43.2 percent of all websites worldwide run on WordPress. This high prevalence makes WordPress websites a popular target for attacks. Especially with a small website, many people often think they are safe, because who would hack a blog with a small reach or without sensitive data? Today I'll show you why this is a dangerous fallacy when it comes to WordPress security.
WordPress is particularly interesting because so many websites use it. For many forms of attack, it is not the "quality" of the hacked targets that matters, but simply being able to automatically infiltrate as many websites as possible. The example of the vulnerability in WordPress 4.7.1 showed what it can look like when a vulnerability is systematically exploited. At the time, countless websites were defaced on the homepage with the notice "hacked by".
The security company Sucuri had found the vulnerability and passed it on to WordPress. And although the problem was fixed in WordPress 4.7.2, millions of sites were hacked in so-called defacement attacks after the exploit became known.
The example illustrates that every WordPress website is interesting for attacks. This is because in the vast majority of cases, the attacks are completely automatic. Today I will show you what such an attack can look like, what the target is and what consequences it can have for you and your website once your website has been successfully hacked.
The aim is to hijack your WordPress website
As I said, most of the time it's not about how big the website is or what it has to offer. A large number of websites that have not plugged certain security holes are simply attacked automatically. Once the website is infected, it can be misused to send spam, for example, or distribute malware - i.e. malicious software - to users.
This creates a network of malware suppliers or a botnet that can later be misused for DDoS or brute force attacks. The individual website is therefore often only of interest as part of a larger whole. And the more websites are hijacked or infected, the more valuable the associated malware machinery becomes.
Number of attacks on WordPress on the rise
The number of attacks on websites is trending upwards. According to Google, 32% more websites were hacked in 2016 than in 2015. One of the most common types of attack was the brute force attack. Simply put, this is an attempt to guess the correct combination of login name and password.
This is also underlined by the figures from security provider Wordfence. A steady increase in these attacks on WordPress has been recorded in the USA.
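Brute force attempts against the login form leave a recognisable trace in the web server's access log: a burst of POST requests to wp-login.php from one address, each answered with HTTP 200 because WordPress re-renders the form after a failed login, while a successful login is a 302 redirect. The following detector, added here as an example and not part of the original post, runs a sliding window over constructed sample log lines (the addresses and timestamps are made up) and flags addresses that exceed a threshold of failed attempts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" log format (not from the original
# post): one legitimate login (302 redirect) and a burst of failed POSTs from
# a single address. Failed WordPress logins re-render the form with HTTP 200.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2017:08:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2550 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2017:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2891 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2017:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2891 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2017:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2891 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2017:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2891 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2017:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2017:08:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2891 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2017:08:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 2891 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2017:08:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2891 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def detect_login_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak_count} for addresses that sent at least `threshold`
    failed wp-login.php POSTs within any `window_seconds` sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of recent failed attempts
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue              # skip malformed lines instead of crashing
        if m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        if m["status"] != "200":  # 302 = successful login, not a failed guess
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop attempts that fell out of the window
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

if __name__ == "__main__":
    print(detect_login_bruteforce(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

The same logic can be pointed at xmlrpc.php, which is another common login path, by widening the path check.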
Reach is the real asset
The example of a botnet illustrates this well. A botnet is a network of hijacked websites (it can also consist of Internet-enabled end devices or routers) that is used, for example, to launch DDoS attacks against websites or servers. On command, the members of the botnet are activated and bombard the target with so many requests that the server becomes overloaded and collapses.
The more websites are included in a botnet, the more powerful and therefore more valuable it becomes. However, this also means that hijacking WordPress installations is often only the first step. The second step is to create something that can be monetized.
The three I's: inform, identify, infiltrate
As soon as a security vulnerability is known, the real work begins: a program must be written that can find out whether the vulnerability exists and then exploit it automatically. Roughly speaking, untargeted WordPress hacks can be divided into three phases:
Phase 1: Obtaining information
The first step is to search for knowledge about known or unknown vulnerabilities in WordPress. This is possible via platforms such as the WPScan Vulnerability Database.
With the defacement attacks that I mentioned at the beginning of the post, a simple look at wordpress.org would have sufficed.
Phase 2: Identify attack vectors
Now we know where to start. In phase 2, a script must be written that picks out, from the mass of websites, those that have the vulnerability. In the 2017 defacement attacks on WordPress 4.7 and 4.7.1, this was easily possible by reading the WordPress version.
Phase 3: Automated attacks
Once found, the website can be hacked (automatically) and the (un)desired changes made. Some typical examples are:
- Data theft: Attempts are made to steal sensitive data from your website or users. This could be email addresses or bank details - but in principle anything that can be sold or reused is of interest. For example, a fake form can be placed on your website that steals all the data entered. And all this in a seemingly trustworthy environment, encrypted with SSL.
- Hijacking the website: Your WordPress website is integrated into a botnet. This secures control over your website and makes it possible, for example, to carry out DoS or DDoS attacks on command.
- Infiltrating malicious code: This involves placing malicious code on your website. For example, your advertising space can be misused or data can be stolen using false forms.
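The defender's counterpart to phase 2 is knowing what your own site advertises. By default WordPress prints its version in a generator meta tag in the page head (an assumption about default wp_head output, not something the post states), so the following self-check, added here as an example and not part of the original post, parses a constructed sample of a site's own front page, compares the disclosed version against the patched release the post names, and reports both the leak and whether the version is outdated.

```python
import re

# Patched release for the bug behind the 2017 defacement wave: the post names
# 4.7 and 4.7.1 as affected and 4.7.2 as the fix.
MIN_SAFE_VERSION = "4.7.2"

# WordPress advertises its version in a <meta name="generator"> tag unless the
# site owner removes it (assumption: default wp_head output, not from the post).
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([0-9][0-9.]*)"', re.I)

# Constructed sample of a site's own front page, not from the original post.
SAMPLE_HTML = ('<html><head><title>Blog</title>'
               '<meta name="generator" content="WordPress 4.7.1" />'
               '</head><body></body></html>')

def parse_version(text):
    """Turn '4.7' or '4.7.1' into a comparable 3-tuple: '4.7' -> (4, 7, 0),
    so a two-part release compares correctly against a three-part patch."""
    parts = [int(p) for p in text.strip(".").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def audit_generator_tag(html, min_safe=MIN_SAFE_VERSION):
    """Report whether a page leaks its WordPress version and, if so, whether
    that version is older than the patched release."""
    m = GENERATOR_RE.search(html)
    if not m:
        return {"version_exposed": False, "version": None, "outdated": None}
    version = m.group(1)
    return {"version_exposed": True, "version": version,
            "outdated": parse_version(version) < parse_version(min_safe)}

if __name__ == "__main__":
    print(audit_generator_tag(SAMPLE_HTML))
```

A result with "version_exposed" set to True is itself worth fixing: removing the generator tag does not replace updating, but it stops handing the version to every automated scanner.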
In most cases, WordPress hacks cost time and money
It is impossible to say in general terms what costs are incurred by a WordPress hack and what direct or indirect consequences an attack can have. However, you should always be prepared for these three consequences with hacked websites:
1) Costs for restoration
Millions of attacks on WordPress websites take place every day. The plugin manufacturer Wordfence alone measured an average of 35 million brute force attacks and 4.8 million exploit attacks every day in April 2017. In other words: there is no such thing as absolute security. All you can do is minimize the likelihood of being hacked and create appropriate mechanisms that allow you to quickly restore your website if the worst comes to the worst.
In the best case scenario, you have a backup of the website and can simply restore it. If the backups are also infected or it is not possible to restore them, it will be more time-consuming. Then there is the time and cost of manually removing the malware.
2) Loss of sales
Depending on what type of malicious code has been injected and how long your website has to be taken offline for cleanup, you may also incur costs in the form of lost advertising and sales revenue.
3) Loss of confidence
Google sees everything: A hacked website often contains malicious code that spreads malware. If Google recognizes this - and you do nothing about it - your website will end up on a blacklist. When users access the website, a security notice appears warning them of malware or phishing. This can also cause your position in the search engine results pages (SERPs) to suffer, and you lose a significant amount of reach.
Conclusion: Attacks on WordPress websites are completely normal
Of course, this article is not intended to stir up unfounded panic. But it should make it clear: Just because you have a "small" website doesn't mean that you shouldn't actively address the issue of WordPress security.
For example, it is important to know that the majority of vulnerabilities can be eliminated through regular updates. And that an SSL certificate does not protect your website from attacks.
I mentioned at the beginning that the sheer prevalence of WordPress as a CMS makes every website a potential target. However, this prevalence also brings with it a decisive advantage: a global community is working around the clock to make WordPress more secure. And so sooner or later, there is an adequate solution for every vulnerability and every problem.