WordPress sites are often compromised by hackers who exploit vulnerabilities. In fact, there are around 90,000 attacks on WordPress sites every minute.
If
they’re successful, they can use the website to run all kinds of
malicious activities – steal customer data, sell illegal products, send
spam emails (read – phishing hack), dupe customers into downloading malware, using black hat SEO techniques to rank their own products (read – pharma hack), insert backdoors – the list goes on.
For
a website owner, getting hacked is not just bad news, it’s a nightmare!
And it can happen to any site – big or small. It’s interesting to note
that smaller sites think that hackers won’t come after them. But in
reality, such sites are easy targets and are preferred by hackers.
If your site gets hacked,
you have much to lose. Your customers won’t trust your site anymore,
your sales and revenue will take a hit, and you could even be blacklisted by Google, and suspended by your WordPress web host.
If
all this has you worried about your site’s security, we’ve got you
covered. In this article, we’ll get behind the psychology of hackers and
understand the ways in which they hack websites. After that, we’ll
cover ways to neutralize them as well.
TL;DR
Hackers have a legion of hacking methods at their disposal using which they’ll try and gain access to your site. Use MalCare Hack Prevention Plugin
to keep hackers at bay. MalCare will proactively defend your site
against hackers, alert you of any intrusion, and help you remove any
kind of infection.
Before we begin to show you how and why hackers hack sites, you need to understand the structure of your WordPress website.
It is made up of files and a database. WordPress files mostly contain
all the settings and configurations, while the database stores all the
data of posts, comments, users and a bunch of other things.
Both elements are required to generate the frontend of your website. But both can also be exploited by hackers.
First, let’s take a look at how hackers get inside WordPress sites.
Note:
This is not a guide on how to hack a WordPress website. It is an
educative article to show you how hackers can exploit vulnerabilities to
hack your site. That said, let’s begin.
6 Common Vulnerabilities That Enable Hackers To Hack WordPress Sites
To hack a website, it should have a point of vulnerability. We’ve listed out the common vulnerabilities found in WordPress websites:
1. Running Outdated WordPress Installation
Around 44% of hacked WordPress websites
were running on outdated installations according to a 2018 report. As a
website owner, you will see frequent updates available to the WordPress
installation, like so:
Usually,
updates carry new features, bug fixes, or resolve incompatibility
issues. Sometimes, they also carry WordPress security patches. This
means if a security flaw was found in the software, the developers
quickly fix it and release an update that will remove the flaw.
Once
released, the presence of a wp security flaw is made known to the
public. Hackers then seek out websites that haven’t updated, find the
flaw, and use it to hack into the site.
So if you choose not to
update your WordPress installation, then you haven’t installed the new
security features and you’ve given your website on a platter to the
hackers.
Always keep your WordPress website updated.
Tip:
Security patches are rolled out as minor updates. You can tell if it’s a
major update if it’s V5.2 or V5.3. A minor update would be V5.2.1, for
example. By default, minor updates are automatic, but you can turn it
off. We recommend keeping the auto-updates option turned on for minor
updates.
Besides keeping your plugins, themes, and core updated, we strongly suggest that you keep your WordPress salts and security keys updated.
2. Using Weak Credentials
Another common point of entry for hackers is weak credentials. Hackers use a method called brute force attacks where
they program bots to scan them for WordPress sites on the internet and
attempt different combinations of usernames and passwords to break into
the website.
If you’ve left your login name as ‘admin’, they’re
already one step closer to gaining access to your site. However, if
you’ve used common passwords like ‘password123’, then it’s easy for them
to guess it. These bots can make thousands, if not millions of hacking attempts in just a second (recommended read – WordPress login page protection guide).
We recommend changing the password to a passphrase in combination with numbers and symbols to make your password strong as ever like so:
3. Having Pirated Themes Installed
Premium
themes are attractive and we’d all love to have a great theme for our
website to make it unique. Many times website owners fall prey to free,
cracked or pirated versions of these themes. Such themes from unreliable
sources can carry pre-installed malware. By installing it on your
WordPress website, you also install the malware. This opens the door to
hackers. We’ve detailed how this happens later.
Always
download themes only from reputable sources such as the WordPress
repository or marketplaces like ThemeForest and ThemeTrust.
4. Using Vulnerable plugins
Hackers
are constantly on the prowl to find gaps in the security of plugins. If
they find one, they’ll scan the internet for WordPress sites that have
the plugin installed. This enables them to hack into thousands of
websites in a matter of minutes.
