The importance of keeping security up to date on WordPress (and other website platforms)


WordPress is the biggest platform used for websites globally. With its constantly evolving updates and thousands of plugins and themes, websites can be made to look stunning using this software. WordPress is open source – allowing developers to collaborate, modify and build for it – and therefore security against less scrupulous coders, i.e. hackers, should be taken very seriously.

We hear about cyber security all the time - do we really need to take it seriously?

In a word, yes.

On Monday, there was a WordPress Brute Force attack campaign, meaning hackers tried to access thousands of websites across the globe. It was seen as the biggest attack since 2012 by WordPress security experts Wordfence. At one point over 14 million attacks per hour were recorded. Just because these sites were attacked, it doesn’t mean they were breached – if they had good security in place, the majority of the attacks would either fail or be easily dealt with.


Regardless of the platform, every website on the internet could be a potential target of hacking, whether it’s for spreading viruses, malware or cyber theft. A favourite for cyber criminals is holding a website to ransom by effectively taking it over. This act, commonly known (among other names) as crypto-locking, means the website owner has to pay a large amount of money to have their website and all its data unlocked and returned to normal. The money is more often than not virtual currency such as Bitcoins, and is almost impossible to trace.

It can happen to veterinary practice websites!

And it has; at Vet Help Direct we know of at least four practices this has happened to. In every case the ransom was for Bitcoins, and in one case the practice had no choice but to pay.

What steps can we take to help secure the website?

Practice websites can be made more secure by taking some simple steps or asking your web developer to help. The steps below cover all website platforms, including WordPress.

1.     Make sure a firewall is installed on your website to block such attacks intelligently – Wordfence is a firewall for WordPress and has a free robust version.

2.     Ensure that passwords are strong! The longer the better, with different characters. A good way of remembering a password is to use a story, e.g. I’m_anA1VetSurge0n (don’t use this example!)

3.     Change your username – the most commonly hacked username is ‘admin’, so ensure you change it to something more memorable.

4.     Do you have users still listed on the website that have left the practice? If so delete them off the system, as this cuts down the number of logins available on the site.

5.     Strongly consider two-factor authentication for admins of the website – it may mean logging in for them is more difficult, but that means it is for hackers too!

6.     In WordPress you can also use a plugin such as Wordfence to monitor login attempts. It means that if someone tries unsuccessfully to log in (three times, as an example), they are locked out until you either reset their password or block them completely.

7.     Never reuse a password on multiple services. It means that if your password is exposed in a data breach on one service, it won’t be the same for others, which helps secure the other services you use, e.g. keeping your website and Facebook passwords different.

8.     With so many passwords to remember, password managers such as 1Password and LastPass are worth considering.

9.     Ensure that your hosting provider makes security back-ups of your website. All Vet Help Direct hosted sites come with security AND back-ups, which means even if there is a problem, the site can be rolled back up to 30 days, while the issue is sorted.

10.  Finally, make sure the software version of the platform is up to date – security breaches can happen when the platform is old and not patched properly. At the time of writing, for example, WordPress should be version 4.9.1 (released at the end of November).
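To show what the login monitoring in step 6 looks like in practice, here is an added example (not part of the original article, and not Wordfence's code) that scans web server access-log lines and reports which addresses would be locked out after three failed logins within five minutes. The log lines are constructed, and it assumes WordPress answers a failed login on /wp-login.php with status 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in common access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.7 - - [01/Jan/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.4 - - [01/Jan/2018:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.7 - - [01/Jan/2018:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.4 - - [01/Jan/2018:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [01/Jan/2018:10:00:31 +0000] "GET /wp-login.php HTTP/1.1" 200 2900
192.0.2.9 - - [01/Jan/2018:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
192.0.2.9 - - [01/Jan/2018:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
192.0.2.9 - - [01/Jan/2018:10:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_lockouts(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Return {ip: time} for each address reaching max_failures inside window."""
    recent = defaultdict(deque)  # ip -> times of failed logins still in window
    locked = {}                  # ip -> time the threshold was first reached
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue             # skip lines that are not in the expected format
        ip, stamp, method, path, status = m.groups()
        # Only form submissions count; viewing the login page (GET) does not.
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if status == "302":      # assumed success: a redirect, so reset the count
            recent[ip].clear()
            continue
        if status != "200":      # assumed failure is 200 (login form shown again)
            continue
        attempts = recent[ip]
        attempts.append(when)
        while when - attempts[0] > window:
            attempts.popleft()   # forget failures older than the window
        if len(attempts) >= max_failures and ip not in locked:
            locked[ip] = when
    return locked

if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"lock out {ip} at {when:%H:%M:%S}")
```

Counting per address misses attempts spread thinly across many addresses, which is why the strong passwords and two-factor authentication in the list above still matter.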


In summary, website breaches do happen, but with common sense and security measures in situ, your practice website will be a good place for clients (and potential clients) to visit safely.