A high-level review of NFP website security
Recently there has been a number of high profile security breaches, including the breach of ANU systems and the breach of Westpac’s PayID system, that have severely impacted these large and prominent organisations. Whilst NFPs may not present as high-value targets compared to other organisations, there are still payments and sensitive personal details transacted and stored in these systems that are valuable to attackers and are important to protect.
As an NFP, trust is one of the key reasons your supporters engage with you, and it is important to do everything you can to protect your digital systems from intrusion.
Over the past month, our team has conducted a basic research project to understand the potential threat of attacks on NFP websites. From a sample size 399 sites, our team found ~50 sites with outdated software versions vulnerable to known hacks and intrusions. These sites were scanned using a combination of custom python scripts and the WP vulnerability tool wpscan v3.7.3. They were scanned at two intervals, once at the end of May 2019, and a second time near the end of June 2019. For each of the affected organisations, we have attempted to advise them privately to ensure that action is taken to secure their systems as quickly as possible.
Key findings
- 400 sites were scanned in May 2019
- 56 vulnerable sites were found – ~14% of the sample were found to have vulnerabilities
- Not scanned
- 218 non-WP sites found – these were not scanned for vulnerabilities
- 65 sites not scanned due to being down or not resolvable
- 31 sites not scanned due to redirects
- 6 sites returned 403, suggesting a WAF is already in place
- If you remove the not scanned results, that leaves 86 target sites. Of the 86 target sites, 65% had some kind of vulnerability.
- Whilst the vulnerabilities may not be immediately possible to exploit without admin permissions or other access, the ratio of sites that have exploits vs those that do not is alarmingly high.
- 399 sites were scanned in June 2019
- 57 vulnerable sites were found – ~14% of the full sample were found to have vulnerabilities
- Not scanned
- 208 non-WP sites found – these were not scanned for vulnerabilities
- 65 sites not scanned due to being down or not resolvable
- 31 sites not scanned due to redirects
- 6 sites returned 403, suggesting a WAF is already in place
- The number of vulnerabilities found overall is unexpectedly high, especially considering the scanning tool is specific to WordPress sites and is relatively basic.
- Over 90% of sites appeared both in May and June. This is significantly concerning – regular maintenance is not adequately performed on these sites. This means that vulnerabilities are not being reviewed or fixed.
- The vulnerabilities found were exploits that affected outdated plugins and themes. It’s really important to update not just core software but all plugins and add ons.
- Note that this research does not include any microsites or secondary properties where there may be other vulnerabilities.
- No brute force attacks on passwords were undertaken as part of the research project.
- Given the number of sites that were not scanned, it is worth looking at the use of another security scanning tool that is able to scan other CMS technologies to better understand the exposure more broadly across the industry.
Taking steps to protect your website
As immediate steps, if you are facing issues with your website or you know that it has out of date dependencies:
- Update your software immediately on your website.
- Install a web application firewall to prevent future scanning and to block common attacks.
These two steps alone stop the majority of automated attacks and will significantly reduce the weaknesses in your website.
It is recommended that you also consider a longer-term plan with regard to website security, including:
- Regular security monitoring of your website – to detect hacks if they do occur and be able to action quickly.
- Ensure that you have regular backups of your website in case there is a hack and can restore/rollback with minimal data loss and downtime.
- Commit to a regular cycle of updates, at least monthly.
- Ensure you have a strong password policy that is enforced. Ideally, you change your passwords on a semi-regular basis.
- Penetration testing – to scan for more advanced levels of weakness and potential points of entry.
Wrapping Up
Securing your site as an NFP is important as the potential ramifications far outweigh the cost of a well-regimented security program. There are some basic actions you can take quickly which put you significantly ahead of the market, and you need to have a regular plan to keep your site safe and up to date. Your supporters will thank you for it through their trust and continued engagement with your organisation.
This is not something you want to postpone! If you need help with protecting your website, contact us now!
