Security Weekly

How do WordPress sites get hacked? (Part 1)


Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 2

Last week we talked about what motivates cyber criminals to automate attacks against websites to gain unauthorised access. Now, as we know what their motivations are, let’s look into how they do it.

As mentioned above, the majority of attacks against websites are completely automated. Attacks are often run against every known domain and IP, so the more common the weakness, the more websites the attackers are able to compromise.

This aligns well with the top two motivations we described last week: monetary gain and exposure. In both cases a single small website might not provide much monetary value or exposure, but thousands of websites together do.

How do WordPress sites get hacked?

There couldn't be better timing for this topic, as a dear member of the TAB community, Thomas J. Raef, released his research on this topic just last week. His research covered logs from over 4 million websites, and the conclusion is similar to what I covered on the Patchstack blog back in 2021. While the categories of attack vectors have remained similar, the volume of each changes over time.

Since I can't "fit" all of the reasons into a single post, let's focus on the most common reason first.

Compromised privileged accounts

Cybercriminals use all means possible to gain access to your WordPress administrator account. Once they have access, they can easily install a fake (or vulnerable) plugin to then upload malware.

These are the most common ways hackers gain access to WordPress admin accounts.

Session hijacking

After you've logged in to your website, it saves a session cookie in your browser. This lets you authenticate to the site again without having to log in. It's great for convenience (especially if you use 2FA), but it poses an equally great risk if that cookie leaks.

Since multi-factor/two-factor authentication (MFA/2FA) has become rather popular, and many services even force users to set it up, hackers have started looking for a better alternative to leaked usernames/passwords and brute-forcing.

For hackers, hijacking a session is much better: there is no need to log in, so 2FA is bypassed as well. To obtain session cookies, however, the hacker needs access to the device where the initial login happened.

This is also where cyber criminals cooperate. Criminals who focus on infecting devices (browsers, laptops, phones, etc.) install info-stealer malware, which collects as much valuable data as possible (such as session cookies). That data is then sold on different marketplaces.

Leaked credentials

Unfortunately, the majority of people still use the same email and password on different websites. Due to poor security practices, many of those websites also store this information in plaintext.

As soon as one of those websites is compromised, the hackers can access all your other accounts where the same username/email and password were used.

Such username/password "dumps" are among the most common things sold on different marketplaces. They have been used to gain access to many large companies. In fact, it's entirely possible that one of your old email/password combinations leaked years ago. You can check here: https://haveibeenpwned.com/

Brute force attacks

This is possibly one of the most widespread attacks (in volume), but at the same time it arguably has the lowest success rate. It's safe to say that brute force attacks are performed against every publicly available login page on the internet.

The bots set up to perform these attacks rely mostly on word lists. These include millions of combinations of made-up usernames and passwords. Many such word lists also include usernames and passwords that have been leaked, which are then mixed and matched into even more combinations.

Brute force attacks are very easy to identify, so they are mostly launched from a large network (botnet) of previously compromised websites to avoid being blocked by rate limiting.
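To show why a botnet defeats per-IP rate limiting while the attack itself stays easy to spot, here is an added detection example (not code from the original post or from Patchstack) that scans a constructed Apache-style access log: every bot IP makes only two login attempts, so a per-IP threshold never fires, but counting failed POSTs to wp-login.php site-wide in a sliding window exposes the burst. It assumes WordPress answers a failed login with a 200 (the form is re-rendered) and a successful one with a 302 redirect.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache combined-log excerpt (sample data, not a real capture):
# five bot IPs each POST to wp-login.php twice within one minute, plus one
# real login. Assumption: failed login -> 200, successful login -> 302.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Nov/2023:14:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2851
198.51.100.7 - - [30/Nov/2023:14:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2851
203.0.113.10 - - [30/Nov/2023:14:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2851
192.0.2.44 - - [30/Nov/2023:14:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2851
198.51.100.7 - - [30/Nov/2023:14:14:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2851
203.0.113.77 - - [30/Nov/2023:14:14:15 +0000] "POST /wp-login.php HTTP/1.1" 200 2851
192.0.2.44 - - [30/Nov/2023:14:14:18 +0000] "POST /wp-login.php HTTP/1.1" 200 2851
198.51.100.200 - - [30/Nov/2023:14:14:21 +0000] "POST /wp-login.php HTTP/1.1" 200 2851
203.0.113.77 - - [30/Nov/2023:14:14:24 +0000] "POST /wp-login.php HTTP/1.1" 200 2851
198.51.100.200 - - [30/Nov/2023:14:14:27 +0000] "POST /wp-login.php HTTP/1.1" 200 2851
192.0.2.9 - - [30/Nov/2023:14:15:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def failed_logins(log_text):
    """Return (ip, timestamp) for every failed POST to wp-login.php."""
    failed = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if (m and m['method'] == 'POST' and m['status'] == '200'
                and m['path'].startswith('/wp-login.php')):
            failed.append((m['ip'], datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')))
    return failed

def per_ip_offenders(failed, threshold):
    """IPs a per-source rate limiter would block: each IP alone must reach the threshold."""
    counts = Counter(ip for ip, _ in failed)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def peak_burst(failed, window_seconds):
    """Largest number of failed attempts in any sliding window, and how many IPs took part."""
    events = sorted(failed, key=lambda e: e[1])
    best, start = (0, 0), 0
    for end, (_, ts) in enumerate(events):
        while (ts - events[start][1]).total_seconds() > window_seconds:
            start += 1          # drop events that fell out of the window
        window = events[start:end + 1]
        if len(window) > best[0]:
            best = (len(window), len({ip for ip, _ in window}))
    return best
```

On the sample, `per_ip_offenders(failed, 5)` returns an empty list while `peak_burst(failed, 60)` reports 10 failures from 5 distinct IPs, which is the signal a site-wide (or per-account) threshold should alert on.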

Phishing

Another way hackers steal credentials is phishing. They set up an identical copy of the login page of the website they want access to, then use social engineering to trick an administrator into logging in via this fake page.

Phishing is very common, and compromised websites are often used to host phishing pages as well. In more targeted attacks, hackers may also register similar-looking domains to make it harder for administrators/users to spot the difference in the URL.

Conclusion

Think about the accounts that could give control over your website. That's not just the WordPress admin account, but also your hosting account, FTP/SFTP credentials, and perhaps even the WordPress management tool that lets you manage your website remotely.

Security starts with you, which means small everyday decisions play a significant role in how secure your website will be. If you're not careful with emails and links, and don't double-check what you download and run on your phone or computer, hackers might not even need to attack your website to take it over. Keep in mind that hackers always go after the lowest-hanging fruit first.

Next week, we'll dive into the second most common reason WordPress websites get hacked: software vulnerabilities.

PS! Don't worry: later in the series we'll also dive into methods and resources for protecting yourself (and your website) from such attacks.


Brought to you by:

Patchstack auto-mitigates security vulnerabilities found on WordPress core, plugins and themes. Patchstack is the leading vulnerability intelligence provider in the entire WordPress ecosystem and has the largest collection of vulnerability specific vPatch rules that provide precision protection without any performance hit nor false positives. Patchstack is the go-to security provider for many of the leading agencies such as 10up, Valet, SiteCare and others.
