The threats facing WordPress users

“WHAT THE F***???”

Imagine yourself shouting this text as loud as you can. 

Everything you worked on: your content, your witty jokes, your well selected images. 

All gone. 

And the visitors to your site, your potential customers, don’t see all the content you spent so much time and money on. Instead they see “HACKED BY GHOST 2945, COURTESY OF IDIOT SECURITY”

In this article, we’ll look at the dangers facing your WordPress website(s), and some solutions designed to help you avoid the scenario we just described. 

WordPress is, by far, the most popular CMS on the internet – it powers 43% of all websites. While this makes for a great community, it also paints a giant target on our backs. According to the Arishi agency, WordPress websites are attacked 90,000 times a minute*.  

There are several reasons for WordPress’s vulnerability:

  • Popularity: Imagine that you’re a hacker designing tools to break into websites. Do you want to spend your time designing a tool to attack 2% of all websites or a tool to attack 43% of all websites?
  • Open source: Not only do you have access to the code running WordPress and its plugins, so do the hackers. Vulnerabilities are published so that users can patch them, but that means the vulnerabilities are also known by malicious actors who can then search for any security flaws and exploit them.
  • Reliance on plugins: WordPress relies on plugins for much of its functionality. As of January 2023, there were over 60,000 plugins in the WordPress repository. This means that WordPress security relies on thousands of developers and millions of users keeping their plugins up to date. In fact, according to WP Clipboard, 52% of WordPress vulnerabilities are due to plugins – usually caused by the use of outdated plugins.
  • Wide attack surface: WordPress is a complex system with a lot of moving parts – there’s WordPress itself, PHP, SQL, themes, plugins – all of which are vulnerable in their own ways.

The threats

So let’s look at some of the most common attacks on WordPress websites:

  • XSS (cross-site scripting) attacks
  • SQL injection attacks
  • Brute force attacks
  • Man-in-the-middle attacks
  • DDoS attacks
  • SEO Spam

XSS attacks

This is the most common form of attack on WordPress sites. In an XSS attack, hackers inject malicious code into either a webpage (a reflected XSS attack) or the website’s database (a stored XSS attack).   

XSS attacks can take several forms:

  • Hackers use the input field of a form to enter their own code into a webpage. This code then becomes part of that page. 
  • Hackers enter a fake URL with malicious code into the page and this code becomes part of the webpage.
  • Hackers attack sites that accept file uploads by uploading files with malicious code. The code is then incorporated in the code of the page or app.

If the hackers manage to get their code saved on your server as well, the attack becomes a stored XSS attack that affects every visitor to your website.

Hackers can use the data they’ve gathered to steal information from users or even impersonate them. They can also redirect visitors to scam sites or steal your server’s resources.

SQL injection attacks

SQL injection attacks are the second most common form of attack on WordPress sites and are particularly dangerous. Like XSS attacks, they use malicious code to attack your site. The difference is that while XSS attacks usually target webpages, SQL injection attacks target your database.

WordPress websites are built using SQL databases. All your posts, pages, images and other data are stored in an SQL database. Most WordPress sites are generated dynamically, which means that when visitors come to your site, WordPress grabs the information from the database and constructs the webpage on-the-fly. 

It’s this back and forth between the site and the database that leaves you vulnerable to SQL injection attacks.

Similar to XSS attacks, SQL injection attacks can take several forms:

  • Hackers use the input field of a form to enter their own code. Here the input is SQL code, which ends up being executed against your database.
  • Hackers enter a fake URL containing malicious SQL code, and that code is passed through to the database.
  • Hackers use cookies to inject SQL code into your database.

Once your database accepts code from outside parties, hackers can send commands to the database just as the website owner can.

These types of attacks are generally aimed at exfiltrating, or downloading, the data from your server to the attacker’s computer. This means usernames, passwords, credit card numbers etc. are all at risk. Like XSS attacks, these hacks can also be used to redirect users to scam websites or to take over your server resources.
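The two injection patterns described above, a form field that reaches the database and stored content that reaches the page, shown side by side with their fixes. This is an added example, not code from the article; it uses Python with SQLite and constructed rows shaped like WordPress's wp_users table (real table and column names, made-up data). Inside WordPress the same two fixes are $wpdb->prepare() for queries and esc_html() for output.

```python
import html
import sqlite3

# Constructed rows shaped like WordPress's wp_users table (real table and column names,
# invented data). Hayden's display name carries the kind of script tag a stored XSS leaves behind.
ROWS = [
    ("alex", "alex@example.com", "Alex"),
    ("hayden", "hayden@example.com", "<script>alert(1)</script>Hayden"),
]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE wp_users (user_login TEXT, user_email TEXT, display_name TEXT)")
    con.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", ROWS)
    return con

def lookup_naive(con, user_login):
    # Vulnerable: the form field is pasted into the SQL text, so SQL syntax typed into
    # the field rewrites the query itself. This is the injection the article describes.
    sql = f"SELECT user_login, user_email FROM wp_users WHERE user_login = '{user_login}'"
    return con.execute(sql).fetchall()

def lookup_safe(con, user_login):
    # Hardened: the driver binds the value separately, so the field is only ever compared
    # as data. ($wpdb->prepare() plays this role inside WordPress.)
    sql = "SELECT user_login, user_email FROM wp_users WHERE user_login = ?"
    return con.execute(sql, (user_login,)).fetchall()

def render_naive(display_name):
    # Vulnerable: stored content dropped into the page verbatim, so a saved script tag
    # runs in every visitor's browser (stored XSS).
    return f'<span class="author">{display_name}</span>'

def render_safe(display_name):
    # Hardened: escape at output time so the browser shows the characters instead of
    # interpreting them. (esc_html() plays this role inside WordPress.)
    return f'<span class="author">{html.escape(display_name, quote=True)}</span>'

def demo():
    """Returns (rows leaked by the naive lookup, rows from the safe lookup,
    script tag present in the naive render, script tag present in the safe render)."""
    con = make_db()
    # Textbook demonstration value: a quote closes the string and a tautology follows,
    # so the naive query matches every row and leaks every user's email address.
    field = "nobody' OR '1'='1"
    leaked = lookup_naive(con, field)
    bound = lookup_safe(con, field)
    return (len(leaked), len(bound),
            "<script>" in render_naive(ROWS[1][2]),
            "<script>" in render_safe(ROWS[1][2]))
```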

Brute Force attacks

The growth in automated hacking tools and bots gave rise to Brute Force attacks. As the name implies, these bots simply try millions of username/password combinations in an attempt to get into your website’s admin area, preferably with admin-level permissions. If a bot cracks your username/password combination, the attackers gain complete control of your site.

HTTP Man-in-the-Middle attacks

Man-in-the-middle attacks actually describe a wide variety of different attacks. It’s basically any attack where the visitor thinks they are communicating with a website but they’re actually sending information to hackers. Here we’ll talk specifically about HTTP man-in-the-middle attacks.

When the internet was first being developed, websites were given the prefix HTTP. Due to security concerns, a new protocol was put in place, making a new standard prefix HTTPS (the new “s” is for “secure”). In order to make sure people who still use the old prefix still end up at the correct sites, almost all HTTP pages automatically redirect visitors to the equivalent HTTPS page. However, this redirect gives hackers an opportunity to intercept this traffic. 

For WordPress sites, plugins are used for these redirects and outdated plugins let hackers hijack the redirect and send users to scam sites.

In 2019, Wordfence discovered a vulnerability in one such redirect plugin that was installed in over 70,000 websites. 

DDoS attacks

DDoS attacks are one of the oldest types of hacks on the internet. Imagine you have a site that normally gets 1,000 visitors an hour. Now, imagine that suddenly a million visitors an hour are trying to load your site’s pages. Server resources are strained and pages take forever to load, lowering your site’s performance and user experience, which can negatively impact SEO rankings and discourage potential customers.  

So where do these millions of visitors come from? These are bot networks targeting your site, visiting over and over again, with the clear intent of taking down your server and chasing away your human visitors. And to tie it all together, these bot networks are often constructed from resources stolen from servers using one of the other types of attacks we outlined above.     

There are a number of motivations for DDoS attacks:

  1. Political – hacktivists of all stripes may aim their attacks to shut down the websites of political enemies.
  2. Attack for hire – Businesses may hire hackers to take down the website of a competitor.
  3. Vandalism – many DDoS attacks take place just to show that the hacker can overpower a large site.
  4. Feint – Sometimes these DDoS attacks are accompanied by other hacking attempts, planned to take place while the site’s support personnel are busy with the DDoS attack. 

SEO Spam attacks

SEO stands for Search Engine Optimization; essentially, it’s how search engines find and rank sites on the web.

SEO Spam attacks are quite insidious. They are very hard to detect but can essentially destroy your site. In an SEO Spam attack, once hackers have control of your site (via one of the methods described above), they secretly fill your site with backlinks leading to a scam site.

This boosts the scam site’s SEO rating, but this is considered an illegitimate form of increasing SEO, so once search engines detect it (and are alerted to the fact that your site is linking to a scam site), they’ll penalize you. This means people searching for sites like yours will never see it. 

Defending yourself

There are a number of basic, but critical, steps you can take to defend yourself from these attacks:

  1. Keep your plugins up to date. While open source means that hackers can access the code, it also means that the vast WordPress community is also looking for vulnerabilities – in order to patch them. When the community spots a vulnerability, plugin and WordPress developers spring into action to fix it. But these fixes don’t do much good if users don’t update their software. While this sounds easy, it’s often neglected by many website owners for two reasons:
    1. Forgetfulness
    2. Every time you update a plugin, you have to test your site, and, yes, sometimes updates break things.
  2. Get rid of the admin username. By keeping this default username, you’re basically doing 50% of the hackers’ work by providing them with half of the username/password combo.
  3. Only assign needed permissions – In all likelihood, you’re not the only one working on your website. However, each additional person with access to your site is an additional way hackers can get into your site – one careless employee with admin privileges can open your site up to hackers. This is why WordPress offers you a range of roles (with different types of permissions) that you can give to people working on your site. For instance, if Alex is in charge of running your site, give them the role of Admin. Hayden, however, just writes posts for the site, so they should be given the role of Contributor, which has far fewer permissions.
  4. Limit the number of allowed WordPress login attempts – Bots can easily take advantage of unlimited WordPress logins to launch Brute Force attacks against your site, trying millions, even tens of millions, of username and password combinations. Limiting the number of login attempts strongly discourages bots from constantly probing your site.
  5. Make your site static – Converting your WordPress site to a static architecture is a kind of security silver bullet, because it removes the attack surface from the picture, making the attacks we listed either very difficult to achieve or impossible, and therefore completely irrelevant. Static WordPress sites work differently from the dynamic sites described above. With static technology, a copy of your WordPress site is converted into static files, which are then served up to the web. This means that the database is completely separate from the public-facing site. When visitors, or hackers, arrive at your page, they see a static HTML page. There’s no code for hackers to tunnel through into your database, no database for them to hack into, and no admin panel for them to brute-force. And the tremendous scalability of static sites lowers the effectiveness of DDoS attacks. Learn more about the security benefits of Strattic.
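Point 4 above in working form: a login-attempt limiter of the kind the "limit login attempts" plugins implement. This is an added example in Python, not code from the article, from WordPress or from any plugin; the thresholds and the two-key scheme are my assumptions. Failures are counted per client IP and per account name, so a bot spreading its guesses across many IPs against one account (the default admin username from point 2) is still locked out.

```python
import time
from collections import defaultdict, deque

class LoginLimiter:
    """Counts failed logins per client IP *and* per account name inside a sliding window.

    Reaching `max_failures` on either key locks that key for `lockout` seconds. The
    default thresholds are illustrative assumptions, not values from any particular plugin.
    """

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock                    # injectable so tests can control time
        self.failures = defaultdict(deque)    # key -> timestamps of recent failures
        self.locked_until = {}                # key -> time at which the lockout ends

    @staticmethod
    def _keys(ip, username):
        # Two independent keys: one bot hammering many accounts trips the IP key,
        # many bots hammering one account ("admin") trips the account key.
        return (f"ip:{ip}", f"user:{username.strip().lower()}")

    def allowed(self, ip, username):
        """Call before verifying the password; False means reject without checking it."""
        now = self.clock()
        return all(self.locked_until.get(k, 0.0) <= now for k in self._keys(ip, username))

    def record_failure(self, ip, username):
        now = self.clock()
        for k in self._keys(ip, username):
            q = self.failures[k]
            while q and now - q[0] > self.window:   # forget failures outside the window
                q.popleft()
            q.append(now)
            if len(q) >= self.max_failures:
                self.locked_until[k] = now + self.lockout
                q.clear()

    def record_success(self, ip, username):
        # A genuine login resets the counters; an active lockout is left in place.
        for k in self._keys(ip, username):
            self.failures[k].clear()
```

Calling allowed() before the password check also means a locked-out request never touches the user table, which keeps the cost of each bot request low.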

Staying safe

The internet has provided unprecedented opportunities for businesses to reach potential customers, but along with that comes exposure to criminals around the world. And while large companies and organizations are doing their best to make the internet safe, ultimately it’s up to you, the website owner, to stay safe.

*Yes I know the number seems ridiculous, but keep in mind that today’s hackers are using automated tools and bots that are constantly attacking, probing and looking for weaknesses.