WordPress is a popular target for hackers because every website has something to offer them, and the returns on attacks are high.

 

Hackers gain something from every WordPress site

 

WordPress is the most popular CMS in the world, and a popular target for hackers too. The scale of the problem may make it seem like the hacks occur randomly and for random reasons. In reality, every website has something to offer hackers. The exact nature of the payoff also depends on the intentions of the hackers.

 

Hackers can be grouped into three categories, depending on the purpose behind their attacks:

White-hat hackers usually test a website or a computer system for vulnerabilities. They do not have malicious intent, and disclose vulnerabilities responsibly.

In the WordPress community, white hat hackers are either a part of a web security team, or are developers within the community who contribute by discovering vulnerabilities and helping protect the community against such risks.

Hacktivists, (who are ‘activists’ acting by means of hacking) target websites mostly to bring awareness to socio-political issues, but the means they pursue for these ends are questionable. This is why it’s difficult to categorise what they do. Most of the time, hacktivists deface websites, or publish sensitive information.
Examples for hacktivist defacing websites range from  Anonymous’ hack of the Phillipine Comelec that asks questions, to the defacement of the ISIS website with ads for performance-enhancing drugs. Hacktivists could also publish sensitive information. Examples of such attacks include the  Panama Papers leak, and the hack of the  CIA  and FBI websites that released officers’ personal information and put them in danger.

Since the classification of what hacktivists have to gain, and the means they use to achieve their ends can fall in gray areas, we’re going to exclude hacktivism from this article.

Black-hat hackers, who hack websites indiscriminately, purely because of more ‘materialistic’ gains. They exploit vulnerabilities to their own ends. Any website can be targeted by these hackers, since they are not looking to test a specific system for vulnerabilities, nor do they want to further a socio-political agenda.

 

What Black-hat hackers can gain from hacking websites

Black-hat hackers could gain one of three things from hacking websites:

  • Reputation
  • Access to resources
  • Information

 

Reputation

In terms of technical know-how, and the scale of the reputation they seek, black-hat hackers could be ‘script kiddies’, or ‘experienced hackers’.

‘Script kiddies’ depend on tools to perform hacks. While the scale of the havoc they wreak can vary in degree, they usually hack websites to be accepted, or to gain reputation among their peers. They usually don’t have criminal intent. However, the more they learn, the more they could move towards higher levels of experience and reputation.

Garnering reputation among other black-hat hackers depends not only on the technical know-how they have, but also on the damage they have the ability to wreak independently. This is when/why they move away from readily-available tools, and craft malicious code of their own that can bypass usual security measures on websites.

‘Experienced’ hackers look to earn a more ‘professional’ kind of reputation. You might know that there are black markets for the sale of illegal goods, but there are similar establishments for cybercrime too. One such black market/forum, was Darkode. Hackers have profiles on these websites and are ranked. These hackers look to earn higher ranks so that their ‘customers’ will pay more for their services, and their work will be recognized more.

How high a hacker’s rank is, on cybercrime forums, depends on:

  • The number of sites they’ve hacked.
  • How proficient they’ve been (the difficulty of the hack).
  • The reputation of the sites they’ve hacked.
  • How satisfied their customers are with their ‘service’.

In short, even if  your website has great security, it’s better for them: they get a better ranking if they succeed in hacking your site.

For example, if your site had tight security, and a hacker successfully retrieve contact information of all your customers, they only garner reputation and have no use for the information afterward. They could go ahead and publish it on the cybercrime forum so other hackers could use the information to send spam mail to your users, send them downloadable malicious code, or send them mails crafted for phishing.

 

Access to resources

The resources on your WordPress site include your site’s database, the server it’s hosted on, as well as the users and visitors to your site. Black hat hackers hack your website in order to gain access to these resources. Attackers have a number of ways that they could exploit your site’s resources:

  • They could plant malicious code on your site to do anything they need to do, without the action getting traced back to them. An example of this would be that of hackers planting malicious code on your server to send their spam mail to your site’s visitors. This would not only get your server blacklisted by mail servers, but also could lead to your WordPress site getting blacklisted by search engines (since it has malware).
  • They could use your site to perform Black Hat SEO practices that allow them to hijack your site’s traffic and redirect it to their own websites, or their customers’ websites. A common type of attack on WordPress sites that uses this technique is the WordPress Pharma hack.)
  • They might use malicious code on your site to trick the visitors of your site into downloading malicious software to their computers.
  • Cross-site scripting attacks  could be used to steal cookies from your site’s visitors and use their credentials.
  • They could use your server as a bot in a DDoS attack.
  • They could manipulate your site to trick users into entering sensitive information that could be used for phishing.
  • They could use ‘ransomware’, which is malicious software that doesn’t allow you access to your resources, your website, or important files on your website unless you pay up. Ransomware keeps popping up in tech news because of technology’s progression into the Internet of things (smart home appliances that can be connected to the internet). In the context of websites, ransomware could be used to either lock you out of your site, or encrypt all the data on your website until you meet the hacker’s demands. If you don’t give in to the hacker’s demands, they could keep all the data from your WordPress site to themselves until you do, or worse, delete it all. The only sensible way to protect yourself from such an attack, is to have a reliable WordPress backup solution that has updated backups of your site.

