WordPress has become the go-to content management system for many of the Web's most prominent sites. Through the middle of 2013, WordPress powered almost 19 percent of the Web, having been downloaded more than 40 million times. By 2014, WordPress accounted for 22 percent of new domain registrations in the U.S. and was the CMS underpinning roughly half of the Technorati Top 100 rankings. Sites such as Mashable, CNN and eBay depend upon WordPress to support articles, photos and videos that reach millions of viewers.
Risk and reward with self-hosted WordPress sites
Many individuals and businesses opt for the commercial WordPress.com. Its ecosystem of blogs and news sites actually gets more monthly traffic than Amazon.com, and it accounted for about 50 percent of all WordPress utilization at the start of 2014. Self-hosted sites that use technology from WordPress.org are similarly popular, greatly outnumbering rivals that are built upon Drupal or Joomla.
Going the self-hosted route with WordPress also has the advantage of being able to tap into the vast ecosystem of WordPress plug-ins, which provide rich functionality unattainable with a basic or midrange WordPress.com installation. However, self-hosting requires much closer attention to cybersecurity. In particular, working with WordPress plug-ins can invite security issues, as demonstrated by a recent vulnerability discovered in the popular Yoast search engine optimization plug-in.
WordPress SEO by Yoast may have as many as 14 million users, making it one of the most used WordPress plug-ins of all time. Accordingly, a zero-day flaw discovered in one of its versions this March put millions of self-hosted WordPress sites at risk of being remotely taken over by attackers.
Yoast's plug-in was vulnerable to SQL injection attacks, in which an attacker supplies crafted input that the site incorporates, unsanitized, into the SQL statements it sends to its database. If executed, these statements may reveal the database's contents to the attacker. In the case of sites running the WordPress SEO plug-in, such manipulation could have led to data leakage or allowed for the insertion of malware, spam or harmful hyperlinks into the back-end database.
"One possible attack scenario would be an attacker adding their own administrative user to the target WordPress site, allowing them to compromise the entire website," explained Ryan Dewhurst, the discoverer of the flaw, according to ZDNet.
Yoast quickly patched the plug-in, and WordPress.org's hosted services also forced through an automatic update for Yoast users due to the severity of the vulnerability.
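To make the bug class concrete, here is an added example (not the Yoast plug-in's code) showing the defective query pattern beside its parameterized fix. It uses Python and an in-memory SQLite table with constructed rows as a stand-in for the plug-in's PHP and MySQL; the table and column names are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for a WordPress posts table. This is an
# illustration of the bug class, not the Yoast plug-in's code or schema.
SAMPLE_POSTS = [
    (1, "Public launch notes", "publish"),
    (2, "Unreleased pricing plan", "draft"),
    (3, "Private board memo", "private"),
]

# Sort columns cannot be bound as query parameters, so they must be allowlisted.
ALLOWED_ORDER_COLUMNS = {"ID", "post_title"}


def make_db():
    """In-memory SQLite database (stand-in for WordPress's MySQL) with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_status TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def vulnerable_search(conn, term):
    """Defective pattern: the request parameter is spliced into the SQL text,
    so a crafted value rewrites the WHERE clause and exposes unpublished rows."""
    sql = ("SELECT ID FROM wp_posts WHERE post_status = 'publish' "
           "AND post_title LIKE '%" + term + "%' ORDER BY ID")
    return [row[0] for row in conn.execute(sql)]


def safe_search(conn, term, orderby="ID"):
    """Hardened pattern: user data travels as a bound parameter (the equivalent of
    $wpdb->prepare in WordPress), and the sort column is checked against an allowlist."""
    if orderby not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("unexpected sort column: %r" % orderby)
    sql = ("SELECT ID FROM wp_posts WHERE post_status = 'publish' "
           "AND post_title LIKE ? ORDER BY " + orderby)
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    crafted = "%' OR 1=1 --"  # constructed input that closes the quoted LIKE pattern
    print("vulnerable:", vulnerable_search(db, crafted))  # every row, drafts included
    print("hardened:  ", safe_search(db, crafted))        # nothing: the value stayed data
```

The same input that leaks every row through the concatenated query matches nothing once it is bound as a parameter, and a sort column outside the allowlist is rejected before any SQL is built.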
Keeping technology updated is key
The incident highlights the importance of keeping technology up-to-date. For small and midsize businesses, staying on top of security issues, whether they affect WordPress plug-ins, productivity tools such as corporate email, or line-of-business applications, can often require more resources than they have available. Often, IT personnel are too busy to continuously monitor and maintain their entire technology stack.
For that reason, businesses without dedicated resources available have begun outsourcing maintenance and performance monitoring to dedicated managed service providers, allowing their IT personnel to focus on more business-critical functions.
Companies are also leveraging the cloud to help keep their business applications updated. Many cloud-based solutions, such as Office 365, Dropbox and Adobe Creative Cloud, are automatically updated with little to no involvement necessary from an IT department.
Pinnacle, an Advanced Imaging Solutions Company, can help businesses keep their systems and applications updated by providing managed IT and cloud solutions. Pinnacle has dedicated support engineers who actively monitor and update systems, installing patches and firmware when needed, and also provides cloud computing solutions that help businesses stay competitive. Organizations looking to get the most out of their technology should consider a custom hybrid solution including both cloud and managed services.
For more information about cloud or managed services from Pinnacle, contact us today.