Dozens of government websites are susceptible to hacks, Trouw reported last month. The reason: the administrator login page is publicly accessible, which creates a security risk. A hack of the Hof van Twente municipality made that painfully clear.
What are government agencies doing wrong? Should WordPress be completely banned now? As WordPress specialists with a strong focus on digital security, we explain in clear words what happened and how to do better. You will discover that WordPress is still a safe and reliable choice for government agencies, provided the necessary best practices are followed.
WordPress is a content management system (CMS) originally designed for bloggers. It allowed them to easily and quickly share their experiences and thoughts with the world. This open-source CMS was constantly evolving, with additional features winning over new users. It didn’t take long for small businesses, medium-sized businesses and then multinationals to start using WordPress. Government agencies were not long behind.
Today, 40% of all websites on the Internet run on WordPress. Its scalability and multiple features make this CMS a versatile solution for all kinds of organizations. Government agencies are also increasingly choosing WordPress, and it’s understandable why.
One reason is the built-in role system, which lets you give each user only the rights they need. There is, for example, the Contributor role, which allows someone to prepare posts but not publish them. Or the Author role, which can publish his or her own posts but cannot publish or modify those of others. The Administrator role can reach every option in the dashboard and add new users, which is exactly why it should be handed out sparingly.
It is also easy with WordPress to create a whole network of identical or similar sites. This is ideal for institutions with multiple locations or offices, each of which wants its own site. WordPress Multisite allows you to manage it from a central dashboard with a single login. The flip side is that one super-admin account then controls every site in the network, so that account deserves the strongest protection of all.
WordPress is an open-source system, which means the source code is publicly available. Thousands of programmers from around the world read and test that code for vulnerabilities, so bugs in the core tend to be found and fixed quickly. That does not make errors impossible, which is why installing core, plugin and theme updates promptly remains part of running WordPress safely.
According to Trouw, the problem lay in the publicly accessible administrator pages. By default, a WordPress site exposes these by typing /wp-admin after the domain; a visitor who is not logged in is redirected to the login form at /wp-login.php.
But even though anyone can open such a login page, that does not mean any random person can log in. You still need a username and password for that. What these hackers did was try as many combinations of common usernames and passwords as possible, hoping for a lucky guess. That scored a direct hit at the Hof van Twente municipality, where an account with the weak password "Welkom2020" gave them access.
The article points to a disturbing fact: government websites are nowhere near using the security features WordPress already offers. Couple that with an easy-to-guess password, and this CMS can (falsely) give the impression of being insecure.
So a public login page lets malicious actors test passwords. But by limiting the number of login attempts, requiring strong passwords and enabling two-factor authentication (2FA), a guessed password alone no longer gets anyone in. Optionally, you can also move the admin page to an alternative URL; bear in mind that this only hides the door from mass scanners and is no substitute for the measures above.
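To make the first two measures concrete, here is an added example of a small WordPress must-use plugin (written for this article, not code from 2manydots, Trouw or the WordPress project). It locks out an IP/username pair after repeated failed logins and rejects weak passwords of the "Welkom2020" shape. The limits, the word list and the plugin name are assumptions chosen for illustration; the hooks (`wp_login_failed`, `wp_login`, `authenticate`, `user_profile_update_errors`, `validate_password_reset`) and the transient functions are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Login Hardening (example)
 * Description: Locks out an IP/username pair after repeated failed logins
 *              and rejects weak passwords such as "Welkom2020".
 * Install: copy this file into wp-content/mu-plugins/ so it always loads.
 */

// Tunables: assumptions for this example, not WordPress defaults.
const LH_MAX_ATTEMPTS    = 5;    // failures allowed before lockout
const LH_LOCKOUT_SECONDS = 900;  // 15 minutes

/**
 * Transient key for the failure counter. Keying on IP *and* username means
 * a password sprayer hitting many accounts from one address is counted per
 * account, while one attacker cannot lock a user out from elsewhere.
 * Assumption: REMOTE_ADDR is the client IP. Behind a reverse proxy you must
 * take the address from the proxy's trusted header instead.
 */
function lh_key( string $username ): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lh_fail_' . md5( strtolower( $username ) . '|' . $ip );
}

// Count every failed login. set_transient() also refreshes the expiry, so
// hammering the form during a lockout keeps the lockout alive.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lh_key( (string) $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LH_LOCKOUT_SECONDS );
} );

// A successful login clears the counter for that pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( lh_key( (string) $user_login ) );
} );

// Refuse a locked-out pair even when the password is right. Priority 30 runs
// after WordPress's own username/password check (priority 20), so our
// WP_Error overrides the WP_User that check may have returned.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( empty( $username ) ) {
        return $user;
    }
    if ( (int) get_transient( lh_key( (string) $username ) ) >= LH_MAX_ATTEMPTS ) {
        return new WP_Error(
            'lh_locked_out',
            __( 'Too many failed login attempts. Try again later.' )
        );
    }
    return $user;
}, 30, 2 );

/**
 * Weak-password check. Flags short passwords, passwords containing words
 * that show up in real-world guessing lists (constructed list, extend it for
 * your organisation), and the "Word + year" pattern that "Welkom2020" fits.
 * Returns true when the password must be rejected.
 */
function lh_password_is_weak( string $password ): bool {
    if ( strlen( $password ) < 12 ) {
        return true;
    }
    $bad_words = array( 'welkom', 'wachtwoord', 'password', 'gemeente', 'admin' );
    foreach ( $bad_words as $word ) {
        if ( stripos( $password, $word ) !== false ) {
            return true;
        }
    }
    // One dictionary-style word followed by 2-4 digits, optional trailing symbol.
    return (bool) preg_match( '/^[A-Za-z]+[0-9]{2,4}[^A-Za-z0-9]?$/', $password );
}

// Enforce the policy on profile edits and on password resets. Both forms
// post the new password as "pass1"; an empty pass1 means "unchanged".
$lh_enforce = function ( WP_Error $errors ) {
    $pass = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( $pass !== '' && lh_password_is_weak( $pass ) ) {
        $errors->add(
            'lh_weak_password',
            __( 'Choose a longer passphrase that is not a common word plus a year.' )
        );
    }
};
add_action( 'user_profile_update_errors', $lh_enforce );
add_action( 'validate_password_reset', $lh_enforce );
```

Two design points worth noting. The lockout deliberately keys on the IP/username pair rather than the username alone, because a lockout keyed only on the username lets an attacker deny service to every official whose name they can guess. And the password check is intentionally blunt: a length floor plus a pattern match catches the "Welkom2020" class without pretending to be a full strength meter, which is what the 2FA measure is for once a password does leak.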
You can easily avoid many of the above if you know what you are doing. Of course, you can also outsource this to WordPress experts like those at 2manydots. Together, we keep uninvited guests out.