WordPress Security

Small Business Cyberattacks and Spear Phishing: Are You at Risk?

Cyberattacks are increasing globally and targeting small to mid-sized businesses. Learn how to protect your business and WordPress website.

Dan Knauss

Cyberattacks are on the rise everywhere and targeting small to mid-sized businesses more every year. Recent threat reports show global cyberattacks increased by 38% in 2022. Attacks rose by 57% in the United States, 77% in the United Kingdom, and 26% in Singapore. Statista estimated the global online crime cost was around USD 8.4 trillion. That’s an increase of USD 3 trillion every year since 2020.

In 2023, the World Economic Forum (WEF) placed cybersecurity failure in its top five global risks for the first time. The WEF’s annual Global Risks Report for 2022 notes an enormous 300% spike in state-sponsored cyber-attacks since 2020. The WEF even suggests that risk analysts have underestimated the severity of internet crime as a long-term threat.

The FBI’s Internet Computer Crime Center (IC3) reported nearly USD 7 billion in US business losses from cybercrime in 2021. That’s a 64% increase from 2020. Most victims were small businesses (CNBC). Half of all Canadian small businesses — and more than half in the United States — experienced cyberattacks in 2022. For more details, see Verizon Business and the Canadian Federation of Independent Business (CFIB).

In light of these trends, it may be impossible to overestimate the risk of cybercrime today. There’s no doubt your business is a target. But the good news is it’s very possible to ensure your business is not a victim.

Small Business Spearfishing

It’s called “spear phishing” — and you’re the fish.

Today, the fastest growing cyberattack trends target SMBs through their employees with sophisticated “spear phishing” campaigns. Spear phishing is a well-researched and informed social engineering approach to hacking and online fraud. It’s “phishing” that goes beyond the basic level of spammy fraud that’s blindly shotgunned at everyone and anyone. Spear phishing has a specific target in mind. For example, spear phishing might involve tricking employees at a specific company into giving up sensitive information or installing malware. It’s called “whaling” when the target is a high-profile, high-value individual like an executive or board member.

In 2023, Verizon Business’ Data Breach Investigations Report showed that 50% of all socially engineered attacks involved “pretexting.” Pretexting is a spear phishing tactic that targets individuals with compelling text messages to gain their trust.  

AI tools like ChatGPT make it easier for criminals to research their targets and write convincing emails in any language. As a result, basic phishing is still common but fell to 44% of the attacks analyzed by Verizon in 2023. It’s the more sophisticated spear phishing attacks that are increasing, and they’re increasingly targeting organizations with fewer than 1,000 or even 500 employees.

Targeted attacks on small businesses are effective and costly.

Forbes reports small business employees are experiencing 350% more social engineering attacks than larger companies. Barracuda Networks’ Spearphishing Report posted similar numbers. Malware (22%) and phishing (20%) are currently taking the lead as the top two most common attack methods, as reported by UpCity’s 2022 cybersecurity survey of 600 business owners and IT professionals across the United States.

With more numerous and sophisticated attacks come higher costs of remediation. According to IBM and the Ponemon Institute’s 2023 Cost of a Data Breach Report:

“Smaller organizations faced considerably higher data breach costs than [in 2022]. In 2023, organizations with more than 5,000 employees saw the average cost of a data breach decrease compared to 2022. On the other hand, those with 5,000 or fewer employees saw considerable increases in the average cost of a data breach. Organizations with fewer than 500 employees reported that the average impact of a data breach increased from USD 2.92 million to USD 3.31 million, or 13.4%. Those with 500–1,000 employees saw an increase of 21.4%, from USD 2.71 million to USD 3.29 million.”

IBM Security, Cost of a Data Breach Report (2023)

Unfortunately, CNBC reports that despite being aggressively targeted, small businesses are less concerned about cybersecurity risks than larger companies. As a result, they invest significantly less in IT security. That is a costly mistake, because the cost of prevention is always much, much lower than the total cost of a severe breach. And those costs are only rising.

How much can a security breach cost your business?

In 2021, our friends at Patchstack found that the cost to clean a hacked WordPress site could be as high as USD 4,800. However, this only counts the direct remediation costs, such as hiring professionals to restore the site, remove malicious code, and harden security measures. The total cost of a compromised website can be much higher. Additional costs include lost business, incalculable damage to brand reputation, potential regulatory fines for data breaches, and the time spent resolving the issue. The larger the company, the higher the cost — generally thousands of dollars per employee and several million dollars per breach.

Regarding ransomware, the cost of losing control of a website goes far beyond the lost daily revenue. In 2016, the New York Times reported how ransomware plagued a toy company, Rokenbok Education, during the previous holiday season. Cybercriminals infected Rokenbok’s database with malware. The attackers “encrypted company files” and demanded “a hefty ransom to unlock the data.” Rather than pay the ransom, Rokenbok rebuilt its whole system.

Previously, Rokenbok had experienced a denial of service attack, which also took them offline for a while. While outages may be temporary, a few days of lost business can have a permanent cost when customers go elsewhere. In the same article, the Times reported how a denial of service attack took down the website for a large indoor skatepark on Staten Island. Many customers thought the business had closed permanently — a lasting, harmful misperception.

The costs of a bad breach are more than financial

These are relatively mild examples of what can happen to a business in a cyberattack. In the past ten years, ransomware attacks have steadily increased. Dark web organizations offering ransomware-as-a-service have lowered the costs of this criminal enterprise. The risks for small-to-mid-sized businesses have only gone up. According to Verizon’s 2023 data breach report, successful ransomware attacks are skyrocketing, and so are their costs:

The median cost per ransomware more than doubled over the past two years to $26,000, with 95% of incidents that experienced a loss costing between $1 and $2.25 million.

Verizon Business 2023 Data Breach Investigations Report

Apart from the financial costs, having your employees targeted and your business crippled is a brutal experience to go through. It’s enraging, humiliating, and traumatic to staff morale. For an eye-opening impact assessment of a ransomware attack, read this study of a 2016 incident at a major North American university.

Protect your WordPress website with a layered defense.

Business owners should take serious steps to avoid significant losses in a cyberattack. As a WordPress site owner, you should prioritize hardening your site’s defenses and securing your user accounts to prevent denial of service attacks, data breaches, and hacks. Maintaining software updates, especially for the plugins you use, and a sensible user security policy following the principle of least privilege are the foundational layers of a solid, proactive defense.

WordPress websites are most at risk when vulnerable plugins and themes aren’t updated or replaced. Vulnerabilities emerge over time in all software, so maintenance is essential. There is a very high probability a WordPress site with 20-30 plugins will have at least one new vulnerability if no updates have been applied for as little as a month. An equally common source of hacked websites is insecure, poorly managed user accounts with weak, stolen, or recycled passwords.

Update your software and protect your users.

Keeping your plugins updated and your user accounts secure will dramatically reduce the risk of successful exploits. Criminals target vulnerable code and insecure user accounts, and they commonly target both of these weak points together. For example, attackers can exploit many plugin vulnerabilities only if they also control a user account with a certain level of privileges. Denying them easy access to user accounts makes that class of plugin vulnerability far harder to exploit. You should still cover both vectors, of course. If you ensure your site is up to date and user-level security is high, you are unlikely to experience a severe breach or hack.

Let’s look at both attack vectors and how to reduce, if not eliminate, the risk of them compromising your site and users.

Our weekly WordPress Vulnerability Report covers recent WordPress plugin, theme, and core vulnerabilities, and it explains what to do if you have a vulnerable plugin or theme on your website. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities are essential to keep the WordPress community safe.

Check daily for vulnerable plugins and themes.

As you can see in our weekly security reports, security researchers disclose many new WordPress plugin and theme vulnerabilities each week. We see a significant increase in the total number of vulnerabilities each year. 2023 is on track to set even higher records as more security researchers are working harder to secure WordPress software.

This is a good thing in the enormous WordPress space, which accounts for 43% of all websites and 64% of all CMS-driven sites. Open-source software relies on responsible disclosure to fix rather than hide bugs.

We know it can be difficult to stay on top of every reported vulnerability disclosure, so the Solid Security Pro plugin lets you know if your site is running a theme, plugin, or version of WordPress core with a known vulnerability. It will also apply any available updates automatically if you activate this feature.

1. Activate Solid Security Pro’s Site Scanner to Detect Vulnerabilities.

The Solid Security Pro plugin’s Site Check Scanner takes aim at the number one reason why WordPress sites get hacked: outdated plugins and themes with known vulnerabilities. If you activate Site Scan Scheduling and Version Management, Solid Security Pro will search your site twice daily for known vulnerabilities and automatically apply new security updates.

To enable the Site Scan on new installs, go to the Site Check tab in the Features menu inside the Solid Security Pro settings screen. Click the toggle on the Site Scan Scheduling card to enable the Site Scan feature.

Solid Security setting for scheduled site scans
Navigate to Security › Settings › Features › Site Check to set up twice daily vulnerability scanning.

To trigger a manual Site Scan at any time, click the Start Site Scan button in the Site Scan section, as shown below. (Security › Site Scans)

Solid Security Site Scans
Check your recent site scan results and run new scans.

The scan results may pinpoint high, medium, or low-severity risks in user accounts or vulnerable software on your site.

These Site Scan results point out potential weaknesses in an administrator account with weak login security.

If Solid Security Pro detects a potential threat or vulnerability, click the “View Detail” link to learn more so you can take appropriate action.

You will see a notice if a vulnerability in WordPress, a theme, or a plugin has emerged. If a patch is available, click the Update Plugin button to apply it to your website.

Solid Security Site Scan’s vulnerability data is powered by Patchstack.

2. Activate Solid Security Pro’s Version Management to Update Vulnerable Code.

The Version Management feature in Solid Security Pro integrates with the Site Check. It will automatically update your software to new versions if a known vulnerability exists and a patch is available. This is an excellent way to protect your site even if you miss a security update. Even the most robust security measures will fail if you run vulnerable software on your website.

Navigate to the Site Check screen from the Settings page in Solid Security Pro and open the Site Check tab. From here, use the toggle to enable Version Management for WordPress core, plugins, and themes.

Select the Auto Update If Fixes Vulnerability box so that Solid Security Pro automatically updates a plugin or theme when a vulnerability is found.
Activate Version Management for instant security updates to vulnerable code. Click the last checkbox, Auto Update If Fixes Vulnerability.

3. Activate Solid Security Pro’s Email Alerts.

When Solid Security Pro finds a known vulnerability on your site, it will send email alerts to Administrators or other users you specify if you activate notifications.

Once you’ve enabled Site Scan Scheduling and Version Management, head to the plugin’s Notification Center at Security › Settings › Notifications and scroll to the Site Scan Results section.

Ensure appropriate users are notified when Solid Security Pro discovers vulnerable code or users.

Click the “Enable” box to enable notification emails. Now you can select which users will receive notifications. Click the “Save All” button to enter your changes.

During scheduled site scans, the recipients you selected will get an email if Solid Security Pro discovers known vulnerabilities.

Important: You should never mute a vulnerability notification until you have confirmed your current version includes a security fix, or you’ve confirmed the vulnerability doesn’t affect your site.

Create and enforce a user-level security policy.

You can help your WordPress site users get off on the right foot with security when their accounts are created. When building sites for others, especially if new user accounts will be frequently added, you should plan an appropriate user-level security policy in Solid Security Pro.

Your security policy should answer questions like these:

  • Will you require all users to log in with Two-Factor Authentication (2FA), or will you give them a choice of login methods?
  • Will you trust recognized devices and allow them to log in with a regular password but require 2FA for logins from unrecognized devices?
  • Will you make Passkeys an option for some users, like Administrators?

While keeping the login process convenient and straightforward for your users, Solid Security Pro lets you increase user authentication security to an appropriate level for those with higher privileges. Cybercriminals phishing for weak user accounts or testing stolen passwords will be unable to break through 2FA, for example. And if your users have passkeys or use another passwordless login, there are no passwords to steal from them.

Here’s an example of a security policy you might implement with Solid Security Pro to require more robust authentication methods for higher-privilege user roles:

  1. All Users:
    • Require: Strong Passwords
    • Require: Periodic Password Resets
    • Optional: Two-Factor Authentication
    • Optional: Passwordless Login
  2. Authors, Editors, and Administrators:
    • Require: Two-Factor Authentication
    • Optional: Passkeys

For back-end users, you might activate other features, like Activity Logging. You may want to monitor what they do on the site since they can add and modify the content or even change WordPress’s functionality. It’s your call — you can set up any kind of security policy you need.

1. Activate Login Security Features.

Turn on the login security features you wish to use in Solid Security Pro’s Settings › Login Security section, as shown below. Once Two-Factor Authentication, Passwordless Login, and Passkeys are enabled, you can require or optionally allow designated users to use them.

Solid Security Pro adds several layers of security to WordPress’s user login process. Once activated, these security features can be offered as options or required for specific users and user groups.

Temporary Privilege Escalation is a feature in Solid Security Pro for temporarily increasing privileges for one or more users for a specific period. After that time passes, their privileges will be revoked automatically. Ensure your admin team uses this feature and never hand out high-level access privileges without restrictions. Even people you trust, like your web host’s support techs, do not need and should not have open-ended access to the WordPress admin interface.
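To make concrete what a time-boxed grant like this does under the hood, here is an added illustration built only on WordPress core APIs. It is not Solid Security Pro’s code; the demo_-prefixed function names and user meta keys are hypothetical, and it assumes WP-Cron is running (with a lazy check on each request as a fallback for quiet sites).

```php
<?php
/*
 * Illustrative time-boxed role elevation (hypothetical demo_ names,
 * not Solid Security Pro's implementation). Install as an mu-plugin.
 */

/** Give $user_id the role $role for $seconds, then auto-revert. */
function demo_grant_temporary_role( $user_id, $role, $seconds ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'demo_no_user', 'Unknown user ID.' );
    }
    if ( ! get_role( $role ) ) {
        return new WP_Error( 'demo_no_role', 'Unknown role.' );
    }
    if ( get_user_meta( $user_id, '_demo_temp_expires', true ) ) {
        return new WP_Error( 'demo_active', 'A temporary grant is already active.' );
    }
    $expires = time() + (int) $seconds;
    // Remember the exact previous role set so the revert is precise.
    update_user_meta( $user_id, '_demo_prev_roles', $user->roles );
    update_user_meta( $user_id, '_demo_temp_expires', $expires );
    $user->set_role( $role ); // set_role() replaces all current roles
    // WP-Cron fires the revert on the first request after $expires.
    wp_schedule_single_event( $expires, 'demo_revoke_temporary_role', array( (int) $user_id ) );
    error_log( sprintf( 'demo: user %d elevated to %s until %s', $user_id, $role, gmdate( 'c', $expires ) ) );
    return $expires;
}

/** Restore the roles saved by demo_grant_temporary_role(). */
function demo_revoke_temporary_role( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $prev = array_filter( (array) get_user_meta( $user_id, '_demo_prev_roles', true ) );
    $user->set_role( '' ); // an empty role string strips every role
    foreach ( $prev as $r ) {
        $user->add_role( $r );
    }
    delete_user_meta( $user_id, '_demo_prev_roles' );
    delete_user_meta( $user_id, '_demo_temp_expires' );
    error_log( sprintf( 'demo: user %d reverted to roles [%s]', $user_id, implode( ',', $prev ) ) );
}
add_action( 'demo_revoke_temporary_role', 'demo_revoke_temporary_role' );

/*
 * WP-Cron only runs when the site gets traffic, so an expired grant could
 * linger on a quiet site. Revoke lazily at the start of any request by an
 * elevated user whose grant has expired, before any capability check runs.
 */
function demo_enforce_expiry() {
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        return;
    }
    $expires = (int) get_user_meta( $user_id, '_demo_temp_expires', true );
    if ( $expires && time() >= $expires ) {
        demo_revoke_temporary_role( $user_id );
    }
}
add_action( 'init', 'demo_enforce_expiry', 1 );
```

Because set_role() fires WordPress’s set_user_role action, an activity-logging feature will record both the grant and the automatic revert, which gives you an audit trail for every elevation.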

2. Organize Users and Roles into Security Groups.

WordPress organizes user accounts into a hierarchy of roles with different privileges, from Administrators who control everything down to Subscribers, Contributors, and Authors with limited commenting and posting privileges. Solid Security Pro lets you sort your users into custom security groups you create. This way, you can establish the login security requirements (among other things) for one or more user groups or even specific individual users.

All users who are Administrators or who have the same capabilities as Administrators have been selected here to create a combined “Administrators” group.

You can combine any of the role groups created by WordPress and various plugins into the security groups you create in Solid Security Pro. This makes user security management easier for you and anyone who maintains the site.

3. Enforce Login Security Rules for Specific Users and Groups.

Now, under Security › User Security › Your Custom Group, you can select the security requirements for users in this group. Here, the “Test Group” has stricter password requirements than the default.

User Groups in Solid Security Pro are a powerful tool for quickly grouping together any number of users or user groups and requiring them to adopt stronger security practices based on their roles and privileges. You can set up an effective site security management system and dashboard with Solid Security Pro. This is incredibly useful for high-value eCommerce, Membership, and Community sites with many users who often can create their own accounts.

Combined with timely updates and vigilant checking for vulnerabilities, Solid Security Pro’s user-level security controls will significantly reduce the risk of a breach by closing the two main attack vectors for WordPress websites: insecure plugins and insecure user accounts.

Agencies and Freelancers! As a value-added service, you can help your clients manage their security with Solid Security Pro’s user groups and custom dashboard features. Educate them about user-level security, help them establish a policy, and then set up the rules and workflows to effectively manage it.

Security is a way of thinking, not a one-and-done activity.

The rising tide of cyberattacks, especially on small to mid-sized businesses, underscores the urgent need for adequate cybersecurity measures. As spear phishing and social engineering attacks become increasingly sophisticated, businesses must fortify their defenses or risk crippling losses. This is especially true for WordPress site owners, where a lack of maintenance and security thinking heightens the attack risk. Outdated plugins and themes and weak user account security practices ensure attackers have a constant supply of vulnerabilities to exploit.

Cybersecurity is no longer a luxury but a critical requirement for every business, large or small. In the form of layered defenses and hardened security, investing in prevention can save companies from the costs of a security breach and the potential loss of brand reputation and customer trust. Proactive defenses and site hardening tools like Solid Security Pro will help you protect your site and users by raising the bar for user login security. By identifying potential vulnerabilities and applying timely updates, Solid Security Pro will help you close the other major security risk factors as a WordPress site owner.

However, cybersecurity is not a one-off task that can be delegated entirely to software automation. It’s an ongoing commitment involving regular site checks and oversight for your users, especially those with higher access privileges. It requires establishing strong user-level security policies and informing your team about the latest threats.

Finally, businesses must remember that cybersecurity is a shared responsibility. By working together, we can mitigate the risks and protect our online spaces from cybercriminals.

Responsible Disclosure: Security the WordPress Way

You might be wondering why a vulnerability would be disclosed if it gives hackers an exploit to attack. Security researchers who find vulnerabilities generally report them privately to the owner of the vulnerable code and the software developers responsible for it.

But it won’t remain a secret for long, and it shouldn’t.

With responsible disclosure, the researcher’s initial report is made privately to the developers and the company responsible for the software on the understanding that the full details will be published once a patch has been made available. There may be a slight delay in disclosing the vulnerability for significant security vulnerabilities to give more people more time to apply the patch.

The security researcher may provide a deadline for the software developer to respond to the report or to provide a patch. If this deadline is not met, the researcher may publicly disclose the vulnerability to pressure the developer to issue a patch.

Publicly disclosing a vulnerability and seemingly introducing a Zero-Day vulnerability — a type of vulnerability that has no patch and is being exploited in the wild — may seem counterproductive. But, it is the only leverage a researcher has to pressure the developer to patch the vulnerability.

If a hacker were to discover the vulnerability, they could quietly use the exploit and cause damage to the end-user (this is you) while the software developer leaves the exposure unpatched. Google’s Project Zero has similar guidelines when it comes to disclosing vulnerabilities. They publish the full details of the vulnerability after 90 days, whether or not it has been patched.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
