I’ve been in the self-storage industry for 15-plus years, with a core focus on marketing, technology and Web-app development. After working directly for two of the industry's largest operators and launching my own company, I recently decided to look at the status quo of existing self-storage website platforms. This assessment uncovered a startling and scary situation. There are many vulnerable sites in the industry that, at this very moment, are easy targets for hackers!
I decided to dig deeper into this troubling observation. I wanted to know how many websites were exposed and what platform they were using. For this article, I’m going to share my results from websites using the WordPress content-management system.
The Data That Keeps Me Up at Night
Before I reveal my findings, let me clarify a few things about the study:
- I worked with a sample of 50 self-storage websites that are operating on the WordPress platform. My selection method was random, with no specific variables to tease results in one direction or another.
- After my analysis, I notified each storage operator whose website was revealed to be in a vulnerable state. However, I didn’t disclose the list of websites to anyone.
- The methods I used to identify these sites and their vulnerabilities won’t be released to the public. That said, my techniques weren’t sophisticated, and even an amateur 14-year-old hacker could replicate what I did in less than 15 minutes.
Of the 50 websites I examined, 24 were vulnerable through various means, including but not limited to an outdated version of the WordPress platform or one of its plugins. These sites could easily be hacked. A malicious person could take control of the storage operator’s WordPress instance and potentially the server on which it’s running. These are well-documented weaknesses that can easily be researched on the Web, along with sample code to exploit them. Also, of the 50 websites, only 12 were using SSL (Secure Sockets Layer) and HTTPS ((Hyper Text Transfer Protocol Secure).
What worries me is thousands of self-storage websites are running on WordPress. If I sampled a much larger cohort, would the percentage of susceptible sites stay the same? Sadly, I think the answer is yes.
What Could a Hacker Really Do?
You’re probably wondering right now what’s the worst-case scenario if someone hacks your website. Ultimately, if the breach happens using your online systems (a website), you’re liable for any damages that occurred. Let’s review some of the nasty things a hacked website can be used for:
- Steal credit card and customer data. It’s common for a self-storage website to have application programming interface (API) integrations with the facility’s property-management software. This allows people to reserve or rent a unit or pay their bill online. If your WordPress instance is compromised, someone can easily harvest information entered by customers, including personal data and credit card information. (Think about the Target breach.) Additionally, depending on if the hacker can gain control of your server, he can make direct API calls to your software.
- Help syndicate illegal software, media and child pornography. Without your knowledge, a compromised WordPress instance can be used to distribute malware, illegal software, copyrighted media and even child pornography on the dark Web or through other sharing apparatuses. Hackers use your server to store and distribute illegal media.
- Send out spam. A common use for hacked WordPress websites is to send out large amounts of e-mail spam using your domain name. This can result in your domain getting blacklisted by major e-mail providers such as Gmail and Yahoo and make it so your customers don’t get your real messages. It’s extremely difficult to get off a blacklist and can take quite a while.
- Contribute to denial-of-service attacks. Your compromised WordPress instance and server, along with a group of others, can be used to commit denial-of-service attacks, bringing down other websites and large infrastructure.
These are just a few of the frightening things a hacker can do in a cyber-attack on your WordPress website.
How Do I Keep My WordPress Website Safe?
This is not a comprehensive list of security solutions for WordPress; think of it more as best practices. There’s far more you can do to secure your installation, its database and the server on which it runs.
- Keep WordPress updated. This is the single most important thing you can do to ensure your website’s security. While it can’t stop zero-day vulnerability hacks, it’ll ensure you’re safe from ones discovered in the past.
- Keep plugins updated. The is the second most important thing you can do. It’s very common for vulnerabilities to be discovered in WordPress plugins and used to breach sites running them.
- Prevent brute-force login attacks. This is when someone uses an automated program or script to try and guess a password. Unchecked, someone can just pound away at your WordPress installation. Consider plugins that protect against these attacks. Usually they limit how many failed logins are allowed in a specific period and, if triggered, will block access to the Internet Protocol and the account they attempted to access.
- Require question/answer verification. This is similar to, if not exactly like, CAPTCHA. Someone logging into an account for your WordPress instance must answer a question. It could be “type in these letters and numbers” or a math problem. This helps further prevent automated attacks to the login apparatus.
- Password-protect the admin and login page. This is where you use your Web server to password-protect the /wp-admin directory and wp-login.php file. Before you can even access these things, you’ll need a username and password. Generally, this is done in the .htaccess file for Apache Web server. This is a great way to fend off attacks that are directly at the core files of WordPress.
- Change the default “admin” username. Every fresh installation of WordPress creates a user called “admin” that has full access to everything. Ensure you change this username to something obscure and random, such as usr10937.
- Change the “display name” for users. When you create a new WordPress user, it’s important to ensure the “display name” is changed to something besides the username. Hackers can identify usernames this way via posts and use them to execute a brute-force attack.
- Change the default “wp_” database prefix. When you install WordPress, it asks you to create a database prefix; the default is _wp. Instead, make this something obscure and random, like zX312_. This will make it harder for hackers to do structured query language injections and other attacks that involve the WordPress database.
- Disable XML-RPC. This feature has been enabled by default since WordPress 3.5. It can be used to brute-force attack the platform and bypass any methods you’ve set up to prevent this on the login page. A hacker can literally try thousands of passwords in as little as 10 to 40 requests vs. doing 1,000 individual requests on your login page.
- Disable PHP file execution. There are some directories in your WordPress instance that shouldn’t be allowed to execute a PHP file, such as /uploads/. Attackers can find ways to force an upload and execute malicious code. Ensure you leverage your .htaccess file to block PHP file execution in the directories that don’t need it.
- Disable file editing. By default, you can edit the code of your theme files inside of the WordPress backend. If someone does compromise an account, this can make it easy for them to deploy malicious code. I always recommend people turn file editing off and require updates to be deployed server-side.
- Use strong passwords. If your passwords aren’t a minimum of 12 characters with letters, numbers and special characters, they can easily be guessed. Enforce strong password requirements to keep your accounts as secure as possible.
- Have a back-up solution. Let’s face it … Stuff happens. If your site is hacked, you’ll need to redeploy it as quickly as possible. I highly recommend you don’t try to fix it and instead do a fresh install. However, you need back-ups to do this! Ensure you deploy a proper back-up solution and retain copies going back at least 90 days, because some hacks are discovered months later.
The most effective way to prevent your WordPress website from being hacked is to ensure it’s always up to date and follow the above best practices. Failure to stay current can result in your website being defaced or, in a worst-case scenario, the theft of credit card data and personally identifiable information. The cost of keeping your platform updated and secure is far less than the liabilities you’d face in a data-theft scenario.
Stephen Sandecki has been in the self-storage industry for more than 15 years, focusing on digital marketing, technology and Web development. He recently launched Fully Charged Marketing, which provides search engine optimization, paid search, call tracking, revenue management and more. For more information, call 720.500.7272; e-mail [email protected].