
Content Management Systems (CMS) may not be the most interesting topic on the tech table, but oh boy does WordPress liven things up in this sector. Not, it has to be said, always in a good way. I've lost count of the number of WordPress vulnerability stories that I've read over these last 12 months, and have even written a few myself. Of course, more often than not it isn't WordPress itself that is the problem but one of the gazillion plug-ins that are out there and being used to customize it and add functionality. There was the SoakSoak malware linked to the RevSlider plug-in a couple of months back, and that's just the tip of the iceberg.

Now a new survey of more than 500 WordPress users by CodeGuard (http://www.CodeGuard.com) has revealed how they are just making things worse by not being properly educated regarding backing up their sites or updating software. According to the survey, while 54% do update WordPress somewhere between once a week and every few weeks, there were 21% who backed up only occasionally. Some 24% used a website backup plugin, but only 23% have any real training in the use of these tools, while 47% had either none or very little idea of how to use WordPress.

Maybe that's not too surprising, as the survey also showed that WordPress users are attracted by ease of use and tend to veer towards the less technically competent end of the spectrum. In fact, 44% of those surveyed did not have a website or IT manager. This could explain why 69% saw a plugin fail after an update (with 24% experiencing this multiple times) and 63% admitted to deleting files which had not been backed up. It's also not surprising, then, that we read about so many problems caused by the use of plug-ins with vulnerabilities, I guess. What is surprising, however, is that 24% of those surveyed said that their WordPress site was their livelihood.

Clearly there is a disconnect between expectation and reality here, if three quarters of people using WordPress are not even backing up their content yet are relying upon that content to drive their income. There's also a disconnect between ease of use and understanding how important security is, and that means updating not only WordPress itself but also the plug-ins that you use whenever a patch is made available. Education has to be the key, as with so many of the security problems we face today, what with nearly a quarter of all websites using WordPress at the backend according to market data and being 24% more likely to be attacked than sites powered by other CMS platforms.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


Not surprising really, I suppose. If you liken a website to a car, an owner may depend upon the car to deliver his/her business but have no knowledge whatsoever with regard to maintaining it properly.

WordPress, to the mind of many, promises to be the one-stop shop for their web presence - and possibly the interface to an online store / service. Most of these plugins are based on PHP and your average Joe will have absolutely no idea what's going on with it if they poke into the code. Just like opening the bonnet of the car and seeing this tube goes from here to there and there's some wires going into this or that nondescript black box. Not a clue. Don't care. As long as it works (for now). We open the car manual and see a schematic. Bugger that, my nose is bleeding. Call my mate down the road or, better still, watch a YouTube video with regard to how to change the battery (as in use a plug-in). Yay! It works! Two weeks later the car stalls and splutters and dies. It wasn't the battery after all - it was the alternator. Crap. Now a bill for £300 and three days of lost deliveries. Business gets a bad name and we blame the car manufacturer. We blame the YouTube vid. We blame the guy down the road. We blame everybody else. So happens the plug-in has a vulnerability and the SQL injections to your DB take the site down and you lose all your non-backed-up data.

Human nature? WordPress = free. Plugins = free (usually). Free = no liability, tough tit (usually). Any wingnut can write a plug-in.
