
How Hackers Target WordPress Websites

These WordPress Security Advisory posts have been taking off lately. But, we'll admit it, we've really only been talking about specific flaws. There are so many different plugins, patches, and themes that have been riddled with vulnerabilities that it's narrowed our scope a bit. We in no way condone hacking, but you should know how easy it is to hack a WordPress website.

Today, we're going to talk broadly. We want to discuss how hackers are targeting your WordPress site, and talk about what holes your website might have that are allowing hackers to sneak their way through.

WordPress has a ton of weaknesses. We all know that. In fact, the WordPress team itself knows that. So, it's no surprise that WordPress websites have become a haven for hackers to inject malicious material into.

Here's how and why those hackers are penetrating WordPress websites.

WordPress Leaky Holes

Since WordPress is open-source, hackers have found multiple ways to get ahold of your website. Whether it's through plugins, themes, comments, brute force, or even WordPress's core itself, hackers have been finding thousands of ways into WordPress sites since its creation.


Plugins

If you follow our WordPress Security Advisory blog posts, you'll know that WordPress plugins and vulnerabilities are hackers' favorite combination (like a PB&J... with Spam.)

Of course, this presents a pretty significant issue. The whole entire purpose of WordPress's open-source nature is supposed to be that you get to use plugins (which saves WordPress a whole lot of time.)

But, what happens when those plugins are the most common source of malicious attacks against websites?

It's not a fun situation, and most of the time, the problem plugins come from one of three sources.

  1. The developers of the plugin purposefully put the malicious script into their plugin (more common than you think.)
  2. The plugin was a fake plugin to begin with.
  3. The plugin had an accidental vulnerability and was updated to a new version, but, because of the way that WordPress pushes updates, you were completely unaware that you needed to update yours.

WPScan has a database of over 11,000 WordPress vulnerabilities, of which 52% are directly related to plugins. That number grows, quite literally, daily, and you'll see tons of popular and niche plugins with vulnerabilities every week.

Plugin vulnerabilities present a huge problem for WordPress — one that they haven't been able to respond to.


Themes

Themes present another colossal source of WordPress vulnerabilities. Since WordPress doesn't focus on creating its own unique themes, users have to turn to theme companies to find themes that will fit snugly with their content.

The problem? There have been thousands of theme vulnerabilities to date — some of which were so severe that the themes were stripped from the marketplace.

This isn't just small-time themes that we're talking about here either. tagDiv themes (+100,000 downloads) were under fire this year for having a massive vulnerability that was leading to large-scale phishing campaigns.


Comments

Comments are one of the primary ways that hackers target your users. Spamming phishy links is just one of the many ways that hackers can use comments to inject malware into your website without hacking it.

Some website owners prefer to just wholly disable comments.

Brute Force

WordPress brute force campaigns are akin to legend. We are talking massive organized hacking campaigns that have tens of millions of attacks per hour.

Essentially, when hackers are brute forcing WordPress, they are using large pools of IP addresses to hammer your login with username and password guesses until they figure out which ones match.

While this problem has gone down somewhat, we were still seeing huge campaigns this year and last year.
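Both shapes of this traffic, one noisy address and many addresses that each send only a few guesses, show up in the web server access log. The sketch below is an added example, not code from the original post; it assumes the common "combined" log format, and the thresholds, function names and log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

def _line(ip, sec, status=200, method="POST"):
    """Build one constructed access-log line in 'combined' format."""
    return (f'{ip} - - [12/Mar/2024:10:{sec // 60:02d}:{sec % 60:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3120 "-" "Mozilla/5.0"')

# Constructed sample (documentation IP ranges), not real traffic.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", s) for s in range(6)]                # one IP, 6 failures at 10:00
    + [_line(f"198.51.100.{i}", 60 + i) for i in range(1, 9)]  # 8 IPs, 1 failure each at 10:01
    + [_line("192.0.2.10", 125, status=302)]                   # successful login
    + [_line("192.0.2.11", 130, method="GET")]                 # login page view
)

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def failed_logins(log_text):
    """Yield (minute, ip) for each POST to wp-login.php that did not redirect."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?")[0]
        # WordPress re-renders the form (200) on failure and redirects (302) on success.
        if m["method"] == "POST" and path == "/wp-login.php" and m["status"] != "302":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts.replace(second=0), m["ip"]

def detect(log_text, per_ip_limit=5, total_limit=8, min_ips=4):
    """Flag minutes with one noisy IP, or many IPs that together exceed total_limit."""
    buckets = defaultdict(Counter)  # minute -> Counter(ip -> failed attempts)
    for minute, ip in failed_logins(log_text):
        buckets[minute][ip] += 1
    alerts = []
    for minute, counts in sorted(buckets.items()):
        hhmm = minute.strftime("%H:%M")
        for ip, n in sorted(counts.items()):
            if n >= per_ip_limit:
                alerts.append(("single_ip", hhmm, ip, n))
        if sum(counts.values()) >= total_limit and len(counts) >= min_ips:
            alerts.append(("distributed", hhmm, len(counts), sum(counts.values())))
    return alerts
```

The second alert is the one a per-IP rate limit alone never raises: no address in that minute exceeds one attempt, yet the site still absorbs eight guesses.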

WordPress Core

This is probably the scariest type of WordPress attack there is, because you can't do anything about it.

Guess how many WordPress installations have been subject to vulnerabilities? Did you guess over 70%?

It's a big deal, and it doesn't seem to be getting any better. WordPress is currently in the middle of a massive vulnerability built into the WordPress core (PHP vulnerability) that is causing large-scale website hacks around the world.

WordPress can't seem to outmaneuver hackers, and every release that they put out seems to be subject to more vulnerabilities.

Why Do Hackers Want In?

Why do hackers want your website in the first place? What good does your site do for hackers? Well, here are the main reasons that hackers hack WordPress websites to begin with.

  • Spam - The primary target of most hackers is spam. They want to inject websites with malicious links to scam people out of money. Since your website is already trusted and it has a rank on Google, it's the perfect spam target for hackers.
  • Identity Theft - Some hackers are after something far more precious than spam links — your customers' information. If you run a website that processes customer information, hackers probably want it. Whether it's names, email addresses, credit cards, SSNs, or addresses, hackers can use all of this information for nefarious means.
  • Viruses - What's the point of hijacking a website just to give people a virus? What's the benefit? Well, as we detailed in our crypto-jacking post, some viruses and malware can hijack user resources to earn the hacker money, or even keylog customer information to get details (like credit card information.)
  • Credibility - Hackers may also take over your website to create content that links back to their site. If you have higher ranking credibility than they do, they can siphon some of your link juice to boost their own Google rankings.
  • Vandalism - Sometimes hackers just want to destroy things. Website vandalism is a growing problem. Hackers are hijacking websites simply to destroy them for fun.

How to Patch the Leaky Holes

When it comes to patching those leaky holes, there are a few things that you can do.

  1. Make sure that you update regularly.
  2. Thoroughly research themes and plugins before you download them.
  3. Keep up-to-date on every WordPress vulnerability.
  4. Pray that the next WordPress update doesn't have a core flaw that makes all of that effort meaningless.
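Steps 1 and 3 can be partly automated by comparing the installed plugin inventory against the fixed-in versions published in a vulnerability feed. This is an added example, not part of the original post: the inventory is constructed in the shape of `wp plugin list --format=json` output, and the advisory feed, plugin names and function names are hypothetical.

```python
import json
import re

# Constructed inventory, shaped like WP-CLI's `wp plugin list --format=json`.
INSTALLED_JSON = """[
  {"name": "example-forms",   "status": "active",   "update": "available", "version": "2.3.9"},
  {"name": "example-gallery", "status": "inactive", "update": "none",      "version": "1.10.0"},
  {"name": "example-seo",     "status": "active",   "update": "none",      "version": "4.1"}
]"""

# Hypothetical advisory feed: plugin slug -> [(title, fixed_in)]; None = no fix released.
ADVISORIES = {
    "example-forms": [("Constructed advisory A", "2.4.0")],
    "example-gallery": [("Constructed advisory B", "1.9.2"),
                        ("Constructed advisory C", None)],
}

def vkey(version):
    """'1.10.0' -> (1, 10, 0). Handles plain dotted numeric versions only."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def older(installed, fixed_in):
    """True if installed < fixed_in, comparing numerically with zero padding."""
    a, b = vkey(installed), vkey(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def audit(installed_json, advisories):
    """Return (plugin, installed_version, advisory, action) for every open issue."""
    findings = []
    for plugin in json.loads(installed_json):
        # Inactive plugins are audited too: their files are still on the server.
        for title, fixed_in in advisories.get(plugin["name"], []):
            if fixed_in is None:
                action = "no fix released: remove or replace"
            elif older(plugin["version"], fixed_in):
                action = f"update to {fixed_in} or later"
            else:
                continue  # installed version already contains the fix
            findings.append((plugin["name"], plugin["version"], title, action))
    return findings
```

Comparing versions as numbers matters here: as plain strings "1.10.0" sorts before "1.9.2", which would wrongly report the already-patched gallery plugin as vulnerable to advisory B.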

What to Do?

As always, we'll keep you up-to-date on any changes in the WordPress cybersecurity world. Make sure to check out the full WordPress Security Advisory series if you have a WordPress website. This series will help you understand the current security environment of WordPress, and also alert you to any significant vulnerabilities that are happening.

There is no cure for open-source CMS security issues, and it can be difficult to maneuver your way around all of these security issues while still focusing on SEO, content, and your customers.

We know your website is important to you, so we urge all of you to either invest in more cybersecurity elements (which can be expensive and time-consuming) going forward or switch to a CMS that understands how important security is to you and your visitors.