10 Nov 2022

Cyber Insurance Isn’t the Solution for the Insecurity of WordPress Websites

To get to a better place when it comes to the security of WordPress websites, as well as security more broadly, a critical element would be good security journalism. That isn’t happening. Take this clickbaity headline from The Register two days ago, “Swiss Re wants government bail out as cybercrime insurance costs spike”. Yet the beginning of the story disagreed with the headline:

As insurance companies struggle to stay afloat amid rising cyber claims, Swiss Re has recommended a public-private partnership insurance scheme with one option being a government-backed fund to help fill the coverage gap.

The report from the reinsurer Swiss Re they were referencing put things somewhat differently:

Finally, there is also need and scope for new types of public-private risk sharing mechanisms. Public and private sector collaboration is key to mitigating cyber threats to critical infrastructure. A public-private partnership insurance scheme, where coverage of systemic risks is split between insurers and a government(s)-backed fund is one option to address part of the protection gap. Another would be to tap into the market for alternative capital, such as by developing a market for cyber-insurance-linked securities.

Security news outlets can do better. Infosecurity Magazine covered the same report with a story titled “Swiss Re: Cyber-Insurance Industry Must Reform”.

The report is an indirect reminder that cyber insurance isn’t what is needed at this point. Here is how the report explained why things are not going well right now:

The pace of technological change, the rising awareness of cyber risk and the adoption of cyber hygiene practices to keep data and networks secure, are not synchronised. Rather, it seems as if a legacy of outdated security protocols, IT systems and regulatory frameworks are only slowly catching up with technological realities. This opens the door to rogue actors seeking to exploit digital vulnerabilities for financial, reputational or geopolitical gain.

In reality, the problem isn’t a changing situation that businesses and others are slow to catch up with; it is that long-known best practices are still not being applied.

Take, for instance, a recent high-profile hacking of a WordPress website, that of the news outlet Fast Company. The hacker claimed they got control of the website because the administrator account for the website (and others) had its password set to “pizza123”. Avoiding a weak password like that isn’t a new concept, but that doesn’t mean it is being done. It also doesn’t mean that a security journalist won’t blame WordPress for someone else’s poor security.
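The basic being skipped in that case is enforcing a minimum password standard on accounts. WordPress only warns about weak passwords in its UI; it does not refuse them. As an added example that is not part of the original post and not WordPress’s own code, the following must-use plugin rejects passwords like “pizza123” when a user is created or edited in wp-admin and when a password is reset from wp-login.php. The function names, the length threshold, the word-plus-digits pattern and the short blocklist are assumptions chosen for illustration; a real deployment would load a much larger list of known-breached passwords.

```php
<?php
/**
 * Plugin Name: Reject weak passwords (added example, not from the original post)
 *
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 * It hooks the two places where WordPress core accepts a new password
 * and adds an error when the password fails the checks below, which
 * stops the password from being saved.
 */

// Constructed sample of commonly used passwords, for illustration only.
// A real site would load a large breached-password list from a file.
function rwp_blocklist() {
	return array( 'password', 'pizza123', 'admin123', 'welcome1', 'qwerty123', 'letmein' );
}

/**
 * Return a message describing why $password is weak, or '' if acceptable.
 * $known holds account-specific strings (login, email local part) that
 * must not appear inside the password.
 */
function rwp_weakness( $password, array $known = array() ) {
	// Threshold is an assumption; pick one that matches your own policy.
	if ( strlen( $password ) < 12 ) {
		return 'Password must be at least 12 characters long.';
	}
	$lower = strtolower( $password );
	if ( in_array( $lower, rwp_blocklist(), true ) ) {
		return 'That password is on the list of commonly used passwords.';
	}
	// A single word followed by a few digits (and maybe one symbol) is the
	// "pizza123" shape; length alone does not make "strawberry1234" strong.
	if ( preg_match( '/^[a-z]+\d{1,4}[!@#$%^&*]?$/', $lower ) ) {
		return 'Password looks like a word followed by digits; choose something less predictable.';
	}
	foreach ( $known as $item ) {
		$item = strtolower( (string) $item );
		if ( strlen( $item ) >= 3 && strpos( $lower, $item ) !== false ) {
			return 'Password must not contain your username or email address.';
		}
	}
	return '';
}

// Fired by edit_user() for "Add New User" and profile edits in wp-admin.
// $user is a stdClass of submitted fields; user_pass is unset when the
// password field was left blank (i.e. unchanged).
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	if ( empty( $user->user_pass ) ) {
		return;
	}
	$known = array(
		isset( $user->user_login ) ? $user->user_login : '',
		isset( $user->user_email ) ? strstr( (string) $user->user_email, '@', true ) : '',
	);
	$msg = rwp_weakness( $user->user_pass, $known );
	if ( $msg !== '' ) {
		$errors->add( 'rwp_weak_password', '<strong>Error:</strong> ' . esc_html( $msg ) );
	}
}, 10, 3 );

// Fired on the wp-login.php reset form before the new password is saved;
// the submitted password is in $_POST['pass1'].
add_action( 'validate_password_reset', function ( $errors, $user ) {
	if ( is_wp_error( $user ) || ! isset( $_POST['pass1'] ) ) {
		return;
	}
	$msg = rwp_weakness( wp_unslash( $_POST['pass1'] ), array( $user->user_login ) );
	if ( $msg !== '' ) {
		$errors->add( 'rwp_weak_password', esc_html( $msg ) );
	}
}, 10, 2 );
```

This does nothing for accounts that already have a weak password; for those, a forced reset (for example, clearing `user_pass` for the affected users and sending them through the reset form) is the remaining step, and the reset then passes through the same check.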

Hacks, whether of average WordPress websites or the high-profile hacks in the news, are often caused, at least in part, by outdated software with known vulnerabilities. Keeping software up to date isn’t a new concept either.

The report suggests that a way to improve that situation is to provide lower-cost insurance in exchange for following best practices:

For insureds, the expenses of implementing required security measures to meet the baseline level of cyber hygiene can be more than offset by premium savings. The application and underwriting process can therefore motivate a business to focus on risk assessment, ultimately incentivising implementation of risk-based security measures to minimise insurance costs. Coverage encourages greater precaution and thus reduces the probability of loss.

The problem with that is that money being spent on cyber insurance is money that isn’t being spent on improving security, which there needs to be more of at this point.

It’s important to note that spending money on improving security isn’t the same thing as spending money on security products and services. Security products and services are often not very good at providing protection, if they provide any protection at all, so doing the basics is a better focus. Security products and services often introduce security issues of their own as well.

Where Spending Makes Sense for WordPress Websites

If you have a WordPress website where you have the ability to spend money to improve security beyond doing the basics, where does it make sense to spend it?

For a lower cost, spending it on a security solution that provides additional protection over the basics would make sense. The problem is that much of what is available doesn’t deliver that, Wordfence Premium being a prime example. So you would want to find something that has evidence, preferably from independent testing, that it provides effective protection.

For a higher cost, getting security reviews of the WordPress plugins you use can provide a real boost in protection. For example, a zero-day vulnerability found and exploited by hackers in a plugin from the WordPress security provider iThemes would have been caught by a security review. As even security providers are not doing security reviews of their own plugins, it is likely that the plugins used on your website haven’t received a review. In the past, we have found security vulnerabilities in plugins from people and companies offering to do security reviews, so you would want to make sure to hire someone with proven experience doing reviews, preferably demonstrated by public results of previous reviews.
