WordPress Hacking: What You Need To Know & How To Prevent It

Neil Henry / security, wordpress Leave a Comment

Since it was first introduced in 2003, WordPress has gone from strength to strength, and today it is firmly established as the most popular Content Management System (CMS) for website development.

Let’s back that claim up with some numbers:

There are currently more than 1.1 billion live websites in the world (at time of writing). And a quick check on the W3Techs website (specifically the usage of content management systems for websites section) shows that the WordPress platform is used by 28% of all websites online today.

Compare that to the prevalence of the next four content management systems – Joomla, Drupal, Magento and Blogger, whose combined usage total is just 7.9% – and you start to see just how prominent WordPress usage is.

But all that success has meant that WordPress is there to be shot at, and that’s why security breaches affecting WordPress-powered sites aren’t uncommon.

If you own a WordPress website, are considering migrating to one, or pondering getting a website developed for the very first time, you need to do your due diligence.

WordPress is the platform of choice. It provides everything – stunning design, endless customization, extensive marketing opportunities and so much more – but you need to familiarize yourself with its security requirements. Know about the most common types of WordPress hacks, how to spot them, how to fix them, and how to prevent them from happening again in the future.

Why Do Hackers Target WordPress Websites?

WordPress’ ease of use means that even individuals with just a small amount of IT knowledge can build a website. It’s one of the main reasons why the platform has become so popular.

The problem, however, is that while building a website is one thing, keeping it secure is quite another, and these individuals often don’t take WordPress security as seriously as they should.

This makes WordPress websites something of an easy target, and because of this, websites running on the WordPress platform are frequently targets of malicious hack attempts.

Now you may be wondering why someone would bother hacking your personal blog or hobby website – especially since you probably don’t store any credit card details or sensitive information.

The bottom line is WordPress websites are targeted by hackers for several reasons, including:

  • To steal and use your bandwidth
  • To store illegal files & malicious software on your web server
  • To incorporate your website into a bot network (used to conduct large-scale DDoS attacks and other types of hacking activities)
  • For black hat SEO techniques and unscrupulous link building
  • For Hacktivism purposes and/or to spread a particular political message
  • To force you into paying a ransom – a trend that’s risen by over 250% during the first few months of 2017 alone.
Common Types of WordPress Hacking

While there are all manner of ways for hackers to infiltrate your WordPress website, there are three main exploitations that tend to be used:

  1. Brute force attacks

With a brute force attack, a hacker will bombard your WordPress login page with password attempts until he or she is successful. Of course, the hacker doesn’t do this manually. One of the most popular types of brute force attack is a dictionary attack, which is where a hacker uses every word found in a dictionary to guess common passwords. This is scripted to fully automate the process. Scripted dictionary attacks enable the hacker to target many different sites at once, which is why they are a potentially very powerful technique.

  1. SQL injections

WordPress websites sit on top of databases, and if a hacker gains access to your site’s database, they can do pretty much anything they want. Something as simple as an unsecure website form or a search box/field can provide hackers with a gateway to your database.

The hacker will use certain words and symbols to change the behavior of said form/search box so that it returns information they can exploit. For example, instead of showing a list of blog posts, a search box could be leveraged to reveal username and password information.

  1. Outdated plugins/theme files

Plugins are great! They’re one of the highlights of using WordPress to power your website because they are so easy to use. In just a few minutes, you can have a plugin installed and working on your website that totally transforms any element – its look, functionality, security, responsiveness, etc. – the same goes for new themes.

However, plugins and themes are constantly being updated by the people who developed them, and it’s up to you to ensure you apply these updates as they’re made available. Failure to do so could lead to a hacker exploiting a plugin or theme vulnerability and gaining easy access to your site.

Security breaches often occur because of people’s lack of concern about securing their website – a culture of “it won’t happen to us, we’ll be okay.”

Tell-Tale Signs That Your WordPress Site Has Been Hacked

A lot of the time, website owners don’t even know their sites have been hacked! That’s because unless your website has been obviously defaced, the hacks are often subtle and silently working in the background.

Here are a few tips to help spot if your site has been hacked:

  1. Keep an audit trail.

A good indicator of a hacked WordPress website is unusual user account activity. The creation of new users, password changes on existing user accounts and user role changes are all tell-tale signs. Fortunately, there are plugins out there that can keep an eye on this for you and provide you with an audit log to track any changes.

  1. Conduct frequent malware scans.

You should scan your website for viruses and malware in the same way you do your computer. Don’t worry if you’re not sure what you’re doing. The free version of Sucuri SiteCheck allows you to scan your website against a list of known problems and vulnerabilities to see if it’s been hacked. It checks for malware infections and notifies you if your core software files are out of date.

  1. Monitor your bandwidth utilization.

Chances are your website bandwidth utilization doesn’t really fluctuate that much from month-to-month. So if you suddenly see an abnormal spike in traffic, it could be a warning sign that something untoward is going on.

  1. Look for notifications in Google Webmaster Tools.

Hopefully, you’ve already added your website to Google Webmaster Tools (if not, why not!?). Apart from the SEO benefits, Google Webmaster Tools also reports back if it thinks your site has been compromised – you can configure email notifications for this, too.

And what Google thinks really, really matters! That’s because hacked websites often get tagged as such in the search engine results pages (SERPs).

“This site may be hacked.” How bad does that look? Imagine if it was your website! What a damaging badge for your website to wear.

How To Fix A Hacked WordPress Website

If you suspect your site has been hacked, Google recommends (in short) that you:

  • Take it offline – just temporarily while you get the issues fixed.
  • Assess the damage – determine the extent of the hack so you can decide on the best course of action.
  • Work on recovering it – a fresh installation is usually the safest option and will stand you in the best stead going forward.
  • Get it back online – ask Google to review your site’s status and then keep an eye on things going forward.

Not confident tackling it on your own? Get in touch with a reputable provider that can work with you through the process, and help get your web presence up and running once more.

How To Secure Your WordPress Website Going Forward

Fortunately, once your website is back online, there are a number of simple ways to ensure it’s safer going forward. Ways that give you complete peace of mind in its consistent stability.

  1. Use strong passwords.

If you use the default WordPress username and password, you’re asking for trouble. Change both to something much more obscure and harder to compromise. Dictionary attacks can crack common words, so mix things up with numbers, symbols and upper case letters.

  1. Keep everything updated.

When your WordPress dashboard tells you there are updates available, take note. Plugin developers and WordPress gurus release updates to add new features AND improve security – especially if a new threat has been identified recently.

  1. Install a backup solution.

There are a number of plugins that enable you to take regular backups of your website and its core files. These can be invaluable if you’re ever faced with reinstalling everything from scratch – especially if you’ve got your site configured just how you want it.

  1. Utilize security plugins.

Security plugins search your website files and database looking for signs that either may have fallen victim to hackers. WordFence, Better WP Security and Sucuri Security are three such plugins that will make your WordPress website considerably more secure.

  1. Enable a web application firewall.

A web application firewall will block any potentially dangerous traffic from ever reaching your website in the first place. It is positioned between your website and the Internet, and is a great tool for preventing against SQL injection-type attacks.

  1. Take advantage of expert security service providers.

If you don’t feel confident tackling WordPress security on your own or would rather just leave it to someone else, consider taking advantage of a tailored security service from a reputable provider.