 

Information

As any website owner knows, information is probably the most important thing on a website. From your site’s data to your visitor’s data, all of the information on your website is unique to you, and is hence valuable.

Hackers could hack your site to retrieve information that belongs to your site’s visitors, such as their personal information(which includes contact information, photos, medical records and other information about their identity), or financial information.

Hackers could use this information in the following ways:

  • They could use it for their own purposes (such as to send spam mail). Sending spam mail from your website’s server could get it blacklisted by search engines, and other mail servers.
  • They could publish sensitive information from your site.
  • They could sell it to others looking for this kind of information.
  • They could also retrieve confidential information from your WordPress site (such as information about your investors), and ask you to pay a ransom to make sure it isn’t published, or sold.

 

Publishing sensitive information

Sensitive information on your website doesn’t have to just be related to the financial information … it could be anything that is specific to just your site, such as the personal information of your site’s users (like their email addresses), that could be used in line with malicious intent (to fulfill a job request, to damage the reputation of the company whose information they publish, to help other hackers send spam).

For example, a hacker could publish your users’ email addresses, to ruin your establishment’s reputation and the trust your customers have in you.

 

Selling sensitive information online

This is another dangerous way hackers target the information on your site.

While some hackers sell personal information of celebrities online (like in the case of Pippa Middleton’s iCloud photos that the hacker attempted to sell), in the past few years, a number of medical websites have been targeted.

This is because social security numbers, medical and healthcare information could prove to be more valuable in terms of identity theft than even financial credentials.

Hackers who sell financial information are in a race against time; they only get the best price for their hard work as long as the credentials are recent, and valid. If the people whose information was stolen, blocked their cards or switched banks, they don’t get paid. However, with identity-theft, the validity of the crime is much longer; and the payoffs for the buyer is considerably higher.

The parties that buy this information could use it to:

  • Create online loan applications
  • Create applications online for credit cards
  • Apply for prescription drugs
  • Create fake IDs

This poses a serious risk for any website, but especially for those that store any sort of user-information.

 

With reasons/aims like these, it’s no wonder that hackers continue to do what they do. They know that there is no such thing as a secure website, so any website can be hacked, and used to any end. The returns for them on hacking websites is high. This is why hackers who seek to obtain information or access to resources on your site make sure to keep their tracks hidden. They do this in order to utilise your site for as long as they can, and make sure to leave backdoors in inconspicuous file so that they can always gain access back to your site.

This is why the best way to stay safe is to have a solid disaster recovery plan in place. The prime element in such a plan, would definitely be a WordPress backup solution like BlogVault that is truly reliable, and an intelligent malware scanner+cleaner, like MalCare, that leaves no malicious code behind.

 

WordPress has become the most preferred content publishing platform online, and its popularity is continuously growing. For hackers, this means a bigger target with greater payoffs. Are you, as a WordPress site owner committing basic security mistakes that make it easier for them?

 

Common mistakes Website owners make

 

WordPress is the most popular platform to build websites on, and its popularity has only been growing. The CMS has something to offer anyone who has ever wanted to own a website. The WordPress community is supportive, and consists of developers who can build anything in code as well as code-averse site-owners who are given a world of add-ons to make their sites extensible, and more functional.

 

However, maintaining a WordPress site comes with a number of caveats, which are difficult to navigate. The case is worse for new site-owners, since committing a small mistake could knock their site offline, or make it vulnerable to hackers’ attacks.

 

Knowing the common mistakes made, and avoiding them, is key to keeping your WordPress site safer. This is why we’ve come up with a list of the basic security mistakes that WordPress site owners and users make. Are you making any of these mistakes currently?

 

1. Not updating WordPress and its add-ons

Now while the rest of our list talks about mistakes to definitely avoid committing, this issue is a little more complicated. This is why we’ve chosen to get this out of the way right in the beginning.

Everybody talks about keeping WordPress Core and add-ons (themes and plugins) up-to-date, for the sake of security, as well as to add new features to the site. However, you as a WordPress site owner, have one good reason for not doing so– incompatibility.

Your WordPress site could break because of:

Updating WordPress Core

There are two kinds of updates on WordPress Core that keep it up-to-date with the best features, and security measures on the web.

