In general, there are three entities that attack WordPress sites:
- Humans: This is a person sitting at a keyboard manually probing and attacking a website.
- A Single Bot: This is a single automated program or script that a hacker is using to attack many sites in an automated way.
- A Botnet: This is a group of machines running programs that are coordinated from a central “command and control” server (C&C server) that are attacking many sites in an automated way.
The goal of an attacker is to gain control of your WordPress website at an administrative level. This means that they can read all files and data in the database on your website. It also means they can modify files, make changes to the database and change the way your website behaves and the content it serves. They want to be able to do this for some of the following reasons:
- To send spam: To be able to send spam email from your website. Once hackers control your site, they can run scripts on it that bulk email their targets.
- To host malicious content and avoid filters: Hackers may use your site to host content like pornography, illegal drug sales or other spam content. Hosting bad content on a domain that does not yet have a bad reputation helps them avoid spam and other online filters.
- To steal your website data: To access and harvest the data on your website, including your customer and member email addresses and names. Stealing thousands of email addresses of your website members provides hackers with new targets to send spam and malicious email to. You may also have other interesting data, like personal member information, that can be useful in identity theft and other malicious activities.
- To Spamvertize: To use your website to redirect traffic to another malicious or spam website. Including their own website in spam emails will land those emails in the spam folder if the website is known to be malicious. By including your website address in spam emails instead, the emails avoid spam filters. Then, when someone who receives the spam clicks on the link to your site, they are redirected to the malicious website. This is called 'spamvertizing'.
- To attack other websites: Once your website has been compromised, a hacker can use your site to run bot attack scripts that hack into other websites. Your website may become part of a cluster of machines called a 'botnet', a large group of compromised machines used for bulk malicious activity.
Reconnaissance (or 'recon')
During this information-gathering phase, an attacker will want to learn useful information about your website that tells them what vulnerabilities may exist for them to exploit. The two most important things they want to learn are what kind of software your website is running and which versions of that software.
The reason this is useful is that there are many databases available on the Net that list versions of software and the vulnerabilities associated with each. For example, if a hacker can determine that you are running WordPress and that the version of WordPress you are using is 4.2.2, then they know that your website has a critical cross-site scripting vulnerability that they can exploit. If they see you are running a newer version, they can save time by simply not even trying to exploit that vulnerability. They also avoid detection by not exploiting vulnerabilities that don't exist on your server.
Exploitation
Exploitation is the act of actually hacking into a website. When you consider that there are large databases of vulnerabilities listed by software type and the version available online and that these contain full technical detail on how to exploit a vulnerability, exploitation seems like the easy part of attacking a site. Finding sites to attack and identifying vulnerable software on the site that is exploitable, the reconnaissance phase, is most of the work.
When a WordPress site is attacked, there are several main entry points or attack 'vectors' that are used:
- Your login page: This is the most common form of attack targeting WordPress. This is where most password guessing attacks or 'brute force' attacks take place. Attackers have automated bots that try to guess your website password by repeatedly trying to sign in on your WordPress login page.
- PHP code on your site: This is the second most common form of attack targeting WordPress. Attackers will try to exploit vulnerabilities in PHP code running on your WordPress site. This includes the code in WordPress core, your themes, your plugins and any other application you are running. The ways PHP code is exploited are wide and varied.
- Privilege escalation: Another popular vector an attacker might use is to gain access to your site using a normal user account with no privileged access. If you have registration enabled on your website, they can simply register to get an account. Privilege escalation involves using the access granted by that account and a software flaw to gain a higher level of access like 'admin'.
- Old or unmaintained web applications: You may be doing a great job of keeping your WordPress website secure and in this case, an attacker will look for other older and unmaintained web applications on your website that are vulnerable. If they can gain access via these applications, they can modify your WordPress files and infect your website, even though you have kept WordPress itself secure.
- XMLRPC Service: This service can allow an attacker to perform password guessing attacks. It has had other vulnerabilities in the past that allowed attackers to target other websites via your site. However, it is important to not disable this service or you may lose important site functionality.
- Access via Temporary Files: When editing files on your website using tools like 'vim', temporary files may be created that contain sensitive login information. For example, editing the 'wp-config.php' file may create a publicly readable temporary file that contains your database login credentials. Attackers look for these files in the hope of finding sensitive information that will help them gain access.
- Source Code Repository Config Files: The 'git' and 'Subversion' source control tools create directories and files that can contain sensitive information. If you leave these files publicly accessible an attacker can use the data in the files and directories to gain access to your site or to help with recon. There have also been cases where a website owner will store their source code on GitHub or another publicly accessible repository and this is a gold mine for attackers looking for sensitive info to help with recon or exploitation.
- Attacks via shared hosting: Most low-cost website hosting plans place websites in shared environments. The security in these environments varies, and among reputable web hosts it is generally good. However, you may be in a shared environment where it's possible to set permissions on your website files that give someone else on the same machine 'read' or 'read and write' access to those files. If this occurs and someone who has access to your shared environment is malicious, they can use the 'read' permissions to read files like your 'wp-config.php' file and gain access to your database and all your member data. They can use 'write' permissions to drop malicious code or files onto your website, which will then be executed and give them full access to your site and its data.
- Attacks via the Web Server and Operating System: Your file permissions and PHP code may be secure, but your web server itself may have vulnerabilities that can be exploited, like the Heartbleed vulnerability. You may also have vulnerabilities in the operating system that hosts your web server and website, like the ShellShock vulnerability. In a shared or managed hosting environment it is usually the responsibility of your hosting provider to keep these systems patched. You usually don't have access to patch them yourself. However, if you are running a self-hosted website on a provider like ucartz, then it is your responsibility and in addition to maintaining all your PHP code and web applications, you need to ensure that your operating system and all of its services are secure.
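The login-page and XMLRPC vectors above are the ones a site owner can spot in the web server's access log. The following is an added example, not code from the original article or from any product it mentions: it parses constructed Apache-style log lines and flags any client IP that POSTs to wp-login.php or xmlrpc.php at least a threshold number of times within a sliding one-minute window. The sample IPs, timestamps and the threshold are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}  # both accept credentials via POST

def parse_login_post(line):
    """Return (ip, timestamp) for a POST to a login endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, _status = m.groups()
    if method != "POST" or path.split("?", 1)[0] not in LOGIN_PATHS:
        return None
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each IP to its peak number of login POSTs in any `window`; keep IPs reaching `threshold`."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        hit = parse_login_post(line)
        if hit:
            attempts[hit[0]].append(hit[1])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def _line(ip, hms, method, path):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return f'{ip} - - [10/Oct/2023:{hms} +0000] "{method} {path} HTTP/1.1" 200 4123 "-" "Mozilla/5.0"'

# Constructed sample: one IP hammering the login page, one normal user logging in
# once, and one IP guessing passwords through XML-RPC.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"13:55:{s:02d}", "POST", "/wp-login.php") for s in range(0, 30, 5)]
    + [_line("198.51.100.23", "13:55:10", "GET", "/wp-login.php"),
       _line("198.51.100.23", "13:55:12", "POST", "/wp-login.php")]
    + [_line("192.0.2.9", f"14:00:{s:02d}", "POST", "/xmlrpc.php?rsd") for s in range(0, 50, 10)]
)
```

Flagged IPs are candidates for rate limiting or temporary blocking; a botnet spreads attempts across many IPs, so also watch the total failure count per user name.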
A few key rules to observe to keep your website secure:
- Use strong passwords for all user accounts.
- Choose a reputable hosting provider where websites on shared servers are isolated from each other.
- Keep WordPress core, your themes and plugins up-to-date.
- Use an intrusion detection and prevention system like ucartz as an additional layer of security.
- Remove all old and unmaintained web applications including old backups of the site from your website.
- Ensure there are no sensitive temporary files lying around on your website.
- Ensure there are no subversion, git or other repository files publicly accessible.
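A small audit covering the last three items of that list (old backups, leftover editor temporary files, publicly reachable source-control directories) plus a wp-config.php readable by other tenants of a shared host. This is an added example, not the article's or any provider's tooling; the file names it looks for and the demo directory it builds are assumptions, constructed for illustration.

```python
import os
import stat
import tempfile

# Leftovers that commonly leak secrets or source when reachable over the web.
TEMP_SUFFIXES = ("~", ".swp", ".swo", ".orig", ".save", ".bak")
BACKUP_EXTS = (".zip", ".tar", ".tar.gz", ".tgz", ".sql", ".old")
REPO_DIRS = {".git", ".svn", ".hg"}

def audit_webroot(root):
    """Walk `root` and return (path, reason) findings for the checklist items above."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in REPO_DIRS:
                findings.append((os.path.join(dirpath, d), "source-control directory inside the webroot"))
                dirnames.remove(d)  # no need to descend into the repository metadata
        for f in filenames:
            path = os.path.join(dirpath, f)
            if f.endswith(TEMP_SUFFIXES):
                findings.append((path, "editor temporary or backup copy of a file"))
            elif f.endswith(BACKUP_EXTS):
                findings.append((path, "old backup or archive left in the webroot"))
            if f == "wp-config.php":
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if mode & (stat.S_IRGRP | stat.S_IROTH):
                    findings.append((path, "readable by group/others (mode %o)" % mode))
    return findings

def build_demo_webroot(leave_mistakes=True):
    """Create a constructed throw-away webroot: with leave_mistakes=True it contains
    the leftovers the checklist warns about, otherwise a clean, hardened layout."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    names = ["wp-config.php"]
    if leave_mistakes:
        os.makedirs(os.path.join(root, ".git"))
        names += ["wp-config.php~", ".wp-config.php.swp", "site-backup-2023.zip"]
    for name in names:
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php // constructed placeholder, not a real config\n")
    # 0644 is the common mistake on shared hosts; 0600 keeps other tenants out.
    os.chmod(os.path.join(root, "wp-config.php"), 0o644 if leave_mistakes else 0o600)
    return root
```

Run audit_webroot against the document root of a real site and expect an empty list; anything it returns should be deleted or moved outside the webroot.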