Cyberattacks are on the rise everywhere and targeting small to mid-sized businesses more every year. Recent threat reports show global cyberattacks increased by 38% in 2022. Attacks rose by 57% in the United States, 77% in the United Kingdom, and 26% in Singapore. Statista estimated the global online crime cost was around USD 8.4 trillion. That’s an increase of USD 3 trillion every year since 2020.
It may be impossible to overestimate the risk of cybercrime today. There’s no doubt your business is a target. But the good news is it’s very possible to ensure your business is not a victim.
In 2023, the World Economic Forum (WEF) placed cybersecurity failure in its top five risks for the first time. The WEF’s annual Global Risks Report for 2022 notes an enormous 300% spike in state-sponsored cyber-attacks since 2020. The WEF even suggests that risk analysts have underestimated internet crime for its severity as a long-term threat.
The FBI’s Internet Computer Crime Center (IC3) reported nearly USD 7 billion in US business losses from cybercrime in 2021. That’s a 64% increase from 2020. Most victims were small businesses. Half of all Canadian small businesses — and more than half in the United States — experienced cyberattacks in 2022. For more details, see Verizon Business and the Canadian Federation of Independent Business (CFIB).

It’s called “spear phishing” — and you’re the fish.
Today, the fastest growing cyberattack trends target SMBs through their employees with sophisticated “spear phishing” and even “whaling” campaigns. (Whaling aims at high-profile, high-value victims like executives and board members.) In 2023, Verizon Business’ Data Breach Investigations Report showed 50% of all socially engineered attacks involved “pretexting.” Pretexting is a spear phishing tactic. Basic phishing is still common but fell to 44% of the attacks analyzed by Verizon.
Forbes reports small business employees are experiencing 350% more social engineering attacks than larger companies.
Spear phishing is a well-researched and informed social engineering approach to hacking and online fraud. It’s “phishing” that goes beyond the basic level of spammy fraud that’s shotgunned at everyone and anyone.
For example, spear phishing might involve tricking employees at a specific company into giving up sensitive information or installing malware. Malware (22%) and phishing (20%) are taking the lead as the top two most common attack methods, according to UpCity. AI tools like ChatGPT make it easier for criminals to research their targets and write convincing emails today.
Unfortunately, CNBC reports that despite being aggressively targeted, small businesses are less concerned about cybersecurity risks than larger companies. As a result, they invest significantly less in IT security. That’s unfortunate because the cost of prevention is always much, much lower than the total cost of a severe breach.
How much can a security breach cost your business?
In 2021, our friends at Patchstack found that the cost to clean a hacked WordPress site could reach USD 4,800. However, this only counts the direct remediation costs, such as hiring professionals to restore the site, remove malicious code, and harden security measures. The total cost of a compromised website can be much higher. Additional costs include lost business, incalculable damage to brand reputation, potential regulatory fines for data breaches, and the time spent resolving the issue. The larger the company, the higher the cost — generally thousands of dollars per employee and several million dollars per breach.
Regarding ransomware, the cost of losing control of a website goes far beyond the lost daily revenue. In 2016, the New York Times reported how ransomware plagued a toy company, Rokenbok Education, during the previous holiday season. Cybercriminals infected Rokenbok’s database with malware. The attackers “encrypted company files” and demanded “a hefty ransom to unlock the data.” Rather than pay the ransom, Rokenbok rebuilt its whole system.
Previously, Rokenbok had experienced a denial of service attack, which also took them offline for a while. While outages may be temporary, a few days of lost business can have a permanent cost when customers go elsewhere. The Times also reported how a denial of service attack took down the website for a large indoor skatepark. Many customers thought the business had closed permanently — a lasting, harmful misperception.
The costs of a bad breach are more than financial
These are relatively mild examples of what can happen to a business in a cyberattack. In the past ten years, ransomware attacks have steadily increased. Dark web organizations offering ransomware-as-a-service have lowered the costs of this criminal enterprise. The risks for small-to-mid-sized businesses have only gone up. According to Verizon’s 2023 data breach report, successful ransomware attacks are skyrocketing, and so are their costs:
The median cost per ransomware more than doubled over the past two years to $26,000, with 95% of incidents that experienced a loss costing between $1 and $2.25 million.
Verizon Business 2023 Data Breach Investigations Report
Apart from the financial costs, having your employees targeted and your business crippled is a brutal experience to go through. It’s enraging, humiliating, and traumatic to staff morale. For an eye-opening impact assessment of a ransomware attack, read this study of a 2016 incident at a major North American university.
Protect your WordPress website with a layered defense.
Business owners should take serious steps to avoid significant losses in a cyberattack. As a WordPress site owner, you should prioritize hardening your site’s defenses and securing your user accounts to prevent denial of service attacks, data breaches, and hacks. Maintaining software updates, especially for the plugins you use, and a sensible user security policy following the principle of least privilege are the foundational layers of a solid, proactive defense.
WordPress websites are most at risk when vulnerable plugins and themes aren’t updated or replaced. Vulnerabilities emerge over time in all software, so maintenance is essential. There is a very high probability a WordPress site with 20-30 plugins will have at least one new vulnerability if no updates have been applied for as little as a month. An equally common source of hacked websites is insecure, poorly managed user accounts with weak, stolen, or recycled passwords.
Update your software and protect your users.
Keeping your plugins updated and your user accounts secure will dramatically reduce the risk of successful exploits. Criminals target vulnerable code and insecure user accounts, and they commonly target both of these weak points together. For example, attackers can exploit many plugin vulnerabilities only if they also control a user account with a certain level of privileges. Denying them easy access to user accounts makes that attack vector irrelevant. You should cover both vectors, of course. If you ensure your site is up to date and user-level security is high, you are unlikely to experience a severe breach or hack.
Let’s look at both attack vectors and how to reduce, if not eliminate, the risk of them compromising your site and users.
Our weekly WordPress Vulnerability Report covers recent WordPress plugin, theme, and core vulnerabilities, and it explains what to do if you have a vulnerable plugin or theme on your website. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities are essential to keep the WordPress community safe.
Check daily for vulnerable plugins and themes.
As you can see in our weekly security reports, security researchers disclose many new WordPress plugin and theme vulnerabilities each week. We see a significant increase in the total number of vulnerabilities each year. 2023 is on track to set even higher records as more security researchers are working harder to secure WordPress software.
This is a good thing in the enormous WordPress space, which accounts for 43% of all websites and 64% of all CMS-driven sites. Open-source software relies on responsible disclosure to fix rather than hide bugs.
We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin lets you know if your site is running a theme, plugin, or version of WordPress core with a known vulnerability. It will also apply any available updates automatically if you activate this feature.
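As an added example (not code from this post or from iThemes Security Pro), the script below performs the same version-range check a scanner does: it reads constructed output in the shape of WP-CLI’s `wp plugin list --format=json` (the `update_version` field is assumed) and matches each installed plugin against a constructed advisory list, reporting the severity and the safe action for each hit.

```python
"""Flag installed WordPress plugins whose version falls inside a published
vulnerable range and say whether the fixed release is already offered as an update."""
import json

# Constructed sample in the shape of:
#   wp plugin list --format=json --fields=name,status,version,update_version
WP_PLUGIN_LIST = """[
  {"name": "example-forms",   "status": "active",   "version": "2.3.1", "update_version": "2.4.0"},
  {"name": "example-gallery", "status": "inactive", "version": "1.0.9", "update_version": ""},
  {"name": "example-seo",     "status": "active",   "version": "5.2.0", "update_version": ""}
]"""

# Constructed advisory feed (not a real vulnerability database). Severity uses the
# Low/Medium/High/Critical scale; "fixed_in" is the first patched release, or None if unpatched.
ADVISORIES = [
    {"slug": "example-forms",   "severity": "High",     "affected_below": "2.4.0", "fixed_in": "2.4.0"},
    {"slug": "example-gallery", "severity": "Critical", "affected_below": "1.1.0", "fixed_in": None},
]

def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) so tuples compare numerically (2.10 > 2.9)."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_vulnerable(installed, affected_below):
    """True when the installed release predates the first fixed release."""
    return parse_version(installed) < parse_version(affected_below)

def audit(plugin_list_json, advisories):
    """Return one finding per installed plugin that matches an advisory."""
    by_slug = {a["slug"]: a for a in advisories}
    findings = []
    for plugin in json.loads(plugin_list_json):
        adv = by_slug.get(plugin["name"])
        if adv is None or not is_vulnerable(plugin["version"], adv["affected_below"]):
            continue
        offered = plugin.get("update_version") or ""
        if adv["fixed_in"] is None:
            action = "no patch: deactivate or replace"
        elif offered and parse_version(offered) >= parse_version(adv["fixed_in"]):
            action = f"update to {offered}"
        else:
            action = f"patched in {adv['fixed_in']} but no update offered yet"
        # Inactive plugins are still reported: their files remain on disk and reachable.
        findings.append({"plugin": plugin["name"], "status": plugin["status"],
                         "installed": plugin["version"], "severity": adv["severity"],
                         "action": action})
    return findings

if __name__ == "__main__":
    for f in audit(WP_PLUGIN_LIST, ADVISORIES):
        print(f"{f['severity']:8} {f['plugin']} {f['installed']} ({f['status']}): {f['action']}")
```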
1. Activate iThemes Security Pro’s Site Scanner to Detect Vulnerabilities.
The iThemes Security Pro plugin’s Site Check Scanner takes aim at the number one reason why WordPress sites get hacked: outdated plugins and themes with known vulnerabilities. If you activate Site Scan Scheduling and Version Management, iThemes Security Pro will search your site twice daily for known vulnerabilities and automatically apply new security updates.
To enable the Site Scan on new installs, go to the Site Check tab in the Features menu inside the iThemes Security Pro settings screen. Click the toggle on the Site Scan Scheduling card to enable the Site Scan feature.

To trigger a manual Site Scan at any time, click the Scan Now button on the Site Scan Security Dashboard card.

If iThemes Security Pro detects a vulnerability, click the “View” link for more details.

You will see a notice if an update to patch the vulnerability is available. If a patch is available, click the Update Plugin button to apply it to your website.
2. Activate iThemes Security Pro’s Version Management to Update Vulnerable Code.
The Version Management feature in iThemes Security Pro integrates with the Site Check. It will automatically update your software to new versions if a known vulnerability exists and a patch is available. This is an excellent way to protect your site even if you miss a security update. Even the most robust security measures will fail if you run vulnerable software on your website.
Navigate to the Site Check screen from the Settings page in iThemes Security Pro and open the Site Check tab. From here, use the toggle to enable Version Management for WordPress core, plugins, and themes.

3. Activate iThemes Security Pro’s Email Alerts.
When iThemes Security Pro finds a known vulnerability on your site, it will send email alerts to Administrators or other users you specify if you activate notifications.
Once you’ve enabled Site Scan Scheduling and Version Management, head to the Notification Center settings of the plugin at Security > Settings > Notifications > Site Scan Results. On this screen, scroll to the Site Scan Results section.

Click the “Enable” box to enable notification emails. Now you can select which users will receive notifications. Click the “Save All” button to enter your changes.
During scheduled site scans, the recipients you selected will get an email if iThemes Security Pro discovers known vulnerabilities. The email will look something like this in a Gmail inbox:

Create and enforce a user-level security policy.
You can help your WordPress site users get off on the right foot with security when their accounts are created. When building sites for others, especially if new user accounts will be frequently added, you should plan an appropriate user-level security policy in iThemes Security Pro.
Your security policy should answer questions like these:
- Will you require all users to log in with Two-Factor Authentication (2FA), or will you give them a choice of login methods?
- Will you trust recognized devices and allow them to log in with a regular password but require 2FA for logins from unrecognized devices?
- Will you make Passkeys an option for some users, like Administrators?
While keeping the login process convenient and straightforward for your users, iThemes Security Pro lets you increase user authentication security to an appropriate level for those with higher privileges. Cybercriminals phishing for weak user accounts or testing stolen passwords will be unable to break through 2FA, for example. And if your users have passkeys or use another passwordless login, there are no passwords to steal from them.
Here’s an example of a security policy you might implement with iThemes Security Pro to require more robust authentication methods for higher-privilege user roles:
- All Users:
  - Require: Strong Passwords
  - Require: Periodic Password Resets
  - Optional: Two-Factor Authentication
  - Optional: Passwordless Login
- Authors, Editors, and Administrators:
  - Require: Two-Factor Authentication
  - Optional: Passkeys
For back-end users, you might also activate other features, like Activity Logging. You may want to monitor what they do on the site since they can add and modify the content or even change WordPress’s functionality. It’s your call — you can set up any security policies you want.
1. Activate Login Security Features.
Turn on the login security features you wish to use in the Settings › Login Security section of iThemes Security Pro, as shown below. Once Two-Factor Authentication, Passwordless Login, and Passkeys are enabled, you can require or optionally allow designated users to use them.

2. Organize Users and Roles into Security Groups.
WordPress organizes user accounts into a hierarchy of access role groups with different privileges. From administrators who control everything to subscribers, contributors, and authors with limited commenting and posting privileges, iThemes Security Pro lets you sort your users into custom security groups you create. This way, you can establish the login security requirements (among other things) for one or more user groups or even specific individual users.

You can’t create new user roles in WordPress with iThemes Security Pro, but you can add any of the roles created by WordPress and various plugins to the security groups you create in iThemes Security Pro. This makes user security management easier for you and anyone who maintains the site.
3. Enforce Login Security Rules for Specific Users and Groups.
Now, under Security › User Groups › Your Custom Group, you can select the security requirements for users in this group. Here the “Test Group” has stricter password requirements than the default:

User Groups in iThemes Security Pro are a powerful tool for quickly grouping together any number of users or user groups and requiring them to adopt stronger security practices based on their roles and privileges. You can set up an effective site security management system and dashboard with iThemes Security Pro. This is incredibly useful for high-value eCommerce, Membership, and Community sites with many users who often can create their own accounts.
Together with timely updates and vigilant checking for vulnerabilities, iThemes Security Pro’s user-level security controls will significantly reduce the risk of a breach by closing the two main attack vectors for WordPress websites: insecure plugins and insecure user accounts.
Security is a way of thinking, not a one-and-done activity.
The rising tide of cyberattacks, especially on small to mid-sized businesses, underscores the urgent need for adequate cybersecurity measures. As spear phishing and social engineering attacks become increasingly sophisticated, businesses must fortify their defenses or risk crippling losses. This is especially true for WordPress site owners, where a lack of maintenance and security thinking heightens the risk of attack. Outdated plugins, themes, and weak user account security practices ensure attackers have a constant supply of vulnerabilities to exploit.
Cybersecurity is no longer a luxury but a critical requirement for every business, large or small. In the form of layered defenses and hardened security, investing in prevention can save companies from the costs of a security breach and the potential loss of brand reputation and customer trust. Proactive defenses and site hardening tools like iThemes Security Pro will help you protect your site and users by raising the bar for user login security. By identifying potential vulnerabilities and applying timely updates, iThemes Security Pro will help you close the other major security risk factor as a WordPress site owner.
However, cybersecurity is not a one-off task that can be delegated entirely to software automation. It’s an ongoing commitment involving regular site checks and oversight for your users, especially those with higher access privileges. It requires establishing strong user-level security policies and informing your team about the latest threats.
Finally, businesses must remember that cybersecurity is a shared responsibility. We can mitigate the risks and protect our online spaces from cybercriminals by working together.
Responsible Disclosure: Security the WordPress Way
You might be wondering why a vulnerability would be disclosed if it gives hackers an exploit to attack. Security researchers who find vulnerabilities generally report them privately to the owner of the vulnerable code and the software developers responsible for it.
But it won’t remain a secret for long, and it shouldn’t.
With responsible disclosure, the researcher’s initial report is made privately to the developers and the company responsible for the software on the understanding that the full details will be published once a patch has been made available. There may be a slight delay in disclosing the vulnerability for significant security vulnerabilities to give more people more time to apply the patch.
The security researcher may provide a deadline for the software developer to respond to the report or to provide a patch. If this deadline is not met, the researcher may publicly disclose the vulnerability to pressure the developer to issue a patch.
Publicly disclosing a vulnerability and seemingly introducing a Zero-Day vulnerability — a type of vulnerability that has no patch and is being exploited in the wild — may seem counterproductive. But, it is the only leverage a researcher has to pressure the developer to patch the vulnerability.
If a hacker were to discover the vulnerability, they could quietly use the exploit and cause damage to the end-user (this is you) while the software developer leaves the exposure unpatched. Google’s Project Zero has similar guidelines when it comes to disclosing vulnerabilities. They publish the full details of the vulnerability after 90 days, whether or not it has been patched.
Never worry about running a vulnerable plugin or theme again.
As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be challenging to stay on top of every reported vulnerability disclosure that matters to you, so the iThemes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.
The Best WordPress Security Plugin to Secure & Protect WordPress Sites
WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.