WordPress Security Flaws in 400 NHS Websites Leave them Vulnerable to Attack

Posted by on Mar 25, 2014 in Business, Computer Security, Uncategorized, Web Development and SEO | 0 comments

According to a recent survey, WordPress is currently used on 20% of websites on the internet, and the NHS are clearly an avid user, even if their websites are not being properly managed. In a recent article in Computer Active, it was announced that independent security researcher Terence Eden had discovered that around 400 NHS websites were vulnerable to attack, putting their data and their customers at risk of malware and viral infection.

Terence likened the situation to someone ‘walking past a house and seeing a wide open window…An attacker could use the site to host viruses – or automatically redirect users to convincing-looking fake sites. An attacker could also change the site to look like the NHS is endorsing and selling dodgy pills and potions,’ Eden explained.

Eden said that bugs on old versions of WordPress could also let criminals steal passwords and other personal information, which in turn could compromise the integrity of the NHS.

‘If people are not able to trust the information present on their local hospital’s website, they are less likely to trust the NHS.’

The last thing a visitor needs when visiting the NHS is to pick up another infection! Due to its popularity, WordPress websites are constantly under attack from hackers, and a standard install is prone to attack from many vectors. GiraffeDog build WordPress websites that are secure and proactive in defending themselves from attack. You should also ensure that they are kept up to date with a monthly maintenance plan.

What can organisations like the NHS do to improve WordPress security?

Running a WordPress website is like owning a car: you need to service it regularly to keep risks to a minimum.

The WordPress security issues that the NHS are experiencing come down to the fact that their websites are not being managed correctly, or have been built by a third party developer and simply forgotten about. With cutbacks and a lack of training, it is understandable that there are websites out there that have been neglected. We would recommend that you organise a weekly maintenance schedule to keep your WordPress website up to date and secure. This applies regardless of which content management system you use:

Make sure you have a tested WordPress backup running

Don’t just assume that it’ll work. Disaster recovery (DR) test it so you can sleep at night! That way if anything does happen, you can at least roll back to a previous copy.

Upgrade to the latest version of WordPress

WordPress had some huge updates in 2013: they didn’t just change the way the admin panel works, they fixed some serious WordPress security holes too. The latest version at the time of writing this post is WordPress 3.8.1. Don’t forget to check that your plugins support the new version before upgrading your WordPress website.

Harden your WordPress website

Make sure you’re not just running an out-of-the-box version of WordPress, and add tried and tested security plugins to limit access. You also need to make sure that the username admin is NEVER used! Look out for TimThumb vulnerability exploits on older themes! A lot of attacks on your WordPress website will be based on known exploits.

Upgrade all WordPress plugins and WordPress widgets

Delete any that you don’t use any more. The more plugins you’re using, the more you are relying on third party providers to keep your site up to date.

Keep your WordPress theme up-to-date

Many organisations rely on the development of third party themes, so you need to ensure that they have been upgraded to their latest versions. Use a child theme to make sure you don’t have to re-edit any parts that you’ve tweaked. If you’ve had a custom theme built, then you need to understand that it too needs to be kept up to date. Remove any other themes you’re not using, in case there are vulnerabilities in them.

Get the best managed WordPress hosting

Make sure your hosting company can support WordPress and understands its requirements when it comes to WordPress security, maintenance and support.
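The checklist above (tested backup, current core, no TimThumb copies, no unused themes, no "admin" login) can be turned into a script you run as part of the weekly maintenance. The following is an added example, not code from the original post or from GiraffeDog. It audits a WordPress document root offline and assumes the standard layout (wp-includes/version.php, wp-content/themes, wp-content/plugins) plus a backups/ directory of dated archives; the "latest" version and the list of user logins are passed in by hand, and the sample document root it builds is constructed for the demo, not a real site.

```shell
#!/bin/sh
# Added example (not from the original post): offline audit of a WordPress
# docroot against the maintenance checklist. Assumes the standard layout plus
# a backups/ directory; nothing here touches the network or the database.

# True (exit 0) when dotted version $1 is older than $2, e.g. 3.7.1 < 3.8.1.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=''; else b=${b#*.}; fi
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# Core version as recorded in wp-includes/version.php.
wp_core_version() {
    sed -n "s/^[$]wp_version = '\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# Paths of TimThumb copies under wp-content; old themes often bundle their own.
find_timthumb() {
    find "$1/wp-content" -type f \( -name timthumb.php -o -name thumb.php \)
}

# Theme directories other than the active one ($2 is the value of the
# 'stylesheet' option, e.g. from `wp option get stylesheet`).
inactive_themes() {
    for t in "$1"/wp-content/themes/*/; do
        t=$(basename "$t")
        if [ "$t" != "$2" ]; then echo "$t"; fi
    done
    return 0
}

# True when no file under backups/ is newer than $2 days.
backup_stale() {
    [ -z "$(find "$1/backups" -type f -mtime "-$2" 2>/dev/null)" ]
}

# True when the login "admin" appears in a newline-separated list of logins
# (e.g. the output of `wp user list --field=user_login`).
has_admin_login() {
    printf '%s\n' "$1" | grep -qx 'admin'
}

# Run every check, print findings, and return their count (0 = clean).
audit_wordpress() {
    root="$1"; latest="$2"; active="$3"; logins="$4"; findings=0
    cur=$(wp_core_version "$root")
    if version_lt "$cur" "$latest"; then
        echo "CORE: running $cur, latest is $latest - upgrade (check plugin support first)"
        findings=$((findings + 1))
    fi
    tt=$(find_timthumb "$root")
    if [ -n "$tt" ]; then
        echo "THEME: TimThumb copies found:"; echo "$tt"
        findings=$((findings + 1))
    fi
    unused=$(inactive_themes "$root" "$active")
    if [ -n "$unused" ]; then
        echo "THEME: inactive themes present, remove them: $(echo "$unused" | tr '\n' ' ')"
        findings=$((findings + 1))
    fi
    if backup_stale "$root" 7; then
        echo "BACKUP: no backup newer than 7 days - fix the schedule and test a restore"
        findings=$((findings + 1))
    fi
    if has_admin_login "$logins"; then
        echo "USERS: login 'admin' exists - create a new administrator and delete it"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample docroot (not a real site): old core, a theme bundling
# TimThumb, an unused theme and a backup dated January 2014.
make_fixture() {
    root="$1"
    mkdir -p "$root/wp-includes" "$root/wp-content/plugins" \
             "$root/wp-content/themes/twentytwelve" \
             "$root/wp-content/themes/old-theme/scripts" "$root/backups"
    printf "<?php\n\$wp_version = '3.7.1';\n" > "$root/wp-includes/version.php"
    : > "$root/wp-content/themes/old-theme/scripts/timthumb.php"
    : > "$root/backups/site-2014-01-01.tar.gz"
    touch -t 201401010000 "$root/backups/site-2014-01-01.tar.gz"
}

# Demo run against the constructed docroot; point it at a live docroot instead.
demo_root=$(mktemp -d)
make_fixture "$demo_root"
rc=0
audit_wordpress "$demo_root" 3.8.1 twentytwelve "$(printf 'admin\neditor\n')" || rc=$?
echo "findings: $rc"
rm -rf "$demo_root"
```

On the sample docroot the script reports five findings, one per checklist item. The two inputs it cannot derive from the filesystem, the active theme and the user logins, live in the database, which is why they are passed in rather than guessed; plugin and theme update status is likewise best taken from the admin panel or WP-CLI rather than inferred from directory contents.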

Managed WordPress Hosting

GiraffeDog provide reliable managed WordPress hosting, which allows you to get on with the job at hand: looking after your business. We make sure all your plugins, themes, codebase and core updates are applied, with regular reports run for our clients.
Are you looking for a new WordPress hosting provider? Our managed WordPress hosting packages start from £29.99 + VAT per month. We will even migrate your data from your current supplier. Why not contact us to find out more?
