WordPress has become a common target for malicious hackers because it is easy to break into. Just last year over 170,000 WordPress blogs and websites were hacked, and for 2013 the number of hacked WordPress sites is expected to increase even more.
Why is it so when WordPress itself is a very secure platform? Let’s have a look at some statistics from last year’s incidents and learn from them so your WordPress is not the next target.
Learning from WordPress Hacking Facts
Below are the statistics from the 117,000 hacked WordPress sites reported during last year. I am using the word “reported” because not all website hacks are reported and made public. Typically the number of defaced and hacked WordPress blogs and websites is much bigger.
41% where hacked via their hosting provider. This means that the hackers exploited a vulnerability, or took advantage of insecure hosting provider configuration to be able to hack into the WordPress blogs and websites hosted by the vulnerable hosting provider.
29% where hacked via a vulnerability in the WordPress theme they were using. This means a hacker identified a vulnerability in a theme that was installed on the WordPress installation and by exploiting it, the attacker managed to gain access to the WordPress website.
22% where hacked via a vulnerability in a plugin that was installed on WordPress. The same as above, this means that a hacker exploited a vulnerability in an installed plugin.
8% where hacked because an account on that WordPress installation was using a weak password.
How to Hack a WordPress Website
After looking at the facts, let’s see how easy it is to hack a WordPress blog or website using a free tool called WPScan. WPScan is a black box WordPress vulnerability scanner; it can scan a WordPress website and identify known issues and insecure configurations. By launching a default WordPress security scan with WPScan against a WordPress site you will instantly find out the following:
- Which version of WordPress is runnning
- Which theme is installed, its version and the path where it is installed
- Which plugins are installed , their version and the path where they are installed
With WPScan you can also run several other advanced scans, such as a WordPress user enumeration scans where the scanner will identify and enumerate all usernames on the target WordPress website. This makes it easier for the attacker to launch a WordPress password brute force attack.
Thanks to these simple scans which only take a couple of minutes, a malicious hacker can:
- Login to your WordPress and gain admin access if any of your accounts were using a weak password
- Exploit a known vulnerability in WordPress if you are running an old version of WordPress to gain access to your website
- Exploit a known vulnerability in any of your WordPress plugins and themes if you are not running the latest versions.
As seen above it is really easy to identify problems within a WordPress installation, and maybe hack it. But then again, this is not a realistic scenario. Typically malicious hackers have automated tools that check a range of websites for known vulnerabilities and if any are flagged they are broken into. So in reality it is even easier than you think to hack a WordPress blog or website.
What Can Happen During a WordPress Hack Attack
Once a malicious hacker manages to gain access to a WordPress blog or website, he or she typically makes any of the following changes and more to try to hide the traces and retain access to the WordPress installation:
- Create a new account with admin privileges
- Reset a password of several accounts to ensure other users cannot regain access to their WordPress
- Change the role of an existing dormant account
- Change the content to inject it with malicious code
- Tamper WordPress source code files with malicious code such as backdoors
- Make redirects in htaccess files
If your database has been impacted, there are plugins to clean up WordPress databases.
How to Protect WordPress from Hack Attacks
As we have just seen, hacking a WordPress is very easy, and the good news is, so is securing it. By looking back and learning from the facts, here are some easy tips to get you started and improve the security of your WordPress website:
- Before choosing or changing the hosting provider make some basic research; check forums etc and see what other people, fellow bloggers and WordPress administrators think of the hosting provider you would like to use.
- Before installing a WordPress theme or plugin make some research and ensure that they are frequently updated and legit. Follow the guide How to Choose the Best Plugin for WordPress for more information about choosing the right and a secure WordPress plugins and themes.
- Remove or rename the WordPress default administrator account. If you are not sure how, follow this How to Change a WordPress username guide.
- Use strong passwords. By strong passwords I mean it should be at least 8 characters long, should not be a dictionary word or your dog’s name, should contain both upper case and lower case letters, numbers and special characters such as !,&, ?
- Keep your WordPress, plugins, themes and any other software you use UP TO DATE by always using the latest available version and by always applying the latest security patches provided by the vendor.
- Monitor the activity of your WordPress website and users with a security plugin such as WP Security Audit Log plugin. This plugin is similar to the Windows Event Log or Syslog on Linux/Unix; it logs all type of activity on your WordPress blog or website.
By following all of the tips above, the security of your WordPress will be drastically improved and your WordPress will be protected against the most common widespread attacks.
Taking WordPress Security a Step Further
There are several other things you can do to further improve the security of your WordPress. As already explained, the above are just the basics and should protect your WordPress from the most common widespread attacks, but if you have the budget and if your WordPress is the hub of your business, it is recommended to further beef up the security of your WordPress to ensure you are also protected from targeted attacks. For example you can implement two factor authentication on your WordPress, protect your wp-admin from zero days vulnerabilities with HTTP authentication, or follow an online WordPress security course. Frequent professional WordPress security audits are also recommended to ensure that your WordPress has no security holes that could be exploited by malicious attackers.
Keeping Up with WordPress Security
Security is not a one time thing or process, it is a never ending process. The things you do now and in the future might and will affect the security of your WordPress. But don’t fret, although it sounds like a daunting task that will haunt you forever, as you can see it is not rocket science. Strictly speaking, most of it is common sense.