WordPress Security – An Infographic on common Malware and Attacks

Editor’s Note:
This post is from our archives, and not all content is still relevant.


WordPress Security Text:

WordPress Security

58,701,915 WordPress sites in the wild. Due to its popularity, WordPress presents a large target.

Two primary types of malware attacks are aimed at WordPress: injections and back doors.

Injections

Your website code is injected with advertisements or links to another site, typically adult or pharmacy sites. This code is usually hidden from normal display and seen only by search engines, resulting in SEO poisoning for your site. Drive-by downloads, like fake virus scanning tool adverts and iframes, are also prevalent in this type of attack.

Back Doors

A successful attack places a shell script or back door on your server, allowing the attacker to access your site and run commands without needing to log in. It is typically used to spread an infection to other sites on the server, gain remote control of the system, send mass spam email, or cause other mayhem.

How do they get in? Three common attack vectors.

Environment

The system/server your website resides on may be configured incorrectly and may not follow best practices for limiting access, client separation, or blocking nefarious requests.

Administration

The attacker has no need to ‘hack’ in as they have guessed or obtained your login and password. Attackers may log in via FTP to place files, or log in to your WordPress account to alter your setup as desired.

Vulnerabilities

Outdated versions of PHP, WordPress, themes or plugins may be vulnerable to certain types of attacks: Cross Site Scripting, MySQL Injection, Cross Site Request Forgery.

The overwhelmingly vast majority of all attacks are automated. It’s hard not to, but don’t take it personally.

Automated XSS (Cross Site Scripting) attacks jumped 69% in 3 months. [Firehost]

50% of all URLs scanned by Sucuri’s SiteCheck service have malware or general security issues. [Sucuri]

3,844,879 attacks blocked by the page.ly firewalls over a 15 day period.

  • 88% HTTP Signature Violation
  • 8% Custom Rule Violations
  • 2% Unknown Request Method
  • 2% XSS, CSRF, SQLi, Other

So you got hacked. Now what?

  • STAY CALM.
  • Alert your host. They should take care of this for you; if they don’t, find a new host.
  • Start at all index.php files and move inward, inspecting each theme/plugin file for code that looks out of place.
  • Restore from your backup.
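
The manual inspection step above (index.php files first, then inward through theme and plugin files) can be given a head start with a small scanner. This is an added example, not Pagely's code; the indicator patterns, function names and sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

INDICATORS = {  # heuristics assumed for this example, not a complete signature set
    "eval-of-decoded-data": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "hidden-iframe": re.compile(rb"<iframe[^>]*(display\s*:\s*none|(width|height)\s*=\s*[\"']?0)", re.I),
    "search-engine-cloaking": re.compile(rb"HTTP_USER_AGENT[^;]{0,200}(googlebot|bingbot)", re.I),
}

def scan_file(path, rel):
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = [name for name, rx in INDICATORS.items() if rx.search(data)]
    if "wp-content/uploads/" in rel:  # uploads hold media; PHP there is out of place
        reasons.append("php-in-uploads")
    return reasons

def triage(root):
    """Return [(relative_path, reasons)]: index.php files first, then shallow to deep."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                reasons = scan_file(os.path.join(dirpath, name), rel)
                if reasons:
                    findings.append((rel, reasons))
    findings.sort(key=lambda f: (os.path.basename(f[0]) != "index.php", f[0].count("/"), f[0]))
    return findings

SAMPLE = {  # constructed sample tree: harmless stand-ins for the patterns above
    "index.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); require 'wp-blog-header.php';",
    "wp-content/themes/demo/footer.php": b"<iframe src='http://ads.example.invalid/' width=0></iframe>",
    "wp-content/themes/demo/functions.php": b"<?php add_action('init', 'demo_setup');",
    "wp-content/uploads/2013/01/cache.php": b"<?php echo 'placeholder';",
}

def build_sample(root):
    for rel, body in SAMPLE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample(site)
        for rel, reasons in triage(site):
            print(rel, "->", ", ".join(reasons))
```

Matches are leads for manual review, not verdicts, and a scan with no matches does not show the site is clean.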

Nothing is 100% hack-proof, but you can make it more difficult.

Prevention

  • Who you host with matters. If your site and time are worth more than $5 to you, consider spending more than that to host it. Not every site needs an enterprise-grade security appliance in front of it, but every site owner should want that level of protection.
  • Take the time to learn the basics. There is a plethora of public information available to help lock down your site against common exploits. Least-privileged users, system configuration, ModSecurity: all are worth noting.
  • Firewalls are your best friend. One of the most effective ways of preventing an attack from pwning your site is stopping the attack from ever reaching your site. If your host does not run a legitimate firewall, look at services like CloudFlare or Incapsula.
  • password123 is not a legitimate password. Try a pass-phrase; research has shown a 3 word phrase to be easy to remember and very hard to crack. Ex: the blue bird. Use a password manager application like 1password or LastPass.

Detection

Services exist to scan for damage and even clean up the mess. Sucuri, VaultPress and others were created specifically for this reason. Run your own servers? Look at applications like Maldetect and Savscan to sweep your file system for known malware signatures.

Backup all the things

The easiest & fastest way to recover from getting hacked is to restore from a clean backup. You should be backing up your files and database every night and keeping copies off site. That may not always be feasible, but for all that is right in the world, if you value your work you should back it up.

Is WordPress Secure? Absolutely.

Then why do WordPress sites get hacked?

Proportion of sites + Legacy Hosts + Vulnerable 3rd party code

  • The number of sites running WordPress is huge in proportion to sites running similar applications. Therefore it gives the false appearance of greater vulnerability.
  • Plugins & themes are contributed by the public; some are not coded to best practices and many are the efforts of beginning/novice developers.
  • Legacy hosting companies are slow to adapt to the increasing severity of attacks, leaving their customers and systems vulnerable regardless of what application powers the website.

Credits

Pagely is Secure WordPress Hosting. Think of it like The Ritz Carlton meets Fort Knox. We secure and manage WordPress for thousands of customers and big brands you know and trust.

Some data provided by Sucuri. Malware detection, alerting, and cleanup for all manner of websites.

  1. Outstanding advice. Anyone who does not take this into their decision to post their WordPress website will be regretful, maybe not now, maybe not tomorrow, but before they’re done with that particular host they will be regretful. Having your website hacked can mean tens of thousands if not hundreds of thousands of dollars of damage, depending on size and type of your website. If we’re talking about an Amazon.com I can’t even imagine the number. However, if you make your living from an e-commerce website you should take it seriously, as it is your livelihood that’s in jeopardy. If you actually make your money on the web, there’s no excuse not to invest in security and speed.