WordPress Flaws and Vulnerabilities

How A WordPress Website Gets Hacked

There are many ways to hack a WordPress website, and pirates already know them better than anyone else. But do you know them too? Do you know what you need to be protected against?

It’s important to learn how a website can be broken into and stolen, and how intruders can take your place.

Here are some stats from our clients since 2010:

  • 60% of hacked people don’t even know what happened,
  • 25% of pirates exploited a vulnerability in a plugin or theme,
  • 6.5% came in with your password, found by brute-force,
  • 3% used a flaw in a WordPress core that was not updated,
  • 1.5% got hacked because of their host provider,
  • 0.6% of websites still had old installation files,
  • 0.5% because of bad file permissions (chmod),
  • 0.5% because of a stolen password (without brute-force),
  • 0.4% for other reasons like a computer without antivirus, answering a phishing mail, outdated server software or FTP software, etc.

Hacking Statistics since 6 years

Don’t Know What Happened

This is sadly common: for more than half of hacked WordPress websites (61%), the source of the issue is not clear. It’s even difficult to know how it happened, where the entry point is, where the hints are, who did it and why. Webmasters were simply victims of hackers hacking websites.

In those cases, the work needed to find out the reasons for the hack is too big and too expensive for a client to pay for.

And if it happens to you one day, I recommend that you don’t waste your time: what happened is really bad, but use that time to secure your website instead of doing this useless investigation.

A Plugin or Theme is Vulnerable

Without plugins or themes, WordPress wouldn’t be what it is today. We all need these additional components so that every website can answer a need. The number of plugins grows every day, and everybody can be an author, regardless of their development skills.

Keep Up to Date

The first thing to know about plugins and themes is to keep them up to date. We always say that, but it’s very important; don’t forget the goal of updates: correcting bugs, adding new features, but also patching security vulnerabilities!

SecuPress can tell you with its scanner which plugins and themes are not up to date

Trust

Don’t rely on plugins that haven’t been updated for at least 2 years, nor on those without good support, or with too few downloads when the author isn’t known yet.

This trust has to be earned: it is possible that this plugin with 10 downloads by a new author is perfect, but wait until the community has built that trust.

Downloads

For free ones, prefer plugins from the official WordPress repository because they are reviewed at least minimally by Mika and Otto, who do a great job on that (see “How to Review a Plugin” on wordpress.tv).

If it’s a premium one (so it’s not in the repo), don’t try to find it using search engines, because they will find it on warez websites. This is the best way to get a hacked WordPress website.

What you’ve gained with this fake free product is nothing compared to what you’ll have to do, and pay, to get your website back on its legs again.

Uploads

With WordPress it’s possible to upload plugins from the admin area with a simple .zip file, and it’s done! But this file can contain any code and will still be installed. This is the best way to get a WordPress website hacked.

The best way to be secure is, again, to only use plugins from the repository, and for premium ones to upload them over a secure FTP (SFTP).

SecuPress disallows the .zip upload, possibly dangerous

Brute-Force on Passwords

Brute-force is a way to steal passwords, mainly short or weak ones like azerty or your birthday.

Usernames

Don’t use common usernames like admin or administrator, or even your usual name/nickname. To launch a brute-force more easily, the first thing an attacker wants is to know the login; if yours is complex like i_was_born_admin_in_1979%%% it’s more difficult to get in. Also create an email address dedicated to this admin account.

SecuPress disallows the usage of blacklisted usernames

Move the Login Page

By moving the login page, bots can’t even try to log in: blocked from the first try, they will stop by themselves, without any risk for you.

SecuPress moves the login page to avoid bots reaching it

Double Authentication

The best result is achieved with Double Authentication: even with the password, the attacker will still need a second layer of authentication, making your website impossible to hack.

SecuPress sends you a special link in your mailbox to log in
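The brute-force attempts described in this section leave a trace in the web server access log: many POST requests to wp-login.php from one client in a short time. The script below is an added example, not code from this post or from SecuPress; the log lines are constructed samples in the common log format, and the threshold of 5 is an arbitrary choice for the demo.

```sh
#!/bin/sh
# Added example (not SecuPress code): spot brute-force attempts on the WordPress
# login page by counting POST requests to wp-login.php per client IP in a web
# server access log. Sample lines below are constructed, in common log format.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2016:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1430
203.0.113.5 - - [10/Oct/2016:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1430
203.0.113.5 - - [10/Oct/2016:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1430
203.0.113.5 - - [10/Oct/2016:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1430
203.0.113.5 - - [10/Oct/2016:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1430
198.51.100.7 - - [10/Oct/2016:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1430
198.51.100.7 - - [10/Oct/2016:13:56:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [10/Oct/2016:13:57:00 +0000] "GET / HTTP/1.1" 200 8800'

# login_attempts LOGFILE THRESHOLD
# Prints "IP COUNT", highest count first, for every client that sent at least
# THRESHOLD POST requests to wp-login.php. Every POST is counted, whatever the
# status code: WordPress answers 200 on a failed login and 302 on success, so
# one 302 after many 200s from the same IP is worth a closer look.
login_attempts() {
    awk -v threshold="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= threshold) print ip, hits[ip] }
    ' "$1" | sort -k2,2nr
}

# Demo on the constructed sample: only 203.0.113.5 reaches the threshold of 5.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
login_attempts "$demo_log" 5
rm -f "$demo_log"
```

If the login page has been moved, the same count run against the old wp-login.php path shows how many bots are still knocking on a door that no longer opens.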

WordPress Flaw

Sometimes it happens: WordPress contains a vulnerability. The big advantage is that we usually hear about it when it’s already fixed, which makes WordPress the most secure CMS for us.

Now it’s up to you to stay up to date, once again. Without this update you take a huge risk, because the flaw is now disclosed, shared and known to everyone: pirates can now hack WordPress websites.

Host Providers Fault

It happens that the hack is not your fault but your host provider’s. The attacker used another way to sneak into your website: your host provider. You have to choose a good host provider known for its quality and security; I personally recommend SiteGround.

Old Files in WordPress

Did you know that since WordPress 2.0 some files have been deleted from the core? If your website is updated using the automatic installer, perfect. If, like me, you’re doing it using SFTP or git, you’re just copying files without any deletion, keeping the old files.

The issue is that those useless files can contain security flaws, which is why it’s important to delete them.

SecuPress detects and deletes old WP core files from older installations
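One way to find those leftovers yourself is to compare the deployed tree with a clean, freshly unpacked copy of the same WordPress version: anything in the core folders that the clean copy does not contain came from an older release. The script below is an added example, not the post’s or SecuPress’s code; it assumes REF is that clean copy, and the file names in the demo are constructed.

```sh
#!/bin/sh
# Added example (not SecuPress code): list files that exist in a deployed
# WordPress tree but not in a clean, freshly unpacked copy of the same version.
# This is how leftovers from older releases survive an SFTP or git overwrite.
# REF is assumed to be that clean copy; SITE is the live document root.

# stale_files REF SITE
# Prints site-relative paths present in SITE but absent from REF. Site-specific
# content (wp-content/, wp-config.php, .htaccess) is skipped on purpose.
stale_files() {
    ref_list=$(mktemp); site_list=$(mktemp)
    ( cd "$1" && find . -type f | LC_ALL=C sort ) > "$ref_list"
    ( cd "$2" && find . -type f ! -path './wp-content/*' \
        ! -name wp-config.php ! -name .htaccess | LC_ALL=C sort ) > "$site_list"
    LC_ALL=C comm -13 "$ref_list" "$site_list" | sed 's|^\./||'
    rm -f "$ref_list" "$site_list"
}

# Demo on two constructed trees; "legacy-helper.php" stands in for a file that
# an older release shipped and the current one no longer contains.
ref=$(mktemp -d); site=$(mktemp -d)
mkdir -p "$ref/wp-includes" "$site/wp-includes" "$site/wp-content/plugins"
for f in wp-login.php wp-includes/version.php; do : > "$ref/$f"; : > "$site/$f"; done
: > "$site/wp-includes/legacy-helper.php"     # leftover from an older install
: > "$site/wp-content/plugins/hello.php"      # site content, ignored
: > "$site/wp-config.php"                     # site config, ignored
stale_files "$ref" "$site"                    # prints wp-includes/legacy-helper.php
rm -rf "$ref" "$site"
```

Review the list before deleting anything: a file the clean copy lacks may also be one you added yourself at the document root.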

Bad Files Permissions

Files and folders have permissions: reading, writing and execution, alone or in any combination. I’m talking here about chmod, the UNIX command you may have heard of, which changes the perms on files.

It’s dangerous to use the 0777 value because it allows everything to everyone: read, write and execute at the same time. Correct values would be 0644 for files and 0755 for folders.

SecuPress tells you which files and folders don’t have the correct permissions
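To check a tree against the 0644/0755 values given above, and to spot the 0777 case, the script below is an added example (not the post’s or SecuPress’s code); the demo tree it builds in a temporary directory is constructed.

```sh
#!/bin/sh
# Added example (not SecuPress code): check a WordPress tree against the modes
# the article recommends, 0644 for files and 0755 for folders, and repair them.

# check_wp_perms ROOT
# Prints "<file|dir> <symbolic-mode> <path>" for every entry whose mode differs
# from the recommended one; prints nothing when the tree is clean.
check_wp_perms() {
    {
        find "$1" -type f ! -perm 0644 -exec sh -c \
            'for p; do printf "file %s %s\n" "$(ls -ld "$p" | cut -c2-10)" "$p"; done' sh {} +
        find "$1" -type d ! -perm 0755 -exec sh -c \
            'for p; do printf "dir %s %s\n" "$(ls -ld "$p" | cut -c2-10)" "$p"; done' sh {} +
    } | LC_ALL=C sort
}

# world_writable ROOT
# The 0777 case from the article: anything writable by every user on the host
# (-perm -002 means "the other-write bit is set", whatever the rest of the mode).
world_writable() {
    find "$1" -perm -002 | LC_ALL=C sort
}

# fix_wp_perms ROOT
# Applies the recommended modes. Folders first so the files inside stay reachable.
fix_wp_perms() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
}

# Demo on a constructed tree in a temporary directory.
demo=$(mktemp -d) && chmod 0755 "$demo"
mkdir "$demo/wp-content" && chmod 0777 "$demo/wp-content"         # too open
: > "$demo/wp-config.php" && chmod 0777 "$demo/wp-config.php"     # too open
: > "$demo/index.php" && chmod 0644 "$demo/index.php"             # fine
echo "Before fix:"; check_wp_perms "$demo"
fix_wp_perms "$demo"
echo "After fix:"; check_wp_perms "$demo"                         # prints nothing
rm -rf "$demo"
```

Whether WordPress can still write to the tree afterwards (core updates, uploads) depends on who owns the files, not only on these modes: 0644 and 0755 give write access to the owning user only.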

Stolen Passwords

Here it’s your turn: you have to use a strong password. We already talked about that; I invite you to read our post on strong passwords again.

Also, if you have members, it would be great to make sure they’re using strong passwords.

SecuPress can force your users to set strong passwords

Tips

A quick list of security tips, because you also have to care about less visible things like:

  • Use an antivirus on your computer,
  • Don’t use unknown networks, especially in train stations or restaurants,
  • Don’t share your admin account,
  • Don’t answer emails asking for personal information,
  • Use secure FTP (SFTP) or SSH instead of plain FTP,
  • Log out of your admin account when the job’s done.

 

What about you, have you already experienced the hack of a WordPress website?

Stay tuned for more

1 comment

Hi,
Regarding the file permissions, after the SecuPress autofix, WP core can’t be updated from the Dashboard. Is this intentional or some bug?
