have probably just made one fatal mistake. In an effort to login as quickly as possible, you may well have logged in via the regular http:// connection with no encryption, no SSL security, and have submitted your non-standard username and hard-to-guess password as plain text over public wifi. Ouch! There could be some less than honest individual parked in their van just behind Starbucks, sniffing all of the network traffic going through the free public wifi. It isn’t that hard to do, and many applications offer easy ‘network monitoring’. This less than scrupulous individual more than likely knows that obtaining bank/credit card data over this connection is difficult. Online banking forces https:// connections, as do most major ecommerce stores when taking card payments.
WordPress, however, is different.
By default, WordPress does not enforce https:// connections. You can login with zero security and immediately present your username/password to the hacker sniffing the network connection. Any other security measures you’ve taken (hard to guess passwords, regular updates, security plugins) are circumvented as the hacker now has your main username and password.
And WordPress is attractive. It powers over 50% of the websites online. Any would-be hacker knows this, and also knows the above. We believe that hackers sniff network traffic specifically looking for WordPress credentials passed over unsecured wifi connections.
And we believe this because we’re seeing it more and more. Customers of ours get in touch saying their WordPress has been hacked. Their site has been defaced. It may have been deleted, or, more likely, the hacker injected it with some adult / inappropriate material. This could be affiliate links for them to earn some money, or it could be do-follow links to try and boost the ranking of another website. We’ve seen a lot of different scenarios.
Understandably, our client is frustrated as they’ve practiced good security. They ask if it is a server issue. It isn’t, our servers are locked down Fort Knox tight. The logs show that the hacker got in using the blog admin credentials but the client claims they are secure and haven’t been released to anyone.
So we did a very simple test.
We started asking affected customers if they had logged in from a public wifi hotspot within the past few weeks. We asked if this security incident occurred since they had. We then asked if they had logged in via a secure SSL https:// connection.
The overwhelming consensus was yes, they had logged in from a public wifi hotspot. Yes, the security incident happened after they had. And no, they had not logged in using any type of encrypted connection.
You can guess what I’m going to say next.
Use the secure SSL https:// connection when accessing wp-admin.
You can use a self-signed SSL certificate for free. It will display a browser warning the first time you do this, but the traffic is still encrypted, and you can add an exception so that Firefox trusts this connection. Alternatively, you can buy a cheap SSL certificate for under $10 per year; a small price to pay when any would-be hacker could delete years’ worth of work with your admin login.
As a host, we can help you force https:// connections to wp-admin via .htaccess rules, so that you always use the secure connection whether you have a self-signed certificate or a paid one.
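For readers who want to see what such a rule looks like, here is an added example of the kind of .htaccess redirect described above. It is not taken from the original post or from any host’s standard configuration; it assumes Apache with mod_rewrite enabled and a certificate (self-signed or purchased) already installed for the site, and it should sit above the `# BEGIN WordPress` block that WordPress writes into .htaccess.

```apache
# Added example (not from the original post): force HTTPS for the WordPress
# login page and admin area. Assumes Apache with mod_rewrite enabled and an
# SSL certificate already configured for this host.
<IfModule mod_rewrite.c>
RewriteEngine On
# Only act on requests that did not arrive over HTTPS...
RewriteCond %{HTTPS} !=on
# ...and only for wp-login.php or anything under /wp-admin/ (case-insensitive).
RewriteCond %{REQUEST_URI} ^/(wp-admin/|wp-login\.php) [NC]
# Send a permanent redirect to the same URL over https, so the browser never
# submits the login form in clear text.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```

One caveat worth knowing: the redirect fires after the browser has already sent its first plain-http request, so it protects the login only when the login page itself is fetched over http and then re-requested over https. Pairing the rule with `define('FORCE_SSL_ADMIN', true);` in wp-config.php makes WordPress itself generate https links for the login page and dashboard, so the form is never posted to an http address in the first place.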