Secure together: Managing your WordPress access during coronavirus

If a week is a long time in politics, then it’s a veritable aeon when it comes to economy-collapsing, pub-closing, sports-halting pandemics.

In the space of a few days, we’ve gone from mild concern as we looked at statistics, to frustration as pubs and restaurants closed, to cautiously stocking up on supplies, and eventually to a numbing acceptance that we’re all going to be stuck inside for the foreseeable future.

Updates have come at us so frequently that the world has become unstuck in time; the days of visiting friends and being able to buy rice seem so long ago that they’re starting to feel like distant, half-forgotten dreams.

Indeed, perhaps the most unsettling aspect of all this is how quickly the things we’ve built our lives around have been tossed aside. If football and concerts and socialising and personal space don’t matter any more, then what does?

We’re not here to answer those questions, but we can help you navigate what’s important in the workplace, which – as ever – is to remain safe and productive.

This new series is designed to bring us together during the coronavirus pandemic. Each week, we’ll share stories of how our team is overcoming the challenges of this strange new reality, and give you pointers on how to stay secure in your temporary work environment.

At home with… a copywriter

Copywriting is one of the few occupations relatively unaffected by the coronavirus pandemic, but as IT Governance’s blog writer Luke Irwin explains, there are security issues that writers should be aware of when establishing their home office set-up.

While many people’s work lives have been turned upside down in the past two weeks, whether that’s because they’re out of a job, overrun with work or scrabbling to find ways to work from home, many professional writers will have barely noticed a difference.

We are fortunate that our jobs can be done from almost anywhere and require little face-to-face communication. Many of us already work from home on an occasional or full-time basis, so our work routines will be a rare piece of continuity in this otherwise turbulent time.

However, one major problem that IT Governance faced during the pandemic was how to get its content live. We are among the millions of organisations that host our content on WordPress, which is notoriously vulnerable to cyber attacks.

That’s not necessarily a knock against the CMS (content management system). With such a large userbase and countless plugins that can be applied and therefore exploited, it’s inevitably going to be targeted by cyber criminals.

When criminal hackers exploited a privilege escalation vulnerability in 2017, defacing 1.5 million WordPress-run sites, researchers noted just how difficult it is for the CMS to prevent attacks. IBM X-Force published a report noting that:

“[T]he sheer quantity of WordPress-based sites makes them natural targets for spammers and cybercriminals who compromise legitimate websites to freely host their own malicious content.

“And since so many sites are based on the same code, finding just one vulnerability can mean compromising the lot of them, a practice that black-hat hackers apply to any type of platform.”




IT Governance had a simple solution to mitigate these risks: it implemented strict controls on who could access the CMS and from where. Unless you logged on from a whitelisted IP address – those associated with our offices – you would be denied entry.

This protects us from a range of threats, including the types of privilege escalation vulnerability that allowed criminal hackers to run rampant on sites back in 2017.

Likewise, it protected us from credential-stuffing attacks and other password breaches, ensuring that even if an unauthorised party accessed the login details of one of our sites, they wouldn’t be able to do anything with them unless they breached our physical perimeter.

Until now, there had been no problems with this system. I would upload blogs when I was in the office, and the days when I wasn’t, a colleague would do it for me.

But now no one is in the office. That put us in a tough spot, because even I thought it would be a tough sell to say that blogging was an ‘essential service’.

Obviously, as important as our blogs are, we wouldn’t jeopardise our safety – and the safety of those around us – to go into the office to upload them. Particularly not when there was a simpler, safer solution in the form of two-factor authentication.


Keeping secure with two-factor authentication

In its simplest form, two-factor authentication is an added layer of protection when signing into a service. Users are required to enter a password as normal, but they should also provide a second piece of information that confirms that they have legitimate access to the system.

This is typically either a possession factor (such as a code sent to your phone or email address) or an inherent factor (such as a fingerprint scan).

Our IT team was able to implement two-factor authentication in a matter of hours so that a select number of home workers can log in to WordPress.
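The access policy described above (office IP allowlist, plus a second factor for home workers) can be sketched as follows. This is an added example, not IT Governance's configuration or WordPress code; the user name, network range, secret and the choice of time-based one-time codes (RFC 6238) are assumptions made for illustration.

```python
import base64, hashlib, hmac, ipaddress, struct

# Constructed sample values: a documentation IP range and the RFC 6238 test secret.
OFFICE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
TOTP_SECRETS = {"luke": base64.b32encode(b"12345678901234567890").decode()}

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def from_office(remote_addr):
    """True if the TCP peer address lies inside an allowlisted office network."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # malformed address: treat as outside the office
    return any(ip in net for net in OFFICE_NETS)

def second_factor_ok(user, code, now, used_steps):
    """Accept a code for the current or previous 30-second step, once only."""
    secret = TOTP_SECRETS.get(user)  # only enrolled home workers have one
    if secret is None or not code:
        return False
    current = int(now) // 30
    for step in (current, current - 1):
        expected = totp(secret, step * 30)
        if hmac.compare_digest(expected.encode(), code.encode()):
            if (user, step) in used_steps:
                return False  # replay of an already accepted code
            used_steps.add((user, step))
            return True
    return False

def may_reach_login(user, password_ok, remote_addr, code, now, used_steps):
    """The password is always required; office location or a valid code is the extra gate."""
    if not password_ok:
        return False
    return from_office(remote_addr) or second_factor_ok(user, code, now, used_steps)
```

`remote_addr` must be the address of the TCP connection as seen by the server; a client-supplied header such as `X-Forwarded-For` can be forged unless it is set by a proxy you control.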

One of the few knocks against this mechanism – that it can be exploited if a malicious actor steals the device where the possession or inherent factor is stored – poses little risk under these circumstances.

After all, employees shouldn’t be leaving the house with their work equipment, so unless they happen to live with a criminal hacker, there’s nothing to worry about.

This issue will of course have to be reviewed at such a time when we are allowed out of our homes and back into the office, but for the time being, it’s a resilient solution to a major threat.

WordPress, like many third-party services, comes with multi-factor functionality, and at a time when information security risks pose such a huge threat, we urge you to implement the mechanism to protect your organisation.

You can find out more by reading Mark Stanislav’s Two-Factor Authentication.

This guide explains:

  • How two-factor authentication works and which factors are appropriate for your organisation;
  • Why the mechanism is essential for protecting your business; and
  • How to implement two-factor authentication on your systems.

Our top tip for working from home

For those who aren’t used to working remotely, the sudden request to pack up your equipment and stay at home may have forced you into an improvised workstation.

Hopefully you have a desk, or at the very least a dining table, to work from, but many people will have to resort to more rudimentary arrangements, while others will use this as an opportunity to embrace the chaos. Why not work from bed? Or on the floor?

Whatever your set-up, it’s almost certainly less convenient than the office. Fortunately, one of the few things that can keep you going is knowing that you’re doing this for the greater good, and that hundreds of millions of people across the globe are in the same situation as you.

Indeed, hashtags such as #WFH have been trending on Twitter this week with people demonstrating their work environment, while the Reddit community r/workplaces has seen a huge influx in posts.

It’s great to see people coming together like this, but before you upload pictures and videos of your new workplaces, remember this is your work desk and, as such, you might have sensitive company information on it.

Please make sure that any pictures or video you share don’t include things such as your passwords pinned to the wall, internal links on your screen or company information on documents on your desk.


One virus is enough

The coronavirus pandemic is causing a variety of security problems for organisations. We’ll continue to detail them in this weekly blog, but you can find more information on our website.

Nobody knows what the full effect of the virus will be yet, but one thing that’s for sure is that you have enough to worry about without the threat of a cyber attack or data breach.

We’ve compiled a series of solutions to help you prepare for whatever the next few weeks and months have in store.
