I Don’t Even Have a Lot of Visitors Yet — Why Would Someone Hack My WordPress Site?
- Theft / espionage
- Computing power
These individuals are not targeting your WordPress website – your site is just one of thousands they probe for vulnerabilities.
In the mindset of a hacker this is strictly a numbers game, and someday your site's URL just comes up in the scan. It is not personal.
In WPATX meet-ups I have demonstrated some of the ways a hacker finds vulnerabilities in WordPress websites. I will not include that information here because all I want to do is illustrate that no one is immune and every WordPress site can have a vulnerability, not teach you, or others, how to hack.
Most often hacking is a crime of opportunity – like an open gate or unlocked car door.
In general, the hacking process involves three steps:
1. Find a point of entry
2. Compare the website/server information (WordPress, plugin and theme versions) against known vulnerabilities
3. Have fun
The hacker doesn’t even have to know what he or she is doing.
There are many programs that can be found on hacker sites that go through this process automatically.
These are popular with novice, juvenile, or dilettante hackers. Because they often don’t require any sophisticated understanding to operate, the people who use them are held in very low regard by the “real” hacker community, and are referred to by the derogatory term “script kiddies.”
That does not mean that a persistent Script Kiddie can’t do some very real damage to your WordPress website.
How Do Hackers Get Access to Your Site
Types of Attack Strategies
- Password attacks
- Software vulnerabilities
- Social engineering
- Shoulder surfing
Links From Live Demo
- 1000 Most Common Passwords List:
Here are some interesting facts gleaned from my most recent data:
- 0.5% of users have the password — “password”;
- 0.4% have the passwords password or 123456;
- 0.9% have the passwords password, 123456 or 12345678;
- 1.6% have a password from the top 10 passwords
- 4.4% have a password from the top 100 passwords
- 9.7% have a password from the top 500 passwords
- 13.2% have a password from the top 1,000 passwords
- 30% have a password from the top 10,000 passwords
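Those percentages are why brute-force guessing against wp-login.php pays off: a short list of passwords tried against every site in a scan will open some of them. As an added example (not from the original post or the linked list), the Python below flags IPs that hammer wp-login.php with failed logins inside a sliding time window. The log lines are constructed; the IPs, timestamps, window and threshold are assumptions.

```python
"""Flag brute-force login attempts against wp-login.php in access logs.

Added example. Log lines are constructed; IPs, times and the threshold
are assumptions, not data from any real site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/Nginx "combined" format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, window_seconds=300, threshold=10):
    """Return {ip: peak_attempts} for IPs with more than `threshold` failed
    POSTs to /wp-login.php inside any `window_seconds` span.

    WordPress re-renders wp-login.php with HTTP 200 on a failed login and
    answers a successful one with a 302 redirect, so 302s are not counted.
    Lines are expected in chronological order, as they are in a log file.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["status"] == 302:
            continue
        if rec["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window.
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def _line(ip, ts, method="POST", path="/wp-login.php", status=200):
    return (f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 2712 '
            f'"-" "Mozilla/5.0"')


# Constructed sample: one IP guesses twelve times in a minute, a legitimate
# editor fails once and then succeeds, and a crawler fetches the front page.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"06/Jul/2018:10:00:{i * 5:02d} -0500") for i in range(12)]
    + [_line("198.51.100.5", "06/Jul/2018:10:01:10 -0500", status=200),
       _line("198.51.100.5", "06/Jul/2018:10:01:25 -0500", status=302),
       _line("192.0.2.44", "06/Jul/2018:10:02:00 -0500", method="GET", path="/")]
)

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins within 5 minutes")
```

The threshold is deliberately higher than a forgetful human produces; a lockout plugin does the same counting on the server side, and the log version is useful for confirming whether an attack already happened.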
This month we noticed a very interesting variant of this infection. While still related to the same vulnerability on the same outdated versions of Newspaper and Newsmag themes, the malware has been designed to both inject malvertising and take over a WordPress website completely. At the moment, PublicWWW service reports over a thousand sites infected with this latest version of the malware.
WordPress Update – 4.9.7 Security & Maintenance Release
Security Risk: Dangerous
Exploitation Level: Moderately Difficult/Remote
DREAD Score: 6.8/10
Vulnerability: Arbitrary File Deletion
Patched Version: 4.9.7
Included in this release is a patch that protects against a vulnerability allowing bad actors to delete files from your site. If certain circumstances are met, this vulnerability may be enough for an attacker to completely take control of your website.
Google and Facebook Used in Phishing Campaigns
Why Attackers Use URL Shorteners
Hackers are known to use URL shortening services to hide their real landing pages. This is very effective on social networks, and some attackers also use shorteners in site injections in the hope that the link is less likely to be flagged.
Here are other reasons why shortened URLs are used:
- they do not scare victims as much as long URLs that look odd and untrustworthy;
- they give the victim a sense of validity; especially in this case, since it is a Google service, people think it is probably safe;
- attackers use the tracking tools that shorteners such as bit.ly provide to see whether a campaign is working;
- the tools attackers use to build spam campaigns often shorten links automatically.
Fake Content was Obfuscating Malware
After removing all of the functions and commented lines that were not being used elsewhere in the file, the number of functions was reduced from 12 to just 7 and code lines were reduced from 336 to 86!
Only ¼ of the code was actually vital malware code, the rest was just fake content. This was a clever way to obfuscate the file and make it appear more legitimate.
Piece by piece, I started putting together the real purpose of these functions. Despite getting rid of the fake content, it was still not clear exactly what they did. It turns out that some of the functions were used simply to obfuscate some function names and their parameters.
This malware was loading the content of an “image” file and executing its content – exactly the result of the behavioral analysis.
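Two of the tells in that analysis are measurable: most of the functions in the file were never called, and the live code loaded an "image" and executed it. The Python below is an added example (not Sucuri's tooling) that scores a PHP file on those two signals plus run-time-assembled function names; SAMPLE_PHP and CLEAN_PHP are constructed files, not the malware from the case.

```python
"""Heuristics for PHP files padded with fake helper code that execute an
'image' file, as in the case described above.

Added example (not Sucuri's tooling). SAMPLE_PHP and CLEAN_PHP are
constructed files.
"""
import re

FUNC_DEF = re.compile(r'\bfunction\s+([A-Za-z_]\w*)\s*\(')
# A bare identifier followed by '(' that is not a $variable.
CALL = re.compile(r'(?<![\w$])([A-Za-z_]\w*)\s*\(')
# include/require/eval whose argument expression mentions an image extension.
IMAGE_EXEC = re.compile(
    r'\b(?:include|include_once|require|require_once|eval)\b[^;]*?'
    r'\.(?:jpe?g|png|gif|ico|bmp)\b',
    re.IGNORECASE,
)
# $name(...) calls a function whose name was assembled at run time.
DYNAMIC_CALL = re.compile(r'\$\w+\s*\(')
COMMENT_LINE = re.compile(r'^\s*(?://|#|/\*|\*)')


def analyse_php(code):
    """Return counts that separate padded malware from a normal helper file."""
    defined = set(FUNC_DEF.findall(code))
    # Drop the definitions so a function's own header is not counted as a call.
    body = FUNC_DEF.sub('', code)
    called = set(CALL.findall(body))
    unused = defined - called          # never called by name anywhere
    lines = [ln for ln in code.splitlines() if ln.strip()]
    comment_lines = sum(1 for ln in lines if COMMENT_LINE.match(ln))
    dynamic_calls = len(DYNAMIC_CALL.findall(code))
    executes_image = IMAGE_EXEC.search(code) is not None
    unused_ratio = len(unused) / len(defined) if defined else 0.0
    return {
        "functions_defined": len(defined),
        "functions_unused": len(unused),
        "unused_names": sorted(unused),
        "comment_lines": comment_lines,
        "dynamic_calls": dynamic_calls,
        "executes_image": executes_image,
        # Executing an "image" is decisive on its own; dead functions plus
        # run-time-assembled names is the padding pattern described above.
        "suspicious": executes_image or (unused_ratio >= 0.5 and dynamic_calls > 0),
    }


# Constructed: three decoy functions, one real one reached through a name
# built from string fragments, and an eval() of a .jpg.
SAMPLE_PHP = r'''<?php
/* Theme helper functions - cache warmup */
// Generated file, do not edit
function wp_cache_warm($url) { return strlen($url) > 0; }
function wp_cache_key($a, $b) { return md5($a . $b); }
function wp_cache_flush_all() { return true; }
function wp_img_loader($p) { return file_get_contents($p); }
$k = wp_cache_key('theme', 'v1');
$c = 'img_lo';
$f = 'wp_' . $c . 'ader';
eval($f(dirname(__FILE__) . '/assets/logo.jpg'));
'''

# Constructed benign file for comparison.
CLEAN_PHP = "<?php\nfunction add_two($a) { return $a + 2; }\necho add_two(3);\n"

if __name__ == "__main__":
    for key, value in analyse_php(SAMPLE_PHP).items():
        print(f"{key}: {value}")
```

The regexes are heuristics, not a PHP parser: a legitimate file that builds a callback name from a variable will raise `dynamic_calls`, and `IMAGE_EXEC` can match an `include` whose argument legitimately mentions an image path, so treat a hit as something to read, not something to delete.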
Summary of WordPress Security
These were the technical measures to secure your WordPress. However, there are a few more points you should remember and follow.
1. Host your WordPress website with a renowned and reliable hosting service provider.
2. Backup all your WordPress files and database regularly… probably at the end of every day.
3. Delete all unused and outdated plugins. Their code stays on the server even when deactivated, and that is an easy way in.
4. If you install a free theme from the Internet, review and scan all the theme files for suspected loopholes, malicious code or suspicious links.
5. Use strong passwords everywhere.
6. While adding new users, allocate suitable roles and capabilities with the minimum required permissions.
7. Monitor your WordPress website so that you have a record of what happens on it.
Choose difficult passwords for your WordPress admin and other users, and change them regularly
Blog as an editor, not as an administrator of your site.
- If you log in to WordPress anywhere someone could be "watching," it is best to log in as a user other than the administrator.
- Most people have probably heard that a random "free wifi" network that is publicly accessible may have been set up by a hacker. But places vulnerable to eavesdropping include public wifi at a coffee house, or even your own wifi if you live or work somewhere that others can "see" that you have wifi available.
- Every time you log in as admin in a vulnerable location is an opportunity for someone to scrape your password, especially if your login page is not served over HTTPS.
Install the latest version of WordPress and keep it updated.
- Basic, I know. But it doesn’t hurt to be reminded. If you usually write posts on your site as “editor” or another user, don’t forget to log-in as administrator on a regular schedule and check for updates.
- Plugins are even more likely to have security holes than the main WordPress install. Be sure to update them.
- If you installed your plugin from the WordPress Plugins Directory then WordPress will keep the admin user up to date on available updates.
- If you purchase any premium plugins, you may need to check for updates back at the developer’s site.
- If you deactivate a plugin, then delete it.
Maintain your site, or hire someone to maintain it for you.
- When software is improved or security issues are discovered, new versions of WordPress and plugins will be released and someone will have to update them on your site. This is called maintenance of your site.
- If you set up your site, then the maintenance person is you. If you hired someone to make your site, check and see if you can hire them for maintenance. If you don’t have a maintenance agreement with them, you’ll either need to do it yourself or hire someone else to do it.
Updates can still fail, which is one more reason to take a backup before you update.
Backup your Site on a Regular Schedule
I use the UpdraftPlus Backup and Restoration plugin, available through your WordPress Plugin dashboard. There are also some very good paid options.
Install a basic security plugin
Free plugins, available from the WordPress Plugins Directory include:
- Sucuri Security – Auditing
- Anti-Malware Security and Brute-Force Firewall
- iThemes Security
- Wordfence Security
They all have paid pro versions available if you need more security.
If you want to use free themes or plugins, only use ones approved by WordPress and available to you through your WordPress dashboard.
There’s a ton of free stuff out there, and most of it is by good, honest software writers who just want to share their work.
Anyone can write a plugin or a free theme, so quality varies.
If you know enough basic code and can check it, then it’s a great resource.
It’s easy for hackers to install malware or vulnerabilities in free themes and plugins, so if you don’t know PHP or CSS code it’s best to stick with themes and plugins approved by WordPress.
If you buy themes or plugins, stick to well-known names.
Well-known developers include StudioPress – they make Genesis which I’m working on installing – and iThemes. Again, don’t forget to check on updates regularly if they aren’t available from your WordPress dashboard.
If you're not on a monthly security plan, manually scan your site for malware at a trusted site like https://sitecheck.sucuri.net/ on a regular schedule.
Change the WordPress default database prefix when you install WordPress.
Now, this was not something that made it onto the developer’s list; it was something I ran across in my searches and asked about. It’s so basic that the developer didn’t think to include it in his presentation. That’s part of the disconnect between developers and people new to WordPress or coding; there are things that are just so basic to a developer that they don’t think anyone needs to be told again.
You can read more about why you would want to change your database prefix, what a database prefix is, and how a hacker would exploit it at the post Is WordPress More Secure with a Changed Database Prefix?
Here’s the roadblock I ran into in my research – the best time to do this is during your install. But it’s so basic to the install, that all the developers writing about this assume that you know how to do it, and all they’re writing about is how to change the prefix on a site that’s already running, like in the post How to Change the WordPress Database Prefix to Improve Security.
When I first asked about this at the MeetUp, Nick very patiently explained where to find the box to do this on my install, after I entered my admin name and password. Yeah. Sounds pretty basic, I know. But here’s the thing. As we discussed it more and we looked around a little on the web, we discovered that if you use the one-button WordPress install available on your host, the option might not be there! So when I did my one button install this last time for a test site, I probably didn’t see a place to change the WordPress database prefix. Developers who teach courses like this aren’t using the one-button install, so they don’t know the option has disappeared.
Somewhere in the recesses of my memory, I seem to remember that this option might have been there when I did my first WordPress install a year or two ago, and I think my techie teenager instructed me to change it. So, I’m off to hunt around for a way to install WordPress that this option still exists! And hopefully, I’ll get done with all this research soon and manage to get up my new sites.
MAKE SURE YOUR MEMBERSHIP REGISTRATION IS TURNED OFF
Another thing I just learned: after your WordPress install, on your Dashboard go to Settings > General, find the Membership line, and make sure "Anyone can register" is NOT checked.
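The database prefix, the strong-password rule and the registration switch are all things that can be checked rather than remembered. The Python below is an added example (not a WordPress or plugin tool) that audits a wp-config.php for the default `wp_` prefix and a weak DB_PASSWORD, and checks the registration setting from a dictionary standing in for the wp_options table. SAMPLE_CONFIG, the hardened counterpart, the option values and the short common-password list are all constructed; the default_role check goes one step past the post, since it is the companion setting to "Anyone can register" on the same Settings screen.

```python
"""Audit a wp-config.php and the registration settings for the basics above.

Added example, not a WordPress or plugin tool. SAMPLE_CONFIG, SAMPLE_OPTIONS
and the short common-password list are constructed.
"""
import re

# Constructed excerpt of a top-passwords list; use the full list in practice.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123",
                    "letmein", "wordpress", "admin"}
MIN_PASSWORD_LEN = 12  # assumption: pick a policy length and enforce it

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def parse_wp_config(text):
    """Return (defines, table_prefix) from wp-config.php source."""
    defines = dict(DEFINE_RE.findall(text))
    m = PREFIX_RE.search(text)
    return defines, (m.group(1) if m else None)


def audit(config_text, options):
    """Return a list of findings; an empty list means the basics are in place.

    `options` stands in for rows of the wp_options table, for example the
    output of `wp option get users_can_register` with WP-CLI."""
    findings = []
    defines, prefix = parse_wp_config(config_text)
    if prefix in (None, "wp_"):
        findings.append("table_prefix is the default wp_")
    password = defines.get("DB_PASSWORD", "")
    if password.lower() in COMMON_PASSWORDS or len(password) < MIN_PASSWORD_LEN:
        findings.append("DB_PASSWORD is short or on the common-password list")
    if options.get("users_can_register", "0") == "1":
        findings.append("'Anyone can register' is enabled")
    # Companion setting: what role a self-registered user would receive.
    if options.get("default_role", "subscriber") != "subscriber":
        findings.append("new users get the %s role" % options["default_role"])
    return findings


SAMPLE_CONFIG = r"""<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'password' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""
SAMPLE_OPTIONS = {"users_can_register": "1", "default_role": "subscriber"}

HARDENED_CONFIG = r"""<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'Tq8!vN2#zLp4wRd9' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'k7q_';
"""
HARDENED_OPTIONS = {"users_can_register": "0", "default_role": "subscriber"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_OPTIONS):
        print("FAIL:", finding)
    print("hardened:", audit(HARDENED_CONFIG, HARDENED_OPTIONS) or "no findings")
```

Changing the prefix on a live site is more than editing this one line (the option and usermeta keys in the database carry the prefix too), which is why the post recommends setting it at install time.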
* How do you know if you've been hacked? Signs to look for include a new user showing up in your dashboard that you didn't add, and spam ads appearing on your site. For more information and steps to take if you have been hacked, check out Your Website Hacked but No Signs of Infection.
During one part of our discussion of the recent exploits, one member piped up and asked, “Where the heck do you hear about these exploits and security alerts?”
I promised that I would include some of these sources here. If you know more sources for WordPress security news, please add your sources to the comments.
For a daily view of what is happening in the WordPress community, check out WordPress Planet at http://planet.wordpress.org. This is an aggregation of blogs talking about WordPress from around the world.
For official WP news, check out the WordPress Dev Blog found at http://wordpress.org/news/
To receive the latest news from Sucuri in your inbox, go to http://blog.sucuri.net/ and sign up for their blog.
To get the latest security news from iThemes, sign up for their blog at http://ithemes.com/blog. Note: Austin WordPress co-organizer Chris Wiegman joined iThemes last December and is the lead developer on the iThemes Security plugin, formerly Chris' own WordPress security plugin.
I am a big fan of zdnet.com (http://www.zdnet.com/) as a news source and subscribe to several of their newsletters. You might also follow Violet Blue (@violetblue).
WordPress security gurus worth following include Tony Perez, Sucuri co-founder and CEO (@perezbox), Daniel Cid, Sucuri co-founder and CTO (@danielcid), and Chris Wiegman (@ChrisWiegman).
Code Poet is a resource for anyone building WordPress sites. You can subscribe to get notifications and cool single-subject ebooks at http://build.codepoet.com. (The ebook about WordPress security is included in the resources at the end of this article.)
WordPress Security Plugins