There is no doubt that WordPress is the most popular web application for building a presence on the Internet. Currently, there are over 74 million web sites using WordPress and that number makes up a staggering 18.9 percent of all web sites on the Internet. But being so popular has a price; when the bad guys know that so many people use your software it becomes a target. Add to the mix the fact that your application is so easy to use that people without a great deal of technical knowledge can operate it and you start to make malicious hackers salivate; just ask Microsoft.
According to research conducted by the security firm Sophos, 73 percent of WordPress installations were found to be vulnerable to attack. In other words, the site's owner has not patched or hardened the installation, so an attacker can break in by exploiting a vulnerability that is already publicly known.
If those facts have you worried, take a deep breath and relax. We're going to show you some ways that you can better secure your blog against malicious hackers and make it difficult enough that most attackers will move on to an easier target and leave your site alone.
The very basics
If we are going to look at security from the ground up, it is important to understand some of the terminology that gets thrown around. Outside the security industry the word hacker is used to describe the bad guys who are trying to compromise your blog. The pros, on the other hand, opt for the terms threat actor, criminal or attacker; most of them despise the term cybercriminal. A vulnerability is a weakness in your software or its configuration; an exploit is the code or technique that takes advantage of that weakness; and a breach is when a threat actor successfully breaks into your system, in this case your blog, by exploiting a vulnerability.
Most of the time, we think of the attacker as someone who is trying to break into our site so they can steal financial information like credit card numbers or usernames and passwords. These are common targets of the threat actor, but they are not the only reasons why they might target your blog.
Blogs are targeted by some attackers to help other sites rank better in the search engine results. A blog is breached and the attacker injects links to another web site into the comment section or even into the posts themselves. These links are not always easy to spot: the attacker can strip the underline (text-decoration) and set the color of the anchor text to match the surrounding copy, or hide the element entirely with a style such as display:none, so the link is invisible to readers but still counted by search engine crawlers. These links harm the reputation of the breached site since they often point to low-quality sites, sites that promote illegal or illicit activities or sites that host malware. Which brings us to another reason why WordPress sites are often targeted.
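To make the hidden-link trick concrete, here is an added example (it is not code from the original article) that walks a post's HTML and flags anchors that are hidden by inline CSS or camouflaged to match the surrounding text. The sample post markup and the spam domains in it are constructed for the example. The check only sees inline style attributes; a link hidden through the theme's stylesheet would need that stylesheet resolved as well.

```python
"""Flag anchor tags hidden or camouflaged with inline CSS, the way
injected SEO spam links usually are. Added example, not code from the
original article; the sample post below is constructed."""
import re
from html.parser import HTMLParser

# Inline declarations that make an element (and everything inside it)
# effectively invisible to a reader while it stays in the markup.
HIDING_RULES = [
    re.compile(r"(?<![\w-])display\s*:\s*none(?=\s*(;|$))", re.I),
    re.compile(r"(?<![\w-])visibility\s*:\s*hidden(?=\s*(;|$))", re.I),
    re.compile(r"(?<![\w-])font-size\s*:\s*0(px|em|rem|%)?(?=\s*(;|$))", re.I),
    re.compile(r"(?<![\w-])opacity\s*:\s*0(\.0+)?(?=\s*(;|$))", re.I),
]
# "color:" but not "background-color:".
COLOR_RULE = re.compile(r"(?<![\w-])color\s*:\s*([^;]+)", re.I)
NO_UNDERLINE = re.compile(r"text-decoration\s*:\s*none", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


def _is_hidden(style):
    return any(rule.search(style) for rule in HIDING_RULES)


def _color(style):
    # Textual comparison only: "#333" and "#333333" are not unified.
    m = COLOR_RULE.search(style)
    return m.group(1).strip().lower().replace(" ", "") if m else None


class HiddenLinkFinder(HTMLParser):
    """Walk the markup keeping a stack of (tag, hidden, text color) so an
    anchor inherits visibility and color from its ancestors."""

    def __init__(self, default_color="#000"):
        super().__init__()
        self.stack = [("#document", False, default_color)]
        self.findings = []
        self._anchor = None  # (href, reason, text) while inside <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        _, parent_hidden, parent_color = self.stack[-1]
        hidden = parent_hidden or _is_hidden(style)
        color = _color(style) or parent_color
        if tag not in VOID:
            self.stack.append((tag, hidden, color))
        if tag == "a":
            reason = None
            if hidden:
                reason = "hidden by CSS"
            elif NO_UNDERLINE.search(style) and _color(style) == parent_color:
                reason = "camouflaged: underline removed, color matches surrounding text"
            self._anchor = (attrs.get("href", ""), reason, "")

    def handle_data(self, data):
        if self._anchor:
            href, reason, text = self._anchor
            self._anchor = (href, reason, text + data)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy nesting.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break
        if tag == "a" and self._anchor:
            href, reason, text = self._anchor
            if reason:
                self.findings.append(
                    {"href": href, "text": text.strip(), "reason": reason})
            self._anchor = None


def find_hidden_links(html, default_color="#000"):
    """Return a list of {href, text, reason} for every suspicious anchor."""
    parser = HiddenLinkFinder(default_color)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed post body: one honest link, three injected ones hidden in
# different ways, and one styled link that is still plainly visible.
SAMPLE_POST = """
<div class="entry" style="color:#333333">
  <p>Thanks for reading; the <a href="https://example.org/about">about page</a> has more.</p>
  <p><a href="http://cheap-pills.example/buy" style="display:none">buy pills</a></p>
  <span style="font-size:0"><a href="http://casino.example/">online casino</a></span>
  <p>Posted on Monday.<a href="http://payday.example/loan"
     style="text-decoration:none;color:#333333">payday loans</a></p>
  <p><a href="https://example.org/contact" style="text-decoration:none">Contact us</a></p>
</div>
"""

if __name__ == "__main__":
    for f in find_hidden_links(SAMPLE_POST):
        print(f"{f['reason']}: {f['href']} ({f['text']!r})")
```

Run it against the rendered body of each post (the post_content column, or the page as served, which also catches links added by a modified theme) and review every hit by hand; a legitimately styled link that happens to match the body color will also be reported, which is the point of the camouflage check.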
One of the most common reasons why a site might be attacked is so that the criminal behind the attack can upload malware to the targeted site. Once it is in place, the site serves code that exploits vulnerabilities in the web browsers of the site's visitors, and malware is loaded onto a visitor's computer just because they went to a blog, possibly even one they trust. Sites caught doing this are flagged by search engines like Google, which warn visitors away or drop the site from the results altogether, costing the site a great deal of traffic and doing a great deal of damage to its reputation.
The last type of attack we will mention here is the Denial of Service attack. The attacker knocks a site offline so that legitimate visitors cannot reach it, usually by flooding the server with more traffic and requests than the web server hosting the site can handle. Attackers rarely send this traffic from their own machines; they use other people's computers, ones that have been infected by malware and taken over to form a botnet, or other systems they have compromised. These attacks can come at the hands of a hacktivist, someone trying to take the site down for political or social reasons; a competing business or web site; or a young threat actor who is trying to hone their skills.
How they get in
We mentioned vulnerabilities earlier as the way attackers breach a blog. These vulnerabilities, and the attacks that exploit them, can come from a number of places:
- The WordPress code itself
- A plugin
- A template
- Brute force attacks
- The user
WordPress itself is a software application and at times people find holes in its code. Two favorite targets are wp-config.php, which holds the database credentials and the authentication keys and salts, and the wp-includes folder, which holds the core library code; an attacker who can read the first or write into the second owns the site. When these holes are found, the people who maintain WordPress work to patch them so that the hole is no longer a vulnerability. This is one reason why WordPress is updated and the most important reason to make sure that you are always running the most current version of WordPress on your site.
Plugins present the same problem; they consist of code and can have holes in them that let attackers in. For this reason, you should be careful about which plugins you install on your site and you should make certain to remove any plugins that are not being used; a deactivated plugin still sits on disk and its files can still be requested directly. Plugins have also been known to ship with backdoors deliberately written into them, giving the attacker access to any site that installs and activates them. This is not a common scenario, but it has happened. The best way to avoid it is to install plugins from the WordPress Plugin Directory rather than downloading them from another site, as the directory reviews submitted plugins and can remove one that turns out to be malicious.
Likewise, themes (templates) have been known to house security holes as well. Those inactive themes that are sitting in the themes directory and haven't been updated since you installed them could be just the thing an attacker is looking for, because their files are still on the server even when the theme is not in use. There have also been themes that contained malicious code that could be used for nefarious purposes.
Brute force attacks are another common method used to breach WordPress blogs. An automated system seeks out blogs running WordPress and then goes to work guessing the password for the admin username, which for years was the default name of the first account WordPress created. Since many blogs keep that account active, and with administrative rights, the attacker already knows half of the credential and need only guess the password. This isn't too hard for a program that can try thousands of passwords a minute against the login form, when you consider that most passwords are ridiculously simple.
The final vulnerability we will look at here is the user. It was mentioned previously that there are sites out there that exploit holes in a web browser and install malware on the computer of a person who visited that site. Malware can also be installed through phishing attacks that carry malicious attachments and even through older methods like file sharing. Malware can do a number of bad things on a computer, and one of them is capturing keystrokes. In practice that means the attacker can see that a person is logging into a WordPress site and can steal the URL, the username and the password. This is one more reason why you should run up-to-date anti-virus software on your computer, especially if you use that computer to access your blog.
Fighting back
A majority of attacks against WordPress sites happen because they are considered low-hanging fruit by the attacker, meaning they are easy to breach. Many of these attacks are so simple for the bad guys that they are automated: the attacker never has to do more than let a few programs run to compromise thousands of WordPress sites.
While no WordPress site, or any other computer system, will ever be 100 percent secured against attacks, you can make it more difficult for any attacker who targets your site. If you have done a good enough job of hardening your site, they might move on to an easier target. If they are intent on breaching your site, and they are able to do so, your goal will be to identify the breach and clean up your site as soon as possible.
To help you better secure your blog, we have part two of this series coming soon. In the follow-up post we will look at plugins, code hacks and other things you can do that will harden your blog against a majority of the common attacks out there.