A Simple Security Measure that is Overlooked
“My message for companies that think they haven’t been attacked is: ‘You’re not looking hard enough.’” [Deputy Director, UK Office for Cyber Security]
This is something I discovered while restoring a hacked site for a school. Although I don’t believe this was the cause of the malware that I cleaned out, it was a door left wide open for an unauthorized individual to gain access to the website.
In checking the Users for this site, I noticed that there were 28 Users who had access to this particular WordPress website. Now I can understand the number of users, as teachers, administrators, and staff all had responsibility for updating their portion of the website.
In reviewing their website, I came across two major security issues:
- Too many administrators
- Users who left the school were not deleted
1. Full Administrator Access
The current administrator for this website did not build it but was handed the keys when the school’s tech/media officer left.
As more users were required to update and edit their portion of the website, the administrator gave every new user an Administrator Role.
In reality, the majority of users only needed an Editor or Contributor role.
There were too many cooks in the kitchen with full access to the website; what a scary thought!
In addition, no one was ever trained to use WordPress.
One user told me that his training consisted of “Just log in and play around till you find your page, then it’s like using Microsoft Word.”
He learned on his own by watching YouTube videos.
If anyone navigated to the wrong section of the website, one simple click of the mouse could delete a post, page, plugin or theme, or worse yet, take down the website.
Amazing. I wonder how many thousands of WordPress sites are in the same scenario today?
For more info, see the WordPress documentation on User Roles.
Two Users were assigned as Administrators, the remaining Users were reassigned to an Editor or Contributor Role.
2. Users who left the school were not deleted
At the time, the employee termination checklist did not include any provision for removing a departing user’s access to the school’s website, so it never occurred to the school to carry out this key security step.
Luckily none of the former employees ever caused a problem once they left.
The thought of a former employee still having login access to your website at any time, from any place, is another scary thought.
To immediately correct this situation, the Administrator gave me a short list of users who were no longer employed by the school, and I deleted their accounts to close this door.
I recommended that the school add this action to their employee checkout procedures for future employee terminations.
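The two clean-up steps described above (cutting the Administrator list down to the few people who need it, and removing accounts that belong to people who have left) are easy to do by hand once for 28 users, but they are worth scripting so the school can repeat the audit every term. The following is an added example, not code from the original post or from WordPress itself. It assumes the user list is the JSON that WP-CLI's `wp user list --fields=ID,user_login,user_email,roles --format=json` prints (a constructed sample is embedded inline), that a constructed HR roster of current staff e-mail addresses is available, and that `APPROVED_ADMINS` is the short list of logins that genuinely need full access. It produces a review plan and the matching WP-CLI commands rather than changing anything itself, so an administrator can read the plan before acting on it.

```python
"""Audit WordPress users against an HR roster and an approved-admin list (added example)."""
import json

# Constructed sample of what `wp user list --format=json` would print; not real accounts.
USERS_JSON = """[
  {"ID": 1, "user_login": "webadmin",  "user_email": "webadmin@school.example",  "roles": "administrator"},
  {"ID": 2, "user_login": "principal", "user_email": "principal@school.example", "roles": "administrator"},
  {"ID": 3, "user_login": "msmith",    "user_email": "msmith@school.example",    "roles": "administrator"},
  {"ID": 4, "user_login": "jjones",    "user_email": "jjones@school.example",    "roles": "administrator"},
  {"ID": 5, "user_login": "oldtech",   "user_email": "oldtech@school.example",   "roles": "administrator"},
  {"ID": 6, "user_login": "coach",     "user_email": "coach@school.example",     "roles": "editor"}
]"""

# Constructed HR roster of people still employed (oldtech has left).
CURRENT_STAFF = {
    "webadmin@school.example", "principal@school.example",
    "msmith@school.example", "jjones@school.example", "coach@school.example",
}

# Hypothetical list of logins that are allowed to keep the Administrator role.
APPROVED_ADMINS = {"webadmin", "principal"}


def audit(users, current_staff, approved_admins):
    """Sort users into: delete (no longer employed), demote (admin but not approved),
    and admins (approved administrators that remain)."""
    staff = {e.lower() for e in current_staff}
    plan = {"delete": [], "demote": [], "admins": []}
    for u in users:
        roles = [r.strip() for r in u["roles"].split(",")]  # WP-CLI joins multiple roles with commas
        if u["user_email"].lower() not in staff:
            plan["delete"].append(u)          # departed users go first: access is removed entirely
        elif "administrator" in roles and u["user_login"] not in approved_admins:
            plan["demote"].append(u)          # still employed, but does not need full admin
        elif "administrator" in roles:
            plan["admins"].append(u)
    return plan


def wp_cli_commands(plan, reassign_to_id, default_role="editor"):
    """Render the plan as WP-CLI commands for review. Deleting a WordPress user
    without --reassign also deletes that user's posts and pages, so content is
    reassigned to a remaining administrator instead of being lost."""
    cmds = [f"wp user set-role {u['ID']} {default_role}" for u in plan["demote"]]
    cmds += [f"wp user delete {u['ID']} --reassign={reassign_to_id}" for u in plan["delete"]]
    return cmds


def run_sample():
    plan = audit(json.loads(USERS_JSON), CURRENT_STAFF, APPROVED_ADMINS)
    return plan, wp_cli_commands(plan, reassign_to_id=1)


if __name__ == "__main__":
    plan, cmds = run_sample()
    print(f"{len(plan['admins'])} approved administrator(s) remain; "
          f"{len(plan['demote'])} to demote, {len(plan['delete'])} to delete")
    print("\n".join(cmds))
```

Matching on e-mail address is only as good as the HR roster: an account created under a personal address, or a roster that lags behind the real leaving date, will slip through, which is exactly why the check belongs on the termination checklist rather than in an occasional script run. Users who are still employed but hold the Administrator role are only demoted, never deleted, so nothing they have written is affected.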
These security actions apply not only to WordPress but to all website logins, whether it be a CMS such as Joomla or Drupal, your hosting cPanel, FTP accounts, or even online website builders like Squarespace and Wix.
If you have multiple users, be sure to delete anyone who leaves your organization.
It is better to be safe than sorry later.
WordPress is basically a secure platform.
People are the problem: they allow their websites to be compromised because they fail to be cautious about what they install (plugins, themes), hold off on performing updates, allow too many users with full Admin privileges, use simple passwords because they are lazy, etc.