Reports that hackers have gained root-level access to the servers of WordPress.com mean that the popular blog publishing platform has joined the long list of companies whose portals have been hacked, but the fallout could have been a lot worse, had it not been for a sensible IT security approach at the company.
Although the attackers would have been able to copy much of the source code on the servers, possibly including custom code developed for the company's premium clients, WordPress appears to have followed best practice for data at rest. The reports describe the password files as "encrypted"; for stored passwords the practice that actually matters when a database is copied is salted one-way hashing, which lets the server verify a login without being able to recover the password itself, and it is that kind of protection, together with encryption of private information such as credit card details, that limits what a stolen copy is worth.
Media reports over the last day or so have played up the hack as if it were the end of the world for the blogging industry, when it plainly isn't. By protecting user credentials and encrypting the associated sensitive data, WordPress has followed the advice of IT security professionals.
Encrypting private and financially sensitive data, and locking down access to it, is a best practice that a growing number of organisations are putting in place, particularly now that understanding of the insider threat is growing.
Where previously security defences focused on preventing an external attack from occurring, a growing number of IT professionals are recognising the risk of an attack from inside the company, whether from rogue members of staff or, as has happened in this case, from hackers who have gained access and started rummaging around on the servers.
They are therefore adopting a layered strategy for deploying security systems, combining technologies such as identity management, encryption and need-to-know access rights for sensitive files, so that no single breached control exposes everything.
By encrypting the private and financially sensitive data on its servers, and by storing user passwords in a form that cannot simply be read back, WordPress has limited the damage that has occurred.
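To make concrete why protected credentials limit the damage of a server compromise, here is an added example (not code from WordPress.com or from the original article) of salted password hashing with PBKDF2-HMAC-SHA256 from the Python standard library. The record format (`pbkdf2_sha256$iterations$salt$hash`), the function names and the iteration count are assumptions chosen for this illustration. The point it demonstrates: an attacker who copies the stored record gets a salt and a one-way digest, not the password, and the server can still verify logins and raise the work factor over time.

```python
"""Salted, iterated password hashing: what survives a copied credential table.

Added example using only the Python standard library. The record format and
function names are assumptions for this illustration, not a particular product's.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed production work factor; tune to ~0.3-0.5 s per hash on your hardware
SALT_BYTES = 16        # per-user random salt: identical passwords produce different records
KEY_BYTES = 32


def hash_password(password: str, *, iterations: int = ITERATIONS,
                  salt: bytes | None = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The plaintext password never appears in the record; only a one-way digest
    of (password, salt) does, so a leaked table cannot be read back.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(record: str) -> tuple[int, bytes, bytes]:
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm in record: {algorithm!r}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare.

    hmac.compare_digest runs in constant time, so a wrong guess cannot be
    distinguished from a right one by how quickly the comparison fails.
    """
    iterations, salt, expected = _parse(record)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=len(expected))
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than now required.

    Call this after a successful login and re-hash the (still in hand) password,
    so old records are upgraded without forcing a password reset.
    """
    iterations, _, _ = _parse(record)
    return iterations < minimum_iterations


if __name__ == "__main__":
    # Constructed sample: what a stolen table row looks like versus what it protects.
    record = hash_password("correct horse battery staple", iterations=100_000)
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", record))
    print("needs rehash at current work factor:", needs_rehash(record))
```

The record is self-describing so the verifier never has to guess parameters, and the work factor can be raised later by re-hashing on the next successful login. Reversible encryption of passwords, by contrast, means that whoever holds the server key (or finds it in the copied source tree) holds every password; one-way hashing removes that possibility, leaving an attacker with only offline guessing against each salted record.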
It's interesting to note that, almost certainly because it has 18 million customers, WordPress has been the target of a number of hacker attacks. Back in 2009 the company was hit by a series of malicious attacks, and earlier this year it suffered a massive distributed denial of service attack.
This time around, it looks as though the company has taken a sensible approach to security and reasoned that, even if hackers get through its external defences, as has clearly happened, it can limit the damage that is done. Other high-profile organisations should take note of this planned defensive strategy.