At the end of his presentation, an attendee asked: Is it better to move away from WordPress websites entirely?
Since Grossman did not have time to answer this question, we will answer the question in this post.
But first, some context.
WordPress is an extremely popular open source content management system used worldwide for blogs. In fact, almost 40% of the Internet runs on WordPress.
SEE ALSO: Is WordPress HIPAA Compliant?
The problem with plugins
As Grossman explained, “Where WordPress gets a bad reputation has mostly to do with its plugins. The admin will install a plugin, could be one plugin out of thousands, millions. And a lot of times those plugins don’t get updated frequently. And it’s not exactly like they go through rigorous review.”
Another problem is many network scanners don’t scan for WordPress plugin vulnerabilities. “It’s a hole they have in their system,” he said.
Healthcare systems and WordPress
Grossman ran statistics on hospital networks in the US to see how many WordPress websites they run on average. He found that the median number is about 17. Health insurance companies average significantly more, about 70, “whether they realize it or not,” he noted.
Grossman’s data indicates that hospital networks have very few WordPress plugins, and most of those plugins are kept up to date. “The hospital networks do really good for some reason,” he observed.
However, this is not true for the health insurance industry, where the median number of WordPress vulnerabilities is 106. “So just think about all those companies, said Grossman. “They have about 70 WordPress sites, and they have [probably] about 100 . . . perhaps unknown WordPress vulnerabilities.”
In general, “a WordPress site tends to be really secure and well managed or really not well managed. There really is no in-between,” said Grossman. “It’s not an even distribution. There’s somebody taking care of that WordPress site and doing a good job, or there isn’t.”
How to use WordPress safely
According to Grossman, WordPress can be fairly secure—if you keep both WordPress and WordPress plugins updated.
He recommends checking for issues with WP Scan, a WordPress security scanner. WP Scan “fingerprints for the presence of a plugin,” he explained. It keeps a database of plugin vulnerabilities and detects if a user is running any of them.
Healthcare companies don’t necessarily have to move away from WordPress; they just need to keep the platform and all its plugins up to date and scan for vulnerabilities on a regular basis.
Adversaries aren’t trying to score style points to break in,” said Grossman. “They’re just gonna find a way in.”
To watch the full recording of Grossman’s presentation, visit Paubox’s YouTube channel.
To read a summary, visit this post: How to Prevent Security Vulnerabilities Before Hackers Exploit Them.