Many times, especially with free
plugins, developers may find that they can’t maintain it any more and
abandon the plugin. (This can also happen with themes). In these cases,
the security of the plugin will lapse and having it installed on your
site poses a threat.
Download plugins only from trusted
sources such as the WordPress repository or CodeCanyon. Regularly delete
WordPress plugins and themes you don’t use any more. Check the status
of the plugins you do use to see if they’re being updated and maintained
by the developer.
5. Using Insecure Local System
Sometimes,
it may be your computer itself that’s not secure. If someone hacks into
your system, they can easily access your WordPress site because in most
cases, the wp-admin is already logged in and open.
This can happen if you don’t have a firewall or anti-malware tool installed on your system.
It’s
recommended that you never use a public computer or public unsecured
wifi connection on your local system which you use to run your WordPress
website. Always keep malware detection tools active on your site.
6. Using Poor Web Hosting Service
While
choosing a hosting plan, we tend to look for the cheapest one. But the
cheapest doesn’t always guarantee good security measures.
Shared
servers may be cheaper but they also put your site at risk. You can’t
tell which sites you share a web server with and whether they’ve
implemented security protocols. If they get hacked, there are chances
the malware infection can spread to your site as well.
There are
also times when website hosts are compromised which means all websites
on the hosting platform are exposed for hackers to exploit.”
Before choosing a web host, read up on what they offer and what customers have to say about them. This will help you get a good idea of which web host to choose.
To
find a vulnerable site, hackers create their own bots or use free
vulnerability scanners available online to comb through the internet.
When they find one, they’ll exploit the security flaw it has (like the
ones mentioned above) to get access to the files or database of the
WordPress website.
Then, they inject code that will execute
malicious activities such as sending spam emails, selling illegal
products, etc. They also inject code to create new user accounts or WordPress backdoors that will help them regain access to your site any time they want.
[Back to Top ↑]
How to Hack a WordPress Site?
There are innumerable ways to hack into a WordPress site. Here, we’ll discuss two of the most common ways hackers inject code into your website to create a new user login:
I. Through Files (Pre-Installed Malware in a Pirated Theme)
As
we discussed earlier, many WordPress site owners fall prey to pirated
themes. You get all the features for free! But such software can have a
script to create a new login ID. Once you install the theme, the new
user account gets created and the hacker can simply log into your website from WordPress admin.
We’re
going to show you how you can create a new user account on your
WordPress website using your theme file. This will help you understand
how pirated themes help a hacker get access to your site.
Tip: This can also come in handy if you’re locked out of your wp-admin but still have access to your web hosting account.
Caution:
Going behind the scenes of a WordPress site is a risky affair. It’s best to do this on a test or staging site. If you choose to do it on your live site, please ensure you take a reliable backup. In case something goes wrong, you can restore your WordPress backup.
Step 1: Login to your WordPress hosting account. Go to cPanel and access the File Manager.
You can also access files through an FTP client like FileZilla using FTP credentials.
Step 2: Your WordPress files usually reside in a folder called public_html. Inside it, you can access wp_content/themes.
Step 3: Here, you need to choose the active theme on your website and edit the functions.php.
Step 4: Copy
and paste the following code at the end of the file. (If there is a
closing tag like so ?>, make sure the code comes on the line before
this.)
[php]$new_user_email = ’email@example.com’;
$new_user_password = ‘password’;
if(!username_exists($new_user_email)) {
$user_id = wp_create_user($new_user_email, $new_user_password, $new_user_email);
wp_update_user(array(‘ID’
=>
$user_id, ‘nickname’
=>
$new_user_email));
$user = new WP_User($user_id);
$user->set_role(‘administrator’);
}
[/php]Edit
the first two lines to the email and password of your choice. Once you
save the file and open your website, the code will run and you can log
in using these new credentials.
We hope now you understand that
when you install a pirated theme if it has this block of code, a new
user account will be created. All the hacker has to do is enter the
credentials and log in.
II. Through Database – SQL Injection
This is another one of the most common reasons why WordPress sites get hacked. To begin, you need to know two things about SQL injections:
- WordPress uses MySQL as the default database system.
- In order to generate the frontend of a website, WordPress uses SQL queries to pull data from the database.
We
don’t have to worry about what this is or the details of it for now.
What you need to know is that this database is accessible only through
cPanel > phpMyAdmin. But hackers find ways to access it without using
cPanel. One of the most common ways hackers contact a site’s database
is through vulnerable forms on a website.
