04/29/2013 04:06 pm ET Updated Jun 29, 2013

WordPress Hackers Serve Up Cautionary Tale to Small Businesses

What company today operates without a website? Practically every firm in every business segment has a web-facing front end to act as a customer store front and product or service information channel.

If your company's website 'goes down' for any reason, the loss of face and reputation can be long lasting in front of customers who quickly become disenchanted by lack of service.

With this 'reliance' on website uptime in mind, some valuable lessons were highlighted earlier this month by the hack that occurred on the very popular open source web content management tool WordPress. The service was attacked and will have alarmed the hundreds of thousands of small to medium sized businesses (SMBs) who use WordPress as the engine behind their web presence. Maybe you were one of the many firms inconvenienced by the botnet behind this attack.

A total of some 64 million websites are built using WordPress and an estimated 371 million people read the content that is posted through this service in any one month.

The BBC News service this month reported that the botnet targets WordPress users with the username "admin," trying thousands of possible passwords. Surprising though it may sound, many users still have the "admin" username left unchanged from the point of initial sign-in, leaving themselves more susceptible to malware-based attacks of this kind. Other users with more personalized usernames are also thought to have been affected.

The attack itself began a week after WordPress confirmed that it had improved its own security systems by introducing an (albeit optional) two-step authentication log-in option.

According to instructions from WordPress itself, "When you log in to your WordPress.com account, we'll prompt you to enter a secret number. To get that secret number, you'll need to download the Google Authenticator App on your smartphone. It generates a new number every 30 seconds, making it virtually impossible to guess."

Again turning to the BBC report, it appears that this attack was perpetrated by hackers using what was described as a "relatively weak" botnet made up of a group of compromised home PCs. This network was then used to build a much larger botnet of far more powerful connected servers that could spread the attack further.

Once again we come back to the very real threat this kind of malware presents to small- to medium-sized businesses, which very commonly use these kinds of free and open source tools to build up and maintain their online presence. While hackers continue to derive value and pleasure from disrupting the lives of ordinary citizens and companies, the only option is to adopt strong password policies, two-factor authentication options (where they exist) and robust anti-virus and malware security software throughout the business.