In January, users of the popular WPML WordPress plugin received a concerning email. It warned that there were serious security vulnerabilities in the plugin. The email came from a genuine WPML address, and customers had no reason to think it wasn’t legitimate. WPML is used on tens of thousands of WordPress sites, and a critical unpatched vulnerability could have been a security nightmare.
Except there was no vulnerability, and the email had been sent by a disgruntled former employee who had gained access to WPML infrastructure using an old SSH password that was still valid.
Insider attacks are not as rare as you might think. In a recent survey, 53% of respondents said that their organization had suffered an insider attack in the last year. Insiders are implicated in just under a third of all cybercrime breaches. A PwC survey showed that employees, service providers, and contractors are responsible for a huge number of security breaches. A third of executives reported that online crimes perpetrated by trusted insiders caused financial and reputation losses to their organization.
Insider threats are challenging to defend against. A certain level of trust is required for employees to do their jobs. If they choose to abuse that trust, there’s little a business owner can do about it until the damage is done. But there are steps that security conscious business owners can take to limit the risk of insider threats to their WordPress business.
Give Every Employee Their Own Account
Every employee and freelance developer, designer, or marketer should be given their own user account if they need an account at all. For every application or server they need access to, a unique account should be created just for them. There should be no shared accounts.
It is often more convenient to use shared accounts, which is perhaps what happened in the case of WPML. There should be no “old SSH” credential that anyone who happens to know the password can use. Consider how many other ex-employees and contractors may have had access to the same account.
Limit Access Using WordPress’ Roles And Capabilities
WordPress comes with a range of user roles, each of which has associated capabilities. A user given the Administrator role has full control over all admin features on a site. An Editor can publish and manage their own posts and the posts of others. An Author can only publish and manage their own posts.
Because everyone has their own account, you can restrict each person’s privileges to exactly those they need to do their job.
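As an added example (not code from the original article, and not WPML’s own tooling), here is how the per-person, least-privilege setup described in the previous two sections could be scripted inside WordPress. It assumes a loaded WordPress context, for instance run with `wp eval-file` or as a must-use plugin, so core functions such as `wp_insert_user()` and `user_can()` are available; the logins, e-mail addresses and role choices are constructed sample data, and the helper name `provision_user` is mine.

```php
<?php
// Added example: one account per named person, each with the least-privileged
// built-in role that still lets them do their job, followed by a capability
// spot-check. Assumes a loaded WordPress (e.g. `wp eval-file` or a must-use
// plugin). The people, e-mails and roles below are constructed data.

$people = [
    ['login' => 'jane.writer',  'email' => 'jane@example.com', 'role' => 'author'],      // her own posts only
    ['login' => 'sam.editor',   'email' => 'sam@example.com',  'role' => 'editor'],      // everyone's posts
    ['login' => 'lee.designer', 'email' => 'lee@example.com',  'role' => 'contributor'], // drafts, cannot publish
];

/**
 * Create a dedicated account for one named person. Returns the new user ID,
 * or a WP_Error if the login or e-mail is already taken (a duplicate usually
 * means someone was about to share the existing account instead).
 */
function provision_user(array $p) {
    if (username_exists($p['login']) || email_exists($p['email'])) {
        return new WP_Error('exists', "Account for {$p['login']} already exists");
    }
    $user_id = wp_insert_user([
        'user_login' => $p['login'],
        'user_email' => $p['email'],
        'user_pass'  => wp_generate_password(32, true), // throwaway; never handed to anyone
        'role'       => $p['role'],
    ]);
    if (!is_wp_error($user_id)) {
        // E-mail the person a set-password link so nobody else ever sees their password.
        wp_new_user_notification($user_id, null, 'user');
    }
    return $user_id;
}

foreach ($people as $p) {
    $id = provision_user($p);
    if (is_wp_error($id)) {
        error_log($id->get_error_message());
        continue;
    }
    // Confirm the role boundary: can this account touch others' posts or plugins?
    printf("%-13s role=%-12s edit_others_posts=%s activate_plugins=%s\n",
        $p['login'], $p['role'],
        user_can($id, 'edit_others_posts') ? 'yes' : 'no',
        user_can($id, 'activate_plugins')  ? 'yes' : 'no');
}

// Administrators hold every capability; keep that list as short as possible.
$admins = get_users(['role' => 'administrator', 'fields' => ['user_login']]);
printf("%d administrator account(s): %s\n",
    count($admins), implode(', ', wp_list_pluck($admins, 'user_login')));
```

The same one-person-one-credential rule applies outside WordPress: SSH logins, hosting control panels and deployment tools should each have a named account per person rather than a password that is passed around.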
Delete Accounts As Soon As An Employee Leaves
The main benefit of giving everyone their own account is that it can be deleted immediately if they leave. Once the departing employee’s accounts are deleted, they no longer have access to do mischief. When you hire a writer and give them access to publish content on your WordPress site, it’s a bad idea to let them keep their access forever.
Keep a record of which accounts an employee has access to, and delete them as soon as possible.
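An added example of the offboarding step (not part of the original article): delete the departing person’s WordPress account at once, hand their content to a named successor so nothing is orphaned, and print the roster that serves as the record of who still has an account. It assumes a loaded WordPress context; the logins and the helper name `offboard_user` are constructed.

```php
<?php
// Added example: offboard a departing person by deleting their WordPress
// account immediately and reassigning their content, then print the
// remaining roster as an access record. Assumes a loaded WordPress
// (e.g. `wp eval-file` or a must-use plugin); the logins are constructed.

require_once ABSPATH . 'wp-admin/includes/user.php'; // defines wp_delete_user()

/**
 * Delete $login's account and give their posts and pages to $successor_login.
 * wp_delete_user() also removes the user's usermeta rows, which is where
 * WordPress keeps login session tokens, so any sessions still open end too.
 */
function offboard_user(string $login, string $successor_login): bool {
    $leaver    = get_user_by('login', $login);
    $successor = get_user_by('login', $successor_login);
    if (!$leaver || !$successor || $leaver->ID === $successor->ID) {
        error_log("offboard: cannot reassign '$login' to '$successor_login'");
        return false;
    }
    if (!wp_delete_user($leaver->ID, $successor->ID)) {
        error_log("offboard: deleting '$login' failed");
        return false;
    }
    error_log(sprintf('offboard: deleted %s (ID %d); content now owned by %s',
        $login, $leaver->ID, $successor_login));
    return true;
}

// Constructed scenario: the writer leaves and the editor inherits her posts.
offboard_user('jane.writer', 'sam.editor');

// Roster of remaining accounts: the record of who still has access.
foreach (get_users(['orderby' => 'registered', 'order' => 'ASC']) as $u) {
    printf("%-13s %-22s %-12s registered %s\n",
        $u->user_login, $u->user_email, implode(',', $u->roles), $u->user_registered);
}
```

On a multisite network `wp_delete_user()` only removes the user from the current site; `wpmu_delete_user()` removes the network-wide account. Run the roster step regularly, not just at offboarding, so an account that should have been deleted is noticed rather than forgotten.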
Giving everyone an account with limited privileges is security common sense, but it doesn’t help if employees share their passwords. There are many reasons to share passwords, and it is often convenient to give a co-worker a password so that they can reach features and data they wouldn’t ordinarily be able to access. But sharing passwords undermines security. Employees and contractors should be made aware of the risk and discouraged from sharing authentication credentials.
The security precautions we have covered are widely acknowledged to be the right thing to do, but they are rarely implemented. Why? Because it is inconvenient, creates extra work, and costs money. However, taking security precautions is not as inconvenient as the financial and reputational havoc of a security breach caused by an insider.