Too Much Noise! Weeding Through Your Websites Security Reports
If you have any security plugin installed on your WordPress website (and you should), you probably receive some kind of security report in your inbox on a regular basis (and you should).
The problem I have is that if I receive too many reports or reports with too much information, I suffer from Alert Fatigue Syndrom (AFS).
(Don’t look that up on WebMD, I made it up.)
Isn’t too much information better than too little?
Not necessarily.
There are several dangers of having too many noisy security alerts. Here are a few:
- Alert fatigue: If I receive too many alerts, I may become desensitized and start ignoring them altogether. This can lead to important alerts being missed, which can have serious consequences.
- False positives: Noisy alerts can lead to a high rate of false positives, which are alerts that are triggered but turn out to be benign. This wastes my time.
- Missed threats: If I am inundated with alerts, I will probably miss real threats that are buried in the noise.
It’s important to carefully tune your security systems to minimize the number of noisy alerts while still ensuring that you are alerted to potential threats.
Security Report Examination
Let’s take a look at one security report and identify what it is telling us. I use iThemes Security Pro, but other plugins have similar reports.
Security Site Scan Report
I have the plugin on my personal genealogy website set to scan my website for “vulnerable software”, that is software that is known to have security holes of some kind.
Note that :
- it scans for vulnerabilities twice a day – this is a good thing, but with a warning
- it only sends a report if it finds an issue – YES!
Let’s look at a sample report I received for my website in December
The scan found two issues which is great. The report provides links to what the problem is, and what can be done. The explanation tends to be very technical, so I usually only worry about what I need to do.
WP <= 6.1.1 – Unauthenticated Blind SSRF via DNS Rebinding
Oh no, the first one is a vulnerability in WordPress itself! Danger, dang…not so fast – if we click on the link:
There is no Fix available? It turns out that the issue is complex to fix, and only occurs if OTHER plugins have issues, so the risk is low.
Basically, the alert is informational.
The problem is I get the alert on a regular basis now, and need to remember to ignore it WITHOUT ignoring whatever else might show up in the report.
This is noise, with all the associated risks I outlined above. However, I don’t want to turn off the report because it is very valuable, and I can’t just turn off that one message.
Caveat Emptor
Starter Templates by Kadence WP < 1.2.17 – Admin+ PHP Object Injection
The second alert tells me that there is an issue with a plugin that I use – Kadence WP Starter Templates.
Good to know, but… Don’t I have auto-update enabled for that plugin?
Oops, looks like I do not. That means I need to do it manually myself (or enable auto-update).
Thanks for letting me know, iThemes Security Pro!
OR…
Actually, in this specific case, I have a third option – delete the plugin!
I had installed that plugin to experiment and decided I didn’t need it on this website. It is always a good idea to remove plugins that you aren’t using. It improves performance and its one less plugin that can have a vulnerability.
So deactivate…
…and delete.
Summary
In this post, I have talked about the dangers of too much information and examined an iThemes Security Pro Scan report that showed two vulnerabilities.
In one case, I know it is important to keep my other plugins up to date because WordPress won’t be fixing it anytime soon.
In the other case, I realized I had a plugin installed that I didn’t need.
I hope this helps you in your efforts to keep your website safe and secure.
Image by wayhomestudio on Freepik
