Security Weekly

Consider yourself hacked


Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (and a local CTF community) in Estonia since 2016, kickstarted a startup community in his hometown, and has nearly 10 years of experience with WordPress security.

Week 5

We now know why hackers are after websites and how they target them (if you missed this, check out the previous episodes).

You’ve probably also noticed that I’ve intentionally avoided giving “use X for Y” recommendations and have not covered any defensive methods in the past 3 episodes.

This is because the most powerful thing you can do to keep your website (and your business) safe is to think about security in the right way. You don’t wash only when someone tells you that you stink (I hope). The same should apply to security.

Peace of mind = False sense of security

People tend to search for “one-click” and “all-in-one” solutions to problems that feel too complex to understand, or inconvenient enough that they just want the problem to go away.

This is especially true in the WordPress ecosystem, where security has mostly been something that is dealt with only after a complete failure. This is why, for more than a decade, the most popular security services have actually been incident response services (clean-ups) instead.

Security companies should take some of the blame here. Even today, you can find security services that market “peace of mind” and “plug and play security”, and some even go as far as claiming to offer 100% security.

The truth is, as soon as people go for “peace of mind”, they become the most vulnerable. It’s the state where you think you’re secure, but don’t even care to check. “Peace of mind” is what mostly leads to a false sense of security.

Security is an ongoing process

Security is not as complicated and mysterious as it may look. You don’t need to understand every technical aspect of how computers, servers and web technologies work.

However, you do need to know what your website and your business rely on: the hosting, the WordPress core, every plugin and theme, the accounts that can log in, the third-party services that are connected. Once you know that, you can start mapping your attack surface and then set up defensive measures to keep it covered.

The things you rely on constantly change, which is why security should never be approached with a “set it and forget it” mindset. You can’t protect what you don’t know about.
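The point above is easy to state and easy to forget: an inventory you wrote down once is not an inventory of what runs today. As an added example (not part of the original post and not Patchstack’s tooling), the script below compares a previously recorded plugin inventory against the current one and reports drift: plugins that appeared or disappeared, version changes, pending updates, and plugins that are installed but inactive (their code is still on disk and still reachable, so they are still attack surface). It assumes the inventory is exported in the shape WP-CLI’s `wp plugin list --format=json` produces (fields `name`, `status`, `update`, `version`); both JSON samples are constructed for the example, and the plugin name `sample-gallery` is fictional.

```python
"""Detect drift between a recorded WordPress plugin baseline and the current state.

Added example: assumes WP-CLI style JSON (`wp plugin list --format=json`),
with the fields name, status, update and version. Sample data is constructed.
"""
import json
from dataclasses import dataclass, field

# Constructed sample: the inventory recorded the last time someone looked.
BASELINE_JSON = """[
  {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
  {"name": "contact-form-7", "status": "active", "update": "none", "version": "5.8.4"},
  {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"}
]"""

# Constructed sample: the same site today. One plugin was updated, one has an
# update pending, and one nobody wrote down ("sample-gallery", fictional) showed up.
CURRENT_JSON = """[
  {"name": "akismet", "status": "active", "update": "available", "version": "5.3"},
  {"name": "contact-form-7", "status": "active", "update": "none", "version": "5.9"},
  {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
  {"name": "sample-gallery", "status": "active", "update": "none", "version": "2.0.1"}
]"""


@dataclass
class DriftReport:
    added: list = field(default_factory=list)            # present now, absent in baseline
    removed: list = field(default_factory=list)          # present in baseline, absent now
    changed: list = field(default_factory=list)          # (name, old_version, new_version)
    updates_pending: list = field(default_factory=list)  # WP-CLI reports update == "available"
    inactive: list = field(default_factory=list)         # installed but not active: still on disk

    def has_drift(self) -> bool:
        """True when the set of components or their versions differ from the baseline."""
        return bool(self.added or self.removed or self.changed)

    def needs_attention(self) -> bool:
        """True when anything in the report deserves a human look."""
        return self.has_drift() or bool(self.updates_pending or self.inactive)


def _index(inventory_json: str) -> dict:
    """Parse a WP-CLI style plugin list into {name: record}."""
    return {item["name"]: item for item in json.loads(inventory_json)}


def diff_inventory(baseline_json: str, current_json: str) -> DriftReport:
    """Compare two plugin inventories and describe what changed."""
    baseline = _index(baseline_json)
    current = _index(current_json)
    report = DriftReport()

    report.added = sorted(set(current) - set(baseline))
    report.removed = sorted(set(baseline) - set(current))
    for name in sorted(set(baseline) & set(current)):
        old_v, new_v = baseline[name]["version"], current[name]["version"]
        if old_v != new_v:
            report.changed.append((name, old_v, new_v))

    # These two checks are about the current state only, not about the baseline.
    report.updates_pending = sorted(n for n, r in current.items() if r.get("update") == "available")
    report.inactive = sorted(n for n, r in current.items() if r.get("status") != "active")
    return report


def format_report(report: DriftReport) -> list:
    """Render the report as human-readable lines (one finding per line)."""
    lines = []
    for name in report.added:
        lines.append(f"NEW       {name}: not in baseline, who installed it and why?")
    for name in report.removed:
        lines.append(f"GONE      {name}: in baseline but no longer installed")
    for name, old_v, new_v in report.changed:
        lines.append(f"CHANGED   {name}: {old_v} -> {new_v}")
    for name in report.updates_pending:
        lines.append(f"UPDATE    {name}: update available, review the changelog")
    for name in report.inactive:
        lines.append(f"INACTIVE  {name}: unused code is still attack surface, remove it")
    return lines or ["OK: inventory matches baseline, nothing pending"]


if __name__ == "__main__":
    for line in format_report(diff_inventory(BASELINE_JSON, CURRENT_JSON)):
        print(line)
```

In practice you would commit the baseline alongside the site’s configuration and run the comparison on a schedule; the same idea extends to themes, must-use plugins, administrator accounts and DNS records, anything the site relies on that can change without you noticing.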

Expect to become compromised

In the end, we’re all humans. Regardless of how hard you try, it’s pretty much inevitable that you will miss something, make a mistake, and maybe even get compromised. If you’ve already expected this to happen and have a plan prepared, it will be much easier to recover.

Having a DRP (Disaster Recovery Plan) can also become extremely important in other situations. For example, when you’ve lost access yourself, or when the people who originally held access are not around anymore.

Essentially, the idea is to write down a detailed step-by-step guide to be followed as soon as an incident is unfolding: who to contact, where the backups are and how to restore them, which credentials to rotate, and how to verify the site is clean before putting it back. It’s much easier to come up with a plan now than to try to do it under high stress. It will save a lot of time, money and nerves.

Conclusion

Security is a process, not something you can have a “silver bullet” for. It’s about being proactive and keeping a clear overview of what you rely on. Only then will you be able to know where security is needed.

Imagine that you’re already compromised. What was the weakest link?

Next week, let’s start mapping the attack surface!

PS! As a reminder, if you wish to get these episodes directly in your email, here’s a newsletter we created just for that: http://subscribepage.io/patchstack


Brought to you by: Patchstack

Patchstack auto-mitigates security vulnerabilities found in WordPress core, plugins and themes. Patchstack is the leading vulnerability intelligence provider in the WordPress ecosystem and has the largest collection of vulnerability-specific vPatch rules, which provide precision protection without a performance hit or false positives. Patchstack is the go-to security provider for many of the leading agencies such as 10up, Valet, SiteCare and others.
