You have a WordPress site. Are you at risk?

The short answer: yes. WordPress is a perfect storm for attackers. Most sites are set up by amateurs or junior developers with little or no security training. Those sites run themes and plugins the owner did not write and has never audited, bought from third-party developers over the internet. And most of them sit on low-cost hosting plans that enforce no security baseline and get little or no oversight.

And since there are over 75 million WordPress sites, attackers scan the internet specifically for soft targets and hit them with bots and scripts that guess login passwords and look for known-vulnerable plugins. Every site, big or small, is under constant assault from these probes. Even the small companies we work with, such as home inspectors, pizza shops and healthcare consultants, see attempts from places like Russia, China, Brazil and Lawrenceville, and our larger partners see thousands of attempts a day.

But I don’t collect credit card information!

Most people assume the goal of hacking is to steal customer financial data. Hackers do go after that, but they are just as interested in non-financial data and in control of the web site or server itself (a compromised site can host phishing pages, send spam or attack other sites). So most of the people we speak with assume they are not a target because they don't sell anything online and their site doesn't collect credit card numbers, when in fact they are. Attackers look for soft targets holding non-financial data, such as names, email addresses and phone numbers, and keep collecting until they have enough to steal a person's identity.

This raises the stakes, because almost every web site collects some customer data through a 'contact us' form or a 'sign up for our newsletter' form. Form plugins typically store those submissions in the same database that holds your WordPress pages and posts, so anyone who gets read access to that database, or an administrator login, gets the form data too. It is not as valuable as financial data, but it is still worth a lot to attackers, especially those who share data and cross-reference it against other breaches.

If I get hacked, I’m not liable for damages, right?

If an intrusion occurs and customer data is stolen, the web site owner is responsible for reporting it. In Pennsylvania, for example, the owner might be liable for up to $200 per affected customer to provide ongoing identity protection.

Pennsylvania's Breach of Personal Information Notification Act defines a breach of the security of the system as follows: "The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth. Good faith acquisition of personal information by an employee or agent of the entity for the purposes of the entity is not a breach of the security of the system if the personal information is not used for a purpose other than the lawful purpose of the entity and is not subject to further unauthorized disclosure."

So a newsletter form that has collected 400 names and email addresses might cost $80,000 in identity protection if that list is stolen (the exact figures depend on what data was taken and which state's law applies). Most companies carry only about $5,000 of cyber coverage in their business insurance, which leaves the web site owner with a $75,000 liability. Ouch. And that is before the cost of tracking down and notifying the customers, cleaning up the web site and training staff on how to handle the problem if it happens again. A typical web site hack can cost a company upwards of $200,000.