So what exactly is Penetration Testing?
The deeper you get into web site security, the more complicated it gets. Penetration testing is the skill of attacking a web site, system or network to identify vulnerabilities that might be exploited to gain access to the web site and its contents, and even to other web sites hosted on the same server.
In simple terms, we become the hacker in order to protect your web site.
Penetration testing is typically performed either with full knowledge of the system (‘white box’), to allow finding as many vulnerabilities as possible, or by simulating a real attack without any knowledge of the system (‘black box’).
Why do it?
So why should you get your web site tested regularly? If you have a simple blog site, with some holiday snaps on it, I doubt I would worry too much either. But if you are running a popular ecommerce or business-critical site that is hacked, then not only will there be the inconvenience of downtime for an indeterminate time, but under the revised GDPR regulations you may have to report data loss.
It's not a one-time tick-box exercise either. Regular penetration testing has key benefits:
- Software is changing all the time. New releases of WordPress plugins, for example, may introduce a vulnerability without you knowing.
- New exploits are being discovered all the time. Hackers don't wait for a new release to come out; they are actively working on new exploits all the time.
- We proactively find known vulnerabilities, which is especially important as your site and the underlying software evolve.
- We can also check the hosting environment: Windows Server, PHP, MySQL, SQL and many other areas of the infrastructure.
- Oh, that reminds me, do you have a backup of your web site and its contents? That's one of the first questions we ask: do you have a backup and what's the schedule?
Performing a penetration test and mitigating the vulnerabilities is so much easier than cleaning up a hacked site, if that's even possible!
Recommended Penetration Testing
To start with you can help yourself by keeping your WordPress site updated including the WordPress core, themes and plugins.
Ensure your passwords are sufficiently complex.
Ensure your site is backed up regularly.
For peace of mind we offer the following testing plans. The prices shown are indicative and will vary depending upon your particular environment.
Why not just use a free scanning website?
There are a few sites offering free WordPress scans, albeit for a limited time, that are great for scanning WordPress sites. While these can reveal vulnerabilities with your WordPress theme or plugin, they stop there. If you keep your WordPress core, themes and plugins up to date, the risk is already reduced and a free scan will probably just confirm as much. That's great for peace of mind. However, WordPress is only a small part of the web site hosting environment, and a WordPress scan is only the tip of the iceberg.
We take it further and test the web hosting stack, including the web server settings, MySQL/SQL injection, PHP, cross-site scripting, session hijacking and more. A hacker will not stop at WordPress; they go way deeper, looking for the tiniest of cracks, and that's all they need.