28.4 percent of the world's largest websites run on WordPress. This high market share makes WP sites a popular target for hackers. Operators of small sites in particular often think they are safe: who would hack a blog with little reach and no sensitive data? Today I'll show you why this is a dangerous fallacy when it comes to WordPress security.
WordPress is particularly interesting for attackers precisely because so many sites use it. For many forms of attack, it is not the "quality" of the hacked targets that matters, but simply being able to automatically infiltrate as many sites as possible. What it looks like when a vulnerability is systematically exploited was shown by the security hole in WordPress 4.7.1: countless sites had their start pages defaced with a note reading "hacked by".
The security firm Sucuri had found the vulnerability and reported it to WordPress. And although the problem was fixed in WordPress 4.7.2, millions of sites were hacked in so-called defacement attacks after the exploit became public.
The example illustrates that really every WordPress site is of interest to attackers. In most cases, the attacks run fully automatically. Today I will show you what such an attack can look like, what hackers are after, and what consequences a successful hack can have for you and your sites.
Hackers want to hijack your WordPress sites
As I said, most of the time it's not about how big the site is or what there is to get. It is simply an automated attack on a large number of websites that have not closed certain security holes. Once the site is infected, it can be misused for sending spam, for example, or it distributes malware - i.e. malicious software - to the site's visitors.
In this way, hackers build a network of malware distributors, or a botnet, that they can later abuse for DDoS or brute force attacks. The individual site is therefore often only interesting as part of a larger whole. And the more sites an attacker hijacks or infects, the more valuable his malware machinery becomes.
Number of attacks on WordPress on the rise
The number of attacks on websites is currently rising. According to Google, 32 percent more sites were hacked in 2016 than in 2015. One of the most common types of attack was the so-called brute force attack: the attacker tries to hit the correct combination of login and password simply by guessing, or already has lists of passwords that are tried out one after another.
Figures from the security provider Wordfence underline this: for months, the US company has seen a steady increase in these attacks on WordPress.
Reach is the capital of hackers
This can be illustrated very well using the example of a botnet. A botnet is a network of hijacked websites (which can also be Internet-enabled end devices or routers) that is used, for example, to launch DDoS attacks against websites or servers. The elements of the botnet are activated and bombard the target on command with so many requests that the site collapses or the server is overloaded.
The more websites a hacker can include in his botnet, the more powerful and therefore valuable it becomes. However, this also means that hijacking WordPress installations is often only the first step for hackers. The second step is to create something that can be monetized.
The three Is: Inform, Identify, Infiltrate
Roughly speaking, non-specific WordPress hacks can be divided into three phases:
Phase 1: Obtain information
In the first step, the attacker gathers knowledge about known or unknown vulnerabilities in WordPress. This can be done, for example, via platforms like the WPScan Vulnerability Database.
For the defacement attacks I mentioned at the beginning of this post, a look at WordPress.org would have been enough.
Phase 2: Identify attack vectors
Now the attacker knows where to start and, in phase 2, writes a script that picks out, from the mass of sites, those that actually have the vulnerability. In the case of the defacement attacks on WordPress 4.7 and 4.7.1, this was easily done by simply reading the WordPress version.
Phase 3: Automated attacks
Once a vulnerable site is found, the attacker can - again automatically - hack the site and make the (un)desired changes. Some typical examples are:
- Data theft: An attacker tries to steal sensitive data from your site or from your site's visitors. This can be email addresses or bank data - but in principle anything that can be sold or reused is of interest. For example, a hacker can place a fake form on your site that captures all the data entered into it - in a seemingly trustworthy environment and even over an SSL-encrypted connection.
- Hijacking the site: An attacker can hijack your WordPress site into a botnet. In this way, the hacker secures control over your site and is able, for example, to carry out DoS or DDoS attacks with it on command.
- Injecting malicious code: Malicious code is placed on your site. For example, an attacker can misuse your advertising space for his own purposes or place forms on your site that steal your users' personal data.
In most cases, WordPress hacks cost time and money.
The costs caused by WordPress hacks and the exact direct or indirect consequences of an attack cannot be stated in general terms. However, operators of hacked websites must always be prepared for these three consequences:
1) Costs for recovery
Millions of attacks on WordPress sites take place every day. The plugin producer Wordfence alone measured an average of 35 million brute force attacks and 4.8 million exploit attacks for April 2017. In other words, there is no absolute security. You can only keep the probability of being hacked as low as possible and create appropriate mechanisms that allow you to quickly restore your site if the worst happens.
In the best case, you have a backup of your site and can simply restore it. If the backups are also infected or a restore is not possible, it gets more complicated. Then you have to spend time and money on the manual removal of the malware.
2) Loss of turnover
Depending on what type of malicious code was injected and how long your site has to be taken down for maintenance, you may also incur costs in the form of lost revenue from advertising and sales.
3) Loss of confidence
Google sees everything: a hacked site often contains malicious code that spreads malware. If Google detects this - and you do nothing about it - your site will end up on a blacklist. Visitors who access the website will then see a security warning about malware or phishing. This can also cause your Search Engine Ranking Position (SERP) to suffer and you to lose significant reach.
Conclusion: Attacks on WordPress sites are quite normal
Of course, this article is not intended to incite unfounded panic. What it should make clear, however, is this: just because you have a "small" site does not mean you should not actively address the issue of website security.
At the outset, I mentioned that the sheer size of WordPress as a CMS makes any site a potential target. But this size also brings with it a decisive advantage: a worldwide community of volunteers and the employees of WordPress companies are working around the clock to make WordPress more secure. And so, sooner or later, there is an adequate solution for every vulnerability and for every problem.