Recently we have experienced more security threats and cyber attacks against our websites. For all our clients' websites, we have downloaded and used the security application Wordfence and trialed another paid application, SiteLock. Both have pros and cons, and different cost structures and functions. This article, which we sourced from Wordfence, gives you an introduction to security with some basic concepts:
- Who is attacking your WordPress website
- Why they attack and
- How the attacks are carried out.
Why do we use WordPress to build websites?
WordPress is the most popular publishing platform in the world. It runs over 24% of all websites worldwide. WordPress is also open source. What this means is that the code that runs WordPress is visible to everyone. Because it powers so many websites, it has become a target for hackers who want to infect or control websites.
1. Who is Attacking my WordPress Site?
In general there are three entities that attack WordPress sites:
- Humans: This is a person sitting at a keyboard manually probing and attacking a website.
- A Single Bot: This is a single automated program or script that a hacker is using to attack many sites in an automated way.
- A Botnet: This is a group of machines running programs that are coordinated from a central “command and control” server (C&C server) that are attacking many sites in an automated way.
Having an individual human manually attack your website is rare. We all like to think we’re special and that our site is interesting enough for someone to give us the kind of individual attention we deserve. The truth is that a very small percentage of websites are targeted individually and an even smaller number have a live human trying to break in.
However, if you are targeted by a person, the level of sophistication of the attack is far greater than when you are targeted by a robot. A human attacker is able to control the speed at which they gather information about your site to avoid tripping any intrusion detection. They can then try a few attacks while being careful to not alert you and the systems that protect your site. They see the results of each individual attempt and can make decisions about how to proceed based on these results.
Most attacks involving a live human target very important websites including defense contractors, sites that contain sensitive private data and those that are financially very lucrative to attack.
Bots and Botnets
Bots are programs written by hackers that target a large number of websites looking for vulnerabilities in well known software like WordPress. It is relatively easy to write a program that visits hundreds of thousands of websites quickly checking if they are running a version of WordPress with a known security hole and, when found, to hack into (exploit) the site using that security hole.
Bots can be an individual program running on a single machine or a large number of machines running multiple versions of the program all trying to hack into a huge number of sites in parallel – also called a “Botnet”.
The vast majority of attacks on WordPress websites are performed by robots. The good news is that these attacks are not as sophisticated as human attacks and are also more aggressive. This makes them easier to detect. The bad news is that if a zero day vulnerability emerges for WordPress or a well known theme or plugin, it can be exploited extremely quickly through these kinds of automated attacks leading to a large number of sites that are compromised.
Important to Note: Most attacks are performed by Bots or automated machines. Because bots are so fast and effective at attacking large numbers of sites, it is very important that you close known security holes on your WordPress website as quickly as you can.
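The point that aggressive bots are easier to detect than a careful human can be shown with a per-client request-rate check over web server access logs. This is an added example, not Wordfence's code; the log lines are constructed, and the threshold of 5 requests in 10 seconds is an assumed value to tune for your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Client IP and timestamp from a combined-format access log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def aggressive_clients(lines, max_requests=5, window_seconds=10):
    """Return the set of client IPs exceeding max_requests within any window."""
    recent = defaultdict(deque)  # ip -> request timestamps still inside the window
    flagged = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, stamp = m.groups()
        ts = datetime.strptime(stamp, TIME_FMT).timestamp()
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window_seconds:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) > max_requests:
            flagged.add(ip)
    return flagged


def sample_log():
    """Constructed log: one client sending a request every second, one every minute."""
    lines = []
    for i in range(8):
        lines.append(f'203.0.113.7 - - [10/Mar/2024:10:00:{i:02d} +0000] '
                     f'"GET /?p={i} HTTP/1.1" 404 0')
    for i in range(8):
        lines.append(f'198.51.100.20 - - [10/Mar/2024:10:{i:02d}:30 +0000] '
                     f'"GET /page-{i} HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    print(sorted(aggressive_clients(sample_log())))
```

Only the fast client is flagged; the slow one stays under the threshold, which is why rate checks catch bots but need other controls alongside them for low-and-slow activity.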
2. Why are they attacking my WordPress Site?
The goal of an attacker is to gain control of your WordPress website at an administrative level. This means that they can read all files and data in the database on your website. It also means they can modify files, make changes to the database and change the way your website behaves and the content it serves. They want to be able to do this for some of the following reasons:
- To send spam: To be able to send spam email from your website. Hackers can run scripts on your website that bulk email their targets once they control your site.
- To host malicious content and avoid filters: Hackers may use your site to host content like pornography, illegal drug sales or other spam content. Hosting bad content on a domain that does not yet have a bad reputation helps them avoid spam and other online filters.
- To steal your website data: To access and harvest the data on your website including your customer and member email addresses and names. Stealing thousands of email addresses of your website members provides hackers with new targets to send spam and malicious email to. You may also have other interesting data like personal member information that can be useful in identity theft and other malicious activities.
- To Spamvertize: To use your website to redirect traffic to another malicious or spam website. Including their own website in spam emails will land those emails in the spam folder if the website is known to be malicious. By including your website address in spam emails instead, the emails avoid spam filters. Then when someone who receives spam clicks on the link to your site, they are redirected to the malicious website. This is called ‘spamvertizing’.
- To attack other websites: Once your website has been compromised, a hacker can use your site to run bot attack scripts that hack into other websites. Your website may become part of a cluster of machines called a ‘botnet’ which is a large group of machines used for bulk malicious activity.
Important to Note: Once your site has been compromised it will very likely be used for malicious activity. This has a high probability of ruining your website reputation. It will be penalized in the search engine rankings and may be blocked by browser filters like Chrome and the Google Safe Browsing list. For this reason it is important to detect a hack early and fix it quickly.
3. How to Protect Yourself
It is probably clear at this point that to best protect yourself from attacks, it is very important to keep your website up-to-date and to keep abreast of the newest WordPress related vulnerabilities. This will allow you to update your site as soon as possible when a new vulnerability emerges. In cases where a zero day is announced, you will know to contact the vendor and work closely with them to find out when a fix will be released and apply that fix.
Intrusion detection and prevention software like Wordfence for WordPress also helps protect against common attacks. Wordfence also detects if your site has been compromised and, as you have learned, early detection is key to help preserve your online reputation. Wordfence also protects against common PHP attacks so that, even if you are running a vulnerable plugin and haven’t had a chance to upgrade yet, Wordfence will prevent that vulnerability from being exploited.
Here are a few key rules to observe to keep your site secure:
- Use strong passwords for all user accounts.
- Choose a reputable hosting provider where websites on shared servers are isolated from each other.
- Keep WordPress core, your themes and plugins up-to-date.
- Use an intrusion detection and prevention system like Wordfence as an additional layer of security.
- Remove all old and unmaintained web applications including old backups of the site from your website.
- Ensure there are no sensitive temporary files lying around on your website.
- Ensure there are no Subversion, Git or other repository files publicly accessible.
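The last three rules can be checked mechanically by walking the site's document root on the server. The script below is an added example, not part of Wordfence or the original article; the file-name patterns are assumed heuristics, and the sample tree it audits is constructed.

```python
import os
import re
import tempfile
from pathlib import Path

VCS_DIRS = {".git", ".svn", ".hg"}  # repository metadata directories
CORE_CONFIG = {"wp-config.php", "wp-config-sample.php"}  # names WordPress itself uses
# Assumed naming heuristics; extend them for your own backup and editor habits.
BACKUP_RE = re.compile(r"\.(zip|tar|gz|tgz|bz2|sql|bak|old|orig)$", re.I)
TEMP_RE = re.compile(r"(~|\.swp|\.swo|\.tmp|\.save)$", re.I)


def audit_docroot(docroot):
    """Return sorted (category, relative_path) findings under docroot."""
    root = Path(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in list(dirnames):
            if d in VCS_DIRS:
                findings.append(("repository", (rel_dir / d).as_posix()))
                dirnames.remove(d)  # report the directory once, do not descend
        for name in filenames:
            rel = (rel_dir / name).as_posix()
            if name.lower().startswith("wp-config") and name not in CORE_CONFIG:
                findings.append(("config-copy", rel))  # copy holding DB credentials
            elif TEMP_RE.search(name):
                findings.append(("temp-file", rel))
            elif BACKUP_RE.search(name):
                findings.append(("backup", rel))
    return sorted(findings)


def demo():
    """Audit a constructed sample tree (not a real site) and return the findings."""
    sample = ["wp-config.php", "wp-config-sample.php", "index.php",
              "wp-config.php.bak", "site-backup.zip", "wp-content/db.sql",
              "wp-content/themes/x/functions.php~", ".git/config"]
    with tempfile.TemporaryDirectory() as tmp:
        for rel in sample:
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("constructed sample\n")
        return audit_docroot(tmp)


if __name__ == "__main__":
    for category, path in demo():
        print(f"{category:12} {path}")
```

Findings are candidates for review rather than verdicts: an archive under the uploads folder may be legitimate, while anything in the `repository` or `config-copy` categories should be moved out of the web root.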
We hope this article has served as a helpful introduction to WordPress security.
We encourage all our clients to get the Wordfence premium version. Ask us to activate your premium license at US$3.25 per month.