  • Major updates (like 4.5 or 4.6): These add new features and functionality to WordPress.
  • Minor releases like Release 4.5.1 and 4.5.2: These are dedicated to security patches, and bug fixes.

There are a couple of catches with these releases. For one, it can be cumbersome to keep up to date with all of them. Version 4.5, for example, was released on April 12, while 4.5.1 was released 14 days later, and 4.5.2 was released about 10 days after 4.5.1. Secondly, while WordPress Core upgrades are designed to be compatible with all the previous versions; (even the first one), it doesn’t always work out that way. So when WordPress site owners update their WordPress core, their site crashes.

Updating WordPress add-ons (plugins, themes, and widgets)

There a number of problems you could run into while updating WordPress add-ons. Since the developers could be pressed for time or not have the expertise, they can’t make sure that their updates are compatible with every single version of WordPress. As a result, they could be incompatible with previous updates of WordPress Core. Moreover, even add-ons that are coded to be backward compatible might not be developed with other add-ons in mind. Lastly, add-ons’ updates contain significant security patches and bug fixes, which change the way they work and hence cause conflicts. One example of this was the security patch for RevSlider (a premium carousel plugin), that changed the way the plugin worked.

As a result, updating even just one plugins could cause your site to break. If compatibility issues between WordPress Core and an add-on are a concern, the safest route to take, would be to ask the plugin developer to release an update for the plugin, while also looking for alternatives that work with your other add-ons.

The key to keeping your WordPress site secure, is to update every part of your WordPress site. The consequences to your site, its data, and your site’s visitors are all too great to not update.

 

2. Buying/using bad add-ons

As mentioned, WordPress add-ons don’t necessarily have the stringent code quality or security measures in place that WordPress Core does.This is why it’s important for WordPress users and site owners to pay attention to pick a good theme/plugin. Every good add-on has one basic characteristic– it has has good code. But even if you don’t know how to judge the code of a theme/plugin, there are a few characteristics which you spot:

  1. They’re available via a reputed source: This means they’re on the WordPress.org repository, or with well-known theme/plugin seller, like Themeforest, Elegant themes, etc. Just as with material goods, buyers should be wary of a premium theme being available on a questionable website at a huge discount.
  2. They have good reviews and ratings from genuine, long-time users.
  3. They’ve stood the test of time: The longer a theme or plugin has been available, the more bug fixes and security updates they should have.
  4. They get updated often and have been recently updated (in the past 2 months) from the developer’s side

Installing a bad theme/plugin could have a number of consequences for your site, whether in a way that affects function (such as slowing down your site), or in a malicious way, such as sending spam mail on your site’s behalf. Apart from all this, having an add-on with malicious code on your site causes search engines to mark your site as malicious, and hence blacklisted.

 

3. Using bad login practices

There are a number of simple login mistakes that WordPress site owners make, from sticking with easy to guess credentials, to staying logged in on their sites. This makes it easier for hackers, who usually use bots (just like search engine crawler bots), to look for websites with vulnerabilities.

Sticking with the default username (admin) reduces the time bots need to crack your login credentials, by 50%. Combining that with the use of a weak password only makes attacks on the login page (like a Brute Force attack, or a Dictionary attack) that much easier. Once the bots crack your login credentials, the hacker can login as you, and legitimately perform admin-level functions. This is why it’s important to enforce good login practices, and secure your WordPress login page. A couple of other simple ways (and there are more ways) to protect your login page are renaming the administrator account to reflect a different username. WordPress site owners have to look out for legitimate ways to harden their login page though– some widely recommended practices such as  moving your login page to a custom URL, are unnecessary, and can ruin your site’s user experience.

 

4. Making every contributor to the site an ‘administrator’

WordPress sites have different system users with different levels of access, in order to give the site owner the power to assign responsibilities to different users. This also serves as a way to give those with fewer responsibilities, the access to only specific areas they need access to. This principle (known as the Principle of Least Privilege), is one of the basic elements of security on any system.

WordPress has five different user roles:

  1. Super admin or Admin: Has full control over add-ons, content, files, and users on the site. (Super admin is someone who has Admin access over multiple sites, and controls the network administration for those sites too).
  2. Editor: Has full control over content and files, can publish anyone’s content, and is allowed to add script tags for formatting.
  3. Author: Can only create, modify, publish and delete their content.
  4. Contributor: Can only read, edit and delete content. No publication rights.
  5. Subscriber: Can only read content. No other rights

So say you run a successful news website or a blog with a regular guest blogger contributing once a month… You would best assign the guest blogger the role of  ‘Contributor’ or ‘Author’.

