A Vulnerability in a Popular Program to Build and Host Websites Could Threaten Your Business

Understand the key steps to stay safe

Does your business use WordPress to build, manage, and maintain your website? If so, a recently discovered vulnerability could provide criminals with access to control and manipulate your website without your knowledge.

According to security researchers, criminals have created a backdoor in more than 90 WordPress themes and plugins, allowing them to gain access to and control your website from anywhere in the world. This kind of access lets criminals trick your customers into clicking on malicious links, putting their data and information at risk. Furthermore, once they gain control of your website, criminals can sell access to other criminals on the dark web.

Depending on how you use your website (e.g., to collect sensitive personal or financial customer information), this vulnerability could lead to embarrassment, financial penalties, or worse. Therefore, you need to act now to determine if your website is affected. However, before you panic, remember WordPress is one of the world’s most popular website builders for businesses, so you’re not alone. The Cyber Readiness Institute (CRI), our members, and partners are committed to providing you with actionable and practical cyber readiness guidance.

Take the following steps to determine whether criminals could have access to control your website. You may need to involve your IT consultant, managed service provider, or website developer. CRI offers a five-part series of guides on using outside firms to reduce your cybersecurity risks; you can review them here.

Specific Steps:

  1. Confirm whether you use WordPress to build, manage, and maintain your business website(s). Contact your website developer if you don’t know.
  2. The latest version of WordPress core was released on January 6, 2022, as a short-cycle security release. Because WordPress 5.8.3 is a security release, we recommend that you update all your sites immediately.
  3. You can update to WordPress 5.8.3 by downloading from WordPress.org or visiting your WordPress admin dashboard > Updates and clicking Update Now.
  4. If you have sites that have enabled automatic background updates, they should have already updated successfully. Just be sure to verify that all your WordPress sites are on WordPress 5.8.3.
  5. Contact WordPress Support to understand what additional steps you can take to protect your website and business data.
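
For whoever administers the web server, one way to carry out the verification in step 4 across many sites at once. This is an added example, not CRI's or WordPress's own tooling: it reads the version that WordPress core records in each install's wp-includes/version.php and flags anything older than 5.8.3. The function names, site names, and sample installs are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

MIN_VERSION = (5, 8, 3)  # the security release named in the steps above

# WordPress core records its version as:  $wp_version = '5.8.3';
_VERSION_RE = re.compile(r"^\s*\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;", re.M)

def parse_wp_version(php_source):
    """Return the version as a tuple of ints, or None if it cannot be read."""
    found = _VERSION_RE.search(php_source)
    if not found:
        return None
    # Keep only the leading numeric part: '5.9-RC1' -> '5.9'
    numeric = re.match(r"\d+(?:\.\d+)*", found.group(1))
    if not numeric:
        return None
    parts = tuple(int(p) for p in numeric.group(0).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '5.8' to (5, 8, 0)

def audit_sites(web_root, minimum=MIN_VERSION):
    """Map each install under web_root to 'ok', 'outdated' or 'unknown'."""
    results = {}
    for version_file in sorted(Path(web_root).rglob("version.php")):
        if version_file.parent.name != "wp-includes":
            continue  # some other version.php, e.g. inside a plugin
        site = version_file.parent.parent
        version = parse_wp_version(version_file.read_text(errors="replace"))
        if version is None:
            status = "unknown"  # unreadable or altered file: check by hand
        else:
            status = "ok" if version >= minimum else "outdated"
        results[str(site.relative_to(web_root))] = status
    return results

def demo():
    """Build three constructed installs in a temp directory and audit them."""
    samples = {"shop": "5.8.3", "blog": "5.8.2", "intranet": "5.9-RC1"}
    with tempfile.TemporaryDirectory() as root:
        for name, ver in samples.items():
            inc = Path(root, name, "wp-includes")
            inc.mkdir(parents=True)
            inc.joinpath("version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")
        return audit_sites(root)

if __name__ == "__main__":
    for site, status in demo().items():
        print(f"{site}: {status}")
```

A site reported as "ok" is only confirmed to be on a patched core version; themes and plugins are updated separately and are not checked by this script.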

General Steps to become Cyber Ready

There are general steps your company should take to reduce your risk from similar vulnerabilities – and from ransomware and many other cybersecurity threats.

  1. Require your employees to use strong passwords (i.e., a 15-character passphrase)
  2. Train employees on phishing threats
  3. Turn on automatic software updates across business operations
  4. Prohibit use of unapproved USBs or Removable Media
  5. Back up all your critical business data and information

You can also access our free cybersecurity resources, training, and guides at BeCyberReady.com or by following us on Twitter, Facebook, LinkedIn, and YouTube.