This article was sponsored by Incapsula. Thank you for supporting the partners who make SitePoint possible.
Distributed denial of service (DDoS) attacks are increasingly a fact of life for any business with a web presence. For any company, large or small, it’s no longer a matter of “if” you will get hit with a DDoS attack, but “when.” And without a third-party provider like Incapsula, WordPress sites are increasingly vulnerable to bots delivering DDoS attacks.
The more popular a platform is, the more likely it’ll become a target for attacks. And WordPress is by far the most popular platform on the Internet. The CMS accounts for nearly 60 percent of market share and comprises a staggering 25 percent of all sites across the web. Of all those millions of sites, 60 percent are running older versions of WordPress, or newer but unpatched versions, that are vulnerable to being turned into bots that participate in an attack.
Based on industry reports and current trends, the prevalence of DDoS assaults is increasing at a rapid pace, and recovering from the damage of an attack can take months or years. Over half of the respondents in an Incapsula survey (52 percent) reported that their organization had to replace software/hardware, or that it had lost revenue. An additional 43 percent confirmed that their organization lost consumer trust.
Patching WordPress Won’t Stop a DDoS Attack
“The biggest security vulnerability is an outdated WordPress component,” says Eric Murphy, Director of Security at WP Engine. “The most important thing people should be doing is ensuring their WordPress core, themes and plugins are all kept up-to-date. Understanding the OWASP Top 10 further enables users, developers and engineers to protect their WordPress assets.”
Murphy’s right. Patching your WordPress site will keep your site stable and prevent a lot of attacks. But it can’t stop a determined DDoS attack. Even if you employ the most diligent WordPress admin, one who stares at a screen, tests and applies patches as soon as they're released, and tirelessly keeps the site up-to-date, your site can still be brought to its knees by a DDoS attack, costing your business sales, resources and reputation.
Another reason your site is vulnerable to DDoS attacks is that they’re sourced from a growing matrix of unpatched IoT devices that span the Internet. Many (most?) vendors who are bringing devices online aren't prioritizing security and instead opt for customers’ ease-of-use. The reasoning is that whenever an extra layer of security is required, it could potentially affect sales.
Yet another reason that security is an afterthought for IoT devices — even in the age of the DDoS hack — is that vendors are bringing their products to market as quickly as possible. If they get it to market first, they can win or even dominate market share. So the product is dropped with an immature or even non-existent security framework with a plan to fix the security issues later. But in the meantime, your WordPress site is hit again by another attack vector.
The Trouble with IoT
The proliferation of IoT devices is directly increasing the number and strength of DDoS attacks. Nearly any smart device can be leveraged in a DDoS attack. A couple of white hat hackers demonstrated how a Nest thermostat could be used to extort money from its users. Nest is owned by Google and can afford to patch the vulnerabilities, yet many smaller companies with IoT devices cannot afford to regularly patch them.
by Dino Londis via SitePoint