Assigning the ‘Admin’ role instead, however, will put your WordPress site at a greater risk. Just imagine what would happen if they deleted a post by another author, a plugin or even an Editor by mistake!

Giving users unrestricted access could also allow hackers to exploit your site more easily. A good example of this kind of damage, was how TechCrunch got hacked by OurMine, a commercial security group that hacks accounts to publicize their services. The site was hacked using one of its contributors’ accounts.

 

5. Being a hoarder

Keeping old add-ons and users presents a number of opportunities to hackers. As a site-owner, it is only natural to experiment with plugins and themes. In the process though, it is easy to forget about unused add-ons in your site’s repository. However, since you no longer use them, you also don’t update them. This opens up your site to a number of exploits.

Forgetting to delete old users (especially contributors) long after they’re gone, allows hackers access your site legitimately after a previous hack (like a Brute Force attack). This is one of the ways WordPress site owners are hacked for a long time without even knowing about it.

 

6. Not checking past uploads

Similar to hoarding add-ons and users, WordPress site owners also fall in the trap of never cleaning out their Media Library, the uploads folder, or the includes folder.

Hackers know this too. This is why they could easily upload a hack-file that looks like an image, and execute a hack later. This is how a number of exploits on the TimThumb vulnerability were carried out.

This method could also be used to create a backdoor. So even if malicious code is removed, and the WordPress site is kept up to date, it will still be susceptible to hacks.

 

7. Not having a reliable backup solution to depend on

Having a backup solution for your WordPress site is paramount to security. Not only does having a clean backup of your WordPress site make it easier to restore your site in case of a hack or blacklisting, it also allows you to scan your site’s code for irregularities and fire-fight more efficiently. However, most WordPress site owners don’t realize that the solutions they’re relying on are not dependable, until it’s too late. Backups must be the perfect disaster recovery solution, so they should be fool-proof, and adhere to the best WordPress security practices. Not only should they be independent of the WordPress hosting service, but they should be independent of your site, be stored in multiple locations, and have both: WordPress files and database encrypted and backed up.

If your site encounters a problem caused by anything as disastrous as your hosting provider being hacked to the deletion of files, not having a good backup plan would lead to your site experiencing a long downtime or worse.

 

The mistakes listed in this article are basic, and yet widely committed by WordPress site owners. Keeping your WordPress site secure lies not in being sure of impenetrability (because there is no such thing as a perfectly secure site), but in making it harder for hackers to achieve their target.

 

If you commit, or have committed any of these simple mistakes in the past, the best way to ensure that there is no malicious code on your site, would be to invest in an intelligent auto hack cleaner for WordPress sites, like MalCare.

 

7 steps to secure your wordpress site WordPress is a robust blogging and CMS platform powering over 70 million websites – from single blogs to large corporate portals. However, with growing popularity comes growing woes. Web-based malicious attacks have gone up by 81% in 2010-2011 and since WordPress is a popular platform it gets its fair share of attacks.

We, at blogVault, have faced several instances wherein our clients’ websites have faced vulnerabilities such as Link Injection (SQL injection, shared folders), blackhole exploits, Javascript and PHP code injections to name a few. As a user of WordPress how do you protect your site against these exploits?

Here are few house keeping steps to get to started…

1. Update! Update! Update!

Most of the common hacks/injections happen because of outdated WP or plugin. WordPress has a very strong community and as soon as a vulnerability is detected, it gets plugged. No excuses for not updating!

2. Delete the ‘admin’ account – Make it harder for the hackers!

WordPress lets you give administrator access to other user accounts. So, instead of using ‘admin’ username use some other unique username.

3. Check your file and folder permissions

File permissions set to 777 are a red carpet welcome for hackers to set up base on your website! A good rule of thumb is to set files to 644 and folders to 755.

4. Hide your wp-config.php

This is another file which is most vulnerable to attacks and by default will be located at your_host/wordpress/wp-config.php. You can move it to the root directory i.e your_host/wp-config.php because WordPress automatically checks the root directory for this file if it doesn’t find it at the default location.

5. Use trusted sources for themes and plugins

Beware of pirated themes and plugins, they usually contain malware or spam bots which at best will hamper your site performance and worst case – steal critical information and spread viruses to its users.

6. Connect to your server securely

Use sFTP or SSH instead of FTP. Use SSL whenever possible. HTTPS is most preferred and secure way of transacting online.

7. Backup regularly

I suggest using a premium backup solution who will take secure and periodic backups of your site, and also gives you the option to switch hosts (migrate) efficiently and in a matter of minutes, if your site gets compromised. blogVault is one such host and we have plans starting for as low as $9/month.

As the old adage goes, prevention is better than cure. Secure your website and protect yourself from these attacks.