Is our current crop of Presidential candidates even capable of keeping their own websites safe from attacks? It appears, maybe not so much! So, if they can’t keep a website safe, well…
Seriously though, this is not a political article, but rather an interesting take on how well the candidates’ tech teams are able to lock down their own website security.
As those who follow my blog may know, I have been talking a lot recently about the brute force attacks on WordPress websites worldwide over the past few weeks, so when I ran across a few articles on the subject of candidates’ website security, I thought it was pretty interesting.
Several people in the web security community decided to take on some of the Presidential candidates’ websites and see how they fared at protecting themselves. They found that many of the candidates’ websites were easy to hack.
Of the 21 candidates’ sites tested, 11 were using WordPress. That would be more than 50 percent! See, I told you WordPress is powering a huge portion of the internet, apparently even Presidential candidates.
After testing their sites, Quigley came to the following conclusions:
Allowing website visitors to enter payment information on insecure pages is not considered safe. By not having more secure pages for this, the candidates are doing their monetary supporters a big disservice.
Running on HTTPS
16 out of 21 candidates were redirecting to HTTPS, a widely used protocol for secure communication over computer networks, which is great.
Only Rick Santorum, Pataki, Lindsey Graham, Gilmore and Lincoln Chafee were not. I am personally pretty surprised myself that, as common and easy to implement as HTTPS is, not all of the candidates were using it.
Donald Trump, Ted Cruz, Rand Paul and Marco Rubio all had sites that supported IPv6 (Internet Protocol version 6), the most recent version of the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. But, they were the only ones.
It’s actually surprising to me that more of the candidates weren’t using IPv6, because some of them were using Cloudflare (see next paragraph), which includes this for free!
Using a CDN (Content Delivery Network)
Interesting to note, Cloudflare gives you both IPv6 and HTTPS, for free, but only four candidates’ tech staffs bothered to turn it on. ***SLAPS FOREHEAD***
Three out of 21 sites were using HSTS, a web security policy mechanism which helps to protect secure HTTPS websites against downgrade attacks and cookie hijacking, but only Cruz had it on in a consistent way.
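One way to check your own site for the HTTPS redirect and the consistent HSTS described above, as an added example that is not part of the original post or of Quigley's tests. The hostnames, the sample responses and the 180-day minimum `max-age` are assumptions made for illustration.

```python
# Added example: audit captured responses for HTTPS redirects and consistent HSTS.
# All hostnames and responses below are constructed sample data.
from urllib.parse import urlsplit

MIN_MAX_AGE = 15552000  # 180 days; an assumed policy threshold, not from the article


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit(responses):
    """responses: list of (url, status, headers). Returns a list of finding strings."""
    findings = []
    for url, status, headers in responses:
        h = {k.lower(): v for k, v in headers.items()}
        u = urlsplit(url)
        if u.scheme == "http":
            target = urlsplit(h.get("location", ""))
            if status not in (301, 302, 307, 308) or target.scheme != "https":
                findings.append(f"{u.hostname}: no redirect from HTTP to HTTPS")
            continue  # browsers ignore HSTS sent over plain HTTP
        if "strict-transport-security" not in h:
            findings.append(f"{u.hostname}: HTTPS response without HSTS")
            continue
        max_age, _ = parse_hsts(h["strict-transport-security"])
        if max_age is None or max_age < MIN_MAX_AGE:
            findings.append(f"{u.hostname}: HSTS max-age missing or too short")
    return findings


SAMPLE = [  # constructed: apex host sets HSTS, www host does not (inconsistent)
    ("http://example.test/", 301, {"Location": "https://example.test/"}),
    ("https://example.test/", 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("http://www.example.test/", 200, {}),
    ("https://www.example.test/", 200, {"Server": "nginx"}),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

The same `audit` function can be fed status codes and headers collected from your own site's apex and `www` hosts to confirm that every HTTPS response carries the header.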
Although Quigley did disclose that he is a Sanders supporter, he was quick to point out how impressed he was with the support staff of the four Republican candidates that had IPv6 enabled, and the fact that they obviously had good knowledgeable tech people on their teams.
Which of the Major Candidates Are Vulnerable to Hacking?
Jonathan Lampe, a Product Manager at InfoSec Institute, also did a series of tests to determine which of the top 5 Presidential candidates were most likely to have their websites hacked. His report was interesting reading for me, although probably more technical than most of you care to read.
Of the major candidates, he dubbed Ben Carson the winner in this one, followed by Trump and Hillary Clinton, then Bush and Sanders.
According to his report, Carson scored well because he outsourced donations and volunteer services and offered no store on site. This basically meant there was simply a smaller amount of area for potential attacks to target. Carson received a cybersecurity grade of “A.”
Trump scored a “B.” Like Carson, he outsources donation services; however, his site was only a partially secured WordPress site that exposed the sign on page and leaked some other information. Lampe also felt that his site may be using some older software and not updating some plugins.
Clinton also received a “B” grade because she had a larger site, with more areas vulnerable to attack, and it appeared to be running on a quickly-built custom application. However, she was running up-to-date software and building a security team.
Sanders and Bush both received a “C” grade because, while they also outsourced donation services, both had an unsecured WordPress site that exposed usernames and sign on pages.
Unsecure User Names
Lampe was able to find website user names for both candidates fairly easily and lists them in his report. He felt this left them both open to hackers for the harvesting of usernames and identities of authorized website administrators and contributors.
This, combined with leaving their sign on pages unsecured, makes them a much easier target for a “brute force” attack, like the ones that have been plaguing the internet these past few weeks.
Both John Kasich and Gilmore still had the default “admin” username attached to their sites. ***ANOTHER FOREHEAD SLAP*** Basic WP Security 101 tells you that this is the FIRST thing you fix after a new WordPress install. What are their tech people thinking?
Wisely Using WordFence Security
While Trump came the closest of the major candidates to earn an “A” (he got a B+), Lampe only gave one candidate that grade (and it was really an A-). This was Webb. He stated that Webb’s site resisted his probes and required HTTPS. It was also using a WordPress plugin called WordFence, which is designed to secure WordPress websites from the type of activity he was doing.
WordFence is the security program that I use on all of my WordPress website builds and with my security and maintenance packages, and one of the very first things that gets installed when I start a job for a client. I love it and it hasn’t failed me yet. Of course, it’s not fool-proof, nothing is, but it does a very good job at security.
I kind of enjoyed reading about these two things — politics and website security, but I am geeky that way and like both topics very much — so I thought I would share this info with my readers, in case anyone else wanted to see how their favorite candidate’s website fared. 😉