28.4 percent of the largest websites worldwide run on WordPress. This high distribution makes WP sites a popular target for hackers. Especially operators of small sites often think they are safe, because who would hack a blog with a small reach or without sensitive data? Today I will show you why this is a dangerous fallacy when it comes to WordPress security.
WordPress is especially interesting for attackers because so many sites use it. For many forms of attack, it is not the "quality" of the hacked targets that matters, but simply being able to infiltrate as many sites as possible in an automated manner. What it can look like when a vulnerability is systematically exploited is shown by the example of the security hole in WordPress 4.7.1. Countless pages were then defaced on the home page with the notice "hacked by".
The security company Sucuri had found the vulnerability and passed it on to WordPress. And although the problem was fixed in WordPress 4.7.2, millions of sites were hacked in so-called defacement attacks after the exploit became known.
This example shows that every WordPress site is interesting for attackers. In most cases, the attacks run completely automatically. Today I will show you what such an attack can look like, what the target of hackers is and what consequences it can have for you and your pages once your site has been successfully hacked.
Hackers want to hijack your WordPress sites
As I said: Most of the time, it's not about how big the site is or what there is to get. A large number of websites that have not plugged certain security holes are simply attacked automatically. Once a site is infected, it can be misused to send spam or distribute malware to the site's visitors.
In this way, hackers create a network of malware suppliers or a botnet that they can later abuse for DDoS or brute force attacks. The individual site is therefore often only interesting as part of a larger whole. And the more sites an attacker hijacks or infects, the more valuable his malware machinery becomes.
Number of attacks on WordPress on the rise
The number of attacks on websites is currently on the rise. According to Google, in 2016 32 percent more sites were hacked than in 2015. One of the most common types of attack was the so-called brute force attack. Here, attempts are made to enter the correct combination of login and password by mere guesswork. Or the attackers already have lists of passwords that they try through.
This is also underlined by the figures of the security provider Wordfence. For months, the US company has been recording a steady increase in these attacks on WordPress.
Reach is the capital of hackers
This can be illustrated very well using the example of a botnet. A botnet is a network of hijacked websites (which can also be Internet-capable end devices or routers) that is used, for example, to launch DDoS attacks against websites or servers. The elements of the botnet are activated and bombard the target on command with so many requests that the site collapses or the server is overloaded.
The more websites a hacker can include in his botnet, the more powerful and thus valuable it becomes. But this also means that hijacking WordPress installations is often only the first step for hackers. The second step is to create something that can be monetised.
The three Is: Inform, Identify, Infiltrate
Roughly speaking, non-specific WordPress hacks can be divided into three phases:
Phase 1: Obtain information
In the first step, the attacker searches for knowledge about known or unknown vulnerabilities in WordPress. This can be done, for example, via platforms such as the WPScan Vulnerability Database.
With the defacement attacks that I mentioned at the beginning of the post, simply looking at WordPress.org would have been enough.
Phase 2: Identify attack vectors
Now an attacker knows where to start and must write a script in phase 2 that enables him to pick out those pages from the mass of pages that have the vulnerability. In the case of the defacement attacks on WordPress 4.7 and 4.7.1, this was easily possible by reading out the WordPress version.
Phase 3: Automated attacks
Once found, the attacker can - again automatically - hack the site and make the (un)desired changes. Some typical examples are:
- Data theft: An attacker tries to steal sensitive data from your site or from the visitors of your site. This can be e-mail addresses or bank data - but in principle anything that can be sold or reused is interesting. For example, a hacker can place a fake form on your site that steals all the data entered. And all of this in a seemingly trustworthy environment, even over an SSL-encrypted connection.
- Hijacking the site: An attacker can integrate your WordPress site into a botnet. In this way, the hacker secures control over your site and is able, for example, to carry out DoS or DDoS attacks with it on command.
- Infiltrate malicious code: This is when malicious code is placed on your site. For example, an attacker can misuse your advertising space for his own purposes or place forms on your site that steal your users' personal data.
In most cases, WordPress hacks cost time and money
It is impossible to say in general terms what costs a WordPress hack causes and what direct or indirect consequences an attack can have. However, hacked website operators must always be prepared for these three consequences:
1) Costs for restoration
Millions of attacks take place every day on WordPress sites. The plugin manufacturer Wordfence alone measured an average of 35 million brute force attacks and 4.8 million exploit attacks per day for April 2017. In other words: there is no absolute security. All you can do is keep the probability of being hacked as low as possible and create appropriate mechanisms that allow you to quickly restore your site if the worst comes to the worst.
In the best case, you have a backup of your site and can simply restore it. If the backups are also infected or a restore is not possible, it becomes more complicated. Then time and costs are incurred for the manual removal of the malware.
2) Loss of turnover
Depending on the type of malicious code that was installed and how long your site needs to be maintained, you may also incur costs in the form of lost revenue from advertising and sales.
3) Loss of trust
Google sees everything: A hacked site often contains malicious code that spreads malware. If Google recognises this - and you do nothing about it - your site will end up on a blacklist. When the website is called up, visitors will then see a security notice warning them of malware or phishing. This can also lead to your Search Engine Ranking Position (SERP) suffering and you losing significant reach.
Conclusion: Attacks on WordPress sites are quite normal
Of course, this article is not intended to incite unfounded panic. But what it should make clear is this: Just because you have a "small" site does not mean that you should not actively address the issue of website security.
I mentioned at the beginning that the sheer size of WordPress as a CMS makes any site a potential target. But this size also brings with it a decisive advantage: a worldwide community of volunteers and the staff of WordPress companies is working around the clock to make WordPress more secure. And so, sooner or later, there is an adequate solution for every vulnerability and for every problem.