WordPress security for beginners

Mr. Tepken Vannkorn led the presentation “WordPress security for beginners” under the theme “Digital Security”, one of the main areas the Camp focused on.

31 participants attended his presentation, 11 of whom were women. With the participants seated in a circle, the speaker introduced himself to the workshop as a full-stack WordPress developer. He has worked for the WordPress platform for almost ten years and has built website projects for various private companies and non-governmental organizations. He also has experience with Database Management Systems using WordPress.

WordPress is a popular platform for users to build their websites. It is highly customizable with numerous plugins and templates. However, WordPress websites – like virtually every other website – can be hacked and exploited in various ways. Attackers can log in to these websites with user names and login credentials, and they can also exploit software vulnerabilities and poorly integrated third-party services that the site and its hosting rely on.

Vannkorn stated that, on average, 30,000 new websites are hacked daily. Using automated tools is one of the most common strategies attackers use to hack websites. Hackers do not hack systems by hand themselves. Instead, they use computing tools to collect and steal data, acquire information, and gain and maintain access to the target website. This way, their attack can hardly be traced.

Hacking has become harder to notice. The speaker mentioned that it took an average of 228 days to identify a security or data breach in 2020. Vannkorn warned that WordPress accounts with weak security protocols are highly exposed to security threats. Cybersecurity threats have seen a sixfold increase since the start of the COVID-19 pandemic.

Hackers might attack WordPress websites for many reasons, ranging from fun, to stealing traffic to help their own websites, to stealing information and data for decision making, to hacking a competitor’s website. Indirect hacking is another relevant concept. It happens when hackers access and exploit a website and set it up as a staging point to bait the targeted group or individuals into visiting the hacked website, said Vannkorn.

The speaker proposed numerous simple and straightforward solutions to strengthen and secure WordPress accounts and reduce the chances of being hacked. First, users should use a secure ecosystem with strong passwords and two-factor authentication and avoid default credentials. Additionally, Vannkorn recommended that the audience choose only themes and plugins that are available from the official WordPress website. He also suggested participants use a website called “Exploit Database”, which provides security information on exploited plugins, themes, and other related security breaches.

He also stressed the importance of removing unused and unnecessary themes and plugins since those can be a potential breach point for hackers. Another tip to strengthen WordPress’s security is to disable user registration if not necessary. Vannkorn also reminded WordPress owners to remove spam comments and use the latest version of PHP. Additional tips that the speaker offered during the workshop included backing up data and system configuration, disabling the theme editor, and avoiding poor and predictable usernames.

All these security tips contributed to strengthening the digital identities of all participants in the session. Introducing additional safety measures to protect one’s identity online is always recommended. Given the political context in Cambodia, digital security has become essential since the implementation of the national internet gateway (NIG) will threaten virtually everyone’s activity in the digital sphere. With increased digital surveillance, being able to protect one’s digital identity will be an essential asset, especially for vulnerable individuals and groups like human rights activists.
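
Several of the hardening tips above can be checked on a live site from the command line. The script below is an added example, not something shown in the presentation: it assumes WP-CLI (`wp`) is installed and is run from the site's root directory, and the list of predictable usernames is an assumption to adapt.

```bash
#!/usr/bin/env bash
# Added example: audits a WordPress site against the talk's checklist via WP-CLI.
# Assumption: WP-CLI ("wp") is installed and this runs from the site's root directory.

# Usernames treated as predictable; this list is an assumption, extend as needed.
PREDICTABLE_USERS="admin administrator root test user"
FINDINGS=0

warn() { echo "WARN: $1"; FINDINGS=$((FINDINGS + 1)); }

audit_wordpress() {
    FINDINGS=0
    # users_can_register is "1" when anyone may create an account.
    if [ "$(wp option get users_can_register 2>/dev/null || true)" = "1" ]; then
        warn "user registration is enabled"
    fi
    # The dashboard theme/plugin editor is off only when DISALLOW_FILE_EDIT is true.
    case "$(wp config get DISALLOW_FILE_EDIT 2>/dev/null || true)" in
        1|true) ;;
        *) warn "theme/plugin editor is enabled (DISALLOW_FILE_EDIT not set)" ;;
    esac
    # Inactive plugins and themes are still installed and still need removing.
    for kind in plugin theme; do
        for name in $(wp "$kind" list --status=inactive --field=name 2>/dev/null || true); do
            warn "unused $kind installed: $name"
        done
    done
    # Login names an attacker would guess first (compared case-insensitively).
    while IFS= read -r login; do
        lc=$(printf '%s' "$login" | tr 'A-Z' 'a-z')
        case " $PREDICTABLE_USERS " in
            *" $lc "*) warn "predictable username: $login" ;;
        esac
    done <<EOF
$(wp user list --field=user_login 2>/dev/null || true)
EOF
    # Spam comments waiting to be deleted.
    spam=$(wp comment list --status=spam --format=count 2>/dev/null || true)
    if [ "${spam:-0}" -gt 0 ] 2>/dev/null; then
        warn "$spam spam comments to remove"
    fi
    echo "PHP version in use: $(wp eval 'echo PHP_VERSION;' 2>/dev/null || true)"
    echo "$FINDINGS finding(s)"
}

# Run only where WP-CLI is available.
if command -v wp >/dev/null 2>&1; then audit_wordpress; fi
```

The script only reports; it does not delete plugins, users, or comments, and backups and two-factor authentication still have to be checked separately.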