WordPress Security: Even Your Site Is Interesting for Hackers

Tobias Schüring, last updated 23.01.2020, 5 min.

Hacker attacks on WordPress: your site is also interesting for hackers

28.4 percent of the world's largest websites run on WordPress. This wide distribution makes WP sites a popular target for hackers. Operators of small sites in particular often think they are safe: who would hack a blog with low reach or without sensitive data? Today I'll show you why this is a dangerous fallacy when it comes to WordPress security.

WordPress is particularly interesting for attackers precisely because so many sites use it. For many forms of attack, it is not the "quality" of the hacked targets that matters, but simply being able to compromise as many sites as possible automatically. What it looks like when a vulnerability is exploited systematically is shown by the security hole in WordPress 4.7.1: countless sites had their start page defaced with the note "hacked by".

Security firm Sucuri had found the vulnerability and reported it to WordPress. And although the problem was fixed in WordPress 4.7.2, millions of sites were hacked in so-called defacement attacks once the exploit became known.

The example illustrates that really every WordPress site is interesting for attackers. In most cases, the attacks run completely automatically. Today I will show you what such an attack can look like, what hackers are after, and what consequences a successful hack can have for you and your sites.

Hackers want to hijack your WordPress sites

As I said, most of the time it's not about how big the site is or what there is to get. It is simply an automated attack on a large number of websites that have not patched certain security holes. Once a site is infected, it can be misused for sending spam, for example, or it distributes malware (malicious software) to the visitors of the site.

In this way, hackers create a network of malware suppliers or a botnet that they can later abuse for DDoS or Brute Force attacks. The individual site is therefore often only interesting as part of a larger whole. And the more sites an attacker hijacks or infects, the more valuable his malware machinery becomes.

Number of attacks on WordPress on the rise

The number of attacks on websites is currently on the rise. According to Google, 32 percent more sites were hacked in 2016 than in 2015. One of the most common types of attack were so-called Brute Force attacks, in which the attacker tries to hit the correct combination of login and password simply by guessing, or works through lists of passwords that he already has.

This is also underlined by the figures of the security provider Wordfence. For months, the US company has seen a steady increase in these attacks on WordPress.

Figure: Hacker attacks on WordPress: Brute Force and complex attacks on WordPress sites from December 2016 to January 2017.

In contrast to complex attacks, the number of Brute Force attacks is rising constantly. This is because Brute Force attacks do not depend on the existence of a specific security vulnerability; they only need a login form and weak credentials.

Reach is the capital of hackers

This can be illustrated very well using the example of a botnet. A botnet is a network of hijacked websites (which can also be Internet-enabled end devices or routers) that is used, for example, to launch DDoS attacks against websites or servers. The elements of the botnet are activated and bombard the target on command with so many requests that the site collapses or the server is overloaded.

The more websites a hacker can include in his botnet, the more powerful and therefore valuable it becomes. However, this also means that hijacking WordPress installations is often only the first step for hackers. The second step is to create something that can be monetized.

The three Is: Inform, Identify, Infiltrate

Roughly speaking, non-specific WordPress hacks can be divided into three phases:

Figure: Hacker attacks on WordPress: the three phases of a prototypical attack on WP.

Once an attacker knows about a vulnerability, the real work begins: he must write a program that can find out whether the vulnerability exists on a given site and then exploit it automatically.

Phase 1: Obtain information

In the first step, the attacker gathers knowledge about known or as yet unknown vulnerabilities in WordPress. This can be done, for example, via platforms like the WPScan Vulnerability Database.

For the defacement attacks I mentioned at the beginning of this post, a look at WordPress.org would have been enough.

Phase 2: Identify attack vectors

Now the attacker knows where to start. In phase 2 he must write a script that lets him pick out, from the mass of sites, those that actually have the vulnerability. In the case of the defacement attacks on WordPress 4.7 and 4.7.1, this was easily done by reading the WordPress version a site reports.

Phase 3: Automated attacks

Once found, the attacker can - again automated - hack the site and make the (un)desired changes. Some typical examples are:

  • Data theft: An attacker tries to steal sensitive data from your site or from its visitors. This can be email addresses or bank data, but in principle anything that can be sold or reused is interesting. For example, a hacker can place a fake form on your site that captures everything entered into it, and all of this in an apparently trustworthy environment, even over an SSL-encrypted connection.
  • Hijacking the site: An attacker can hijack your WordPress site into a botnet. In this way, the hacker secures control over your site and is able, for example, to carry out DoS or DDoS attacks with it on command.
  • Injecting malicious code: Malicious code is placed on your site. For example, an attacker can misuse your advertising space for his own purposes or place forms on your site that steal your users' personal data.

In most cases, WordPress hacks cost time and money.

The costs caused by a WordPress hack, and the exact direct or indirect consequences of an attack, cannot be stated in general terms. However, operators of hacked websites must always be prepared for these three consequences:

1) Costs for recovery

Every day, millions of attacks on WordPress sites take place. The plugin maker Wordfence alone measured an average of 35 million Brute Force attacks and 4.8 million exploit attacks for April 2017. In other words, there is no absolute security. You can only keep the probability of being hacked as low as possible and create appropriate mechanisms that allow you to quickly restore your site if the worst happens.

In the best case, you have a backup of your site and can simply restore it. If the backups are also infected or a restore is not possible, it gets more complicated. Then you have to spend time and money on the manual removal of the malware.

2) Loss of turnover

Depending on what type of malicious code was injected and how long your site needs to be maintained, you may also incur costs in the form of lost revenue from advertising and sales.

3) Loss of confidence

Google sees everything: A hacked site often contains malicious code that spreads malware. If Google detects this, and you do nothing about it, your site will end up on a blacklist. When the website is accessed, visitors will then see a security notice warning them of malware or phishing. This can also cause your Search Engine Ranking Position (SERP) to suffer, so that you lose significant reach.

Conclusion: Attacks on WordPress sites are quite normal

Of course, this article is not intended to incite unfounded panic. What it should make clear, however, is: Just because you have a "small" site does not mean that you should not actively address the issue of website security.

For example, it is important to know that the majority of vulnerabilities can be eliminated through regular updates. And that an SSL certificate does not protect your site from hacker attacks.

At the outset, I mentioned that the sheer size of WordPress as a CMS makes any site a potential target. But this size also brings with it a decisive advantage: a worldwide community of volunteers and the employees of WordPress companies are working around the clock to make WordPress more secure. And so, sooner or later, there is an adequate solution for every vulnerability and for every problem.

As a system administrator, Tobias watches over our infrastructure and finds every possible way to optimize the performance of our servers. His tireless efforts mean he can often be found on Slack in the early hours.