A form is any
element where text can be entered such as the WordPress login bar,
contact form, WordPress blog comments, subscription pops, checkout
pages, and the site search bar.
Instead of entering the
details asked in the form, the hacker would enter their malicious SQL
commands. As all information entered into the form gets stored in your
database, this malicious code will find its way in.
To explain how this happens, we’re going to show you how to create a new user account using your database.
→ Creating New User Account Through Database
Step 1: Access cPanel and open phpMyAdmin > Databases.
Step 2: Here,
you’ll see a list of databases. You need to select your database. (If
you don’t know your database name, you can find out this information in
your wp-config, like so).
We’ve selected the database according to the name in the wp-config file.
Step 3: Next,
from the tables that populate on the right panel, you need to find the
table that ends in _users (It will most likely be named wp_users).
Step 4: Here, you can click on ‘Insert’.
Step 5: It will open up the following screen where you can enter the user login name, password, email and display name.
Step 6: Next, click on ‘Go’ and your changes will be saved. Now you can login to WordPress using the new credentials.
The
same can be done by inserting a block of SQL code into the database.
Similar to the pirated theme, once the code enters the database, it will
run and a new user will be created. We can think of it as a hacker
simply creating their own door in your home and walking right in.
[Back to Top ↑]
How To Stop Hackers From Hacking Your Website?
There are four main steps you need to take in order to make your site secure enough to keep hackers at bay:
1. Install a WordPress Security Plugin
Every WordPress website needs a security plugin such as MalCare. Protect your WordPress site
with such a plugin that will scan the website regularly. It will spot
any suspicious activity, block malicious traffic and keep hackers out.
In the event a hacker does get in, you’ll be alerted immediately and you
can clean your website instantly before they can do any damage.
2. Install an SSL certificate
This
certificate will provide your website with data encryption. What this
means is that when someone visits your website, data is transferred
between their computer and your website’s server.
If it is
transferred in plain text, sometimes hackers who are lurking around can
grab that data. They can read it, steal it or modify it to their liking.
But if its encrypted, even if a hacker gets a hold of it, they won’t be able to decipher it.
You
can get an SSL certificate from your web host or from an SSL provider.
If you’re worried about spending too much on a certificate, providers
like LetsEncrypt offer free SSL.
To learn how to install an SSL certificate, take a look at this guide – Moving HTTP to HTTPS.
3. Fix Known Vulnerabilities
As
we mentioned earlier, there are common vulnerabilities in WordPress. We
recommend that you take the following measures to minimize
vulnerabilities.
- Updating WordPress and its themes and plugins must be top priority.
- Ensure you always use strong login credentials to avoid brute forcing attacks.
- Regularly delete unused themes and plugins
- Never
ever use pirated themes and plugins. Always download such software from
trusted sources like the WordPress repository, CodeCanyon or
ThemeForest.
- Use a reliable web hosting service provider.
- Keep your local computer protected by installing anti-malware software.
4. Harden Your WordPress Site
WordPress
recommends that every website on their platform takes certain steps to
harden their sites. Some of these measures include:
- Keep an active WordPress firewall.
This will help block Limiting the number of login attempts. Every user
gets only three chances to enter the credentials correctly, after which
they will have to opt for ‘Forgot password’ or contact the admin. You
can use the same MalCare plugin to implement this step.
- Disabling plugin installations
in case you have multiple users working on the website. You would want
to ensure no one installs a plugin freely without checking if they are
reliable and trustworthy to have your site. This can be done manually by
editing a file called wp-config.php in your WordPress install. You can
also use the MalCare plugin for this.
- Implementing 2-factor authentication
to verify the person logging in. This is done by sending a one-time
password to the registered mobile or email, or by using apps like Google
Authenticator that generate a real-time password every 30 seconds.
There are many more ways in which you can harden your website. It’s recommended to implement these steps as per your website’s requirements.
Besides that, you can take a few more security measures. We strongly suggest following this guide – Secure Your WordPress Site With wp-config.php.
[Back to Top ↑]
Final Thoughts
We
hope this article has given you a better understanding of how
vulnerabilities can appear on your website and how hackers get in.
Hackers aren’t biased and will target just about any site. If your site
is vulnerable, there’s a really good chance that you’ll be hacked.
So
to sum up, we recommend minimizing vulnerabilities, installing a
security plugin and hardening your website so that hackers don’t stand a
chance of getting into your website.
