If you are wondering why your wordpress site keeps getting hacked, or why you’re being targeted by hackers, we’ve compiled some of the top reasons for you. WordPress is one of the most commonly used Content Management Systems across the modern web. Currently over 445 million websites are utilizing WordPress. With a make up of over 40% of sites on the web utilizing WordPress to some extent, it’s only expected for bad actors to take advantage of its popularity.
An attacker first tries to gather as much information as possible about a particular set of sites on a host or CMS. Once they’ve identified a target, they’ll proceed to exploit it by any means necessary, and then work to sustain the attack.
There are multiple methods of how WordPress sites are successfully hacked which we’ll elaborate on further, but many site owners wonder why they were a target of one of these attacks in the first place. The main reason is usually money, either directly or as part of a larger plan. Any method in which an attacker can make an economic gain is one of the driving factors opportunists turn to hacking methods.
For instance, an attacker can inject your site with a malware that utilizes a drive-by-download, so when visitors access the site they’re advised to download a fake piece of software which can infect their local system, and provide an attacker with full access.
There’s also credit card theft which is the most profitable kind of attack, and SEO spam campaigns where attackers prop up shoddy pharma and essay writing sites.
Another reason is based on hacktivism, which mainly targets political or religious organizations. Or simply, just boredom.
Predictable Login Credentials
A common type of attack known as a Brute Force Attack takes advantage of unprotected access to the wp-admin directory. This administrative panel gives users access to various actions that can be used on a WordPress website.
These types of attacks utilize password attempting tools which use a list of leaked passwords, attempting to predict any weak ones that may have been used. This can be used not only with wp-admin, but also the web host control panel, FTP accounts, SQL databases, or any email associated with the WordPress admin or the hosting account.
With such a wide variety of options for a hacker to choose from here, it’s important to never use a username such as “admin.” You should use additional security to access the WordPress admin section, such as enabling 2FA or requiring an additional password.
It’s also always important to use strong passwords for all users on the site. If you implement a Web Application Firewall, this layer of protection can also block any requests made to wp-admin, only permitting IPs from an Allowlist.
Insecure Hosting Environment
Some hosting providers offer inexpensive services, which may seem like a great deal. However, sometimes the cost savings come at the expense of the platform’s security.. At the very least, a hosting provider should be regularly monitoring their network, updating software, and limiting access to their infrastructure. Providing SSL support and additional security services such as monitoring and firewall will help as well.
If finding a reasonably priced, secure hosting provider seems a bit strenuous, a lot of WordPress users enjoy Managed WordPress Hosting. It’s essentially a concierge service where all technical aspects, such as backups, load time, scalability, uptime, etc. are managed by the host.
Different hosting providers interpret the word “managed” in different ways, so you will want to clarify with your prospective host the extent to which they will actually “manage” your environment.
Incorrect File Permissions and Plain FTP
File Permissions are a set of rules your web server uses to control access to the site’s files. If file permissions are set incorrectly, this can allow bad actors to write and execute things they’re not supposed to. By default, all WordPress files should be set to a value of 644, and folders should be set to 755. Anything above this is considered a higher risk to a site’s security. For a properly secured environment, the server PHP process needs to be isolated to the user that owns the files for the website.
File Transfer Protocol accounts (FTP) are used to upload, change, and delete files and folders from a web server. Most hosts will provide FTP, SFTP, or SSH connections to choose from. If your password is sent over port 21 (using FTP), it is unencrypted, which can put you at risk of being spied on and having your credentials stolen. Instead, using a Secure File Transfer Protocol (SFTP) or SSH is much safer.
Out-of-date CMS version, themes, and plugins
Outdated WordPress versions, themes, and plugins are a common culprit for infections. The older a version becomes, the more vulnerable a site is. One of the primary reasons updates are released is for bug fixes and security vulnerabilities. If you’re choosing to ignore these updates, an attacker can exploit this. If updating these things seems too time consuming, there’s always the option to enable them automatically.
Some site owners worry updates may break their site. If this is the case, there are backup services that can run before the update, and if something breaks, you can revert back to the previous version for tuntil site revisions are made.
Vulnerable themes and plugins
As we always say in the security industry, nothing is 100% secure. This includes even the most popular themes and plugins that exist. Keeping note of how often the plugin or theme developer releases patch notes is very important. Sometimes developers will abandon ship and that plugin/theme will be left in the wild, regularly exploited.
In one of my recent articles I discuss the most interesting vulnerabilities found in 2021. Some of these vulnerabilities mentioned were found with the CMS version or plugins/extensions.
It’s always important to keep plugins and themes up-to-date as much as possible, and also utilizing them to a minimum. The more third-party integrations exist, the more points of entry can be exploited. You should also never download plugins or themes from any unreliable sources, as they can be used to compromise your site’s security, or even steal sensitive data.
Accessing the wp-config.php file
The wp-config.php contains sensitive login credentials that are used to log in to the WordPress database. Most hosting environments block remote database administration, unless the requesting IP is allowed through cPanel/WHM. The details within wp-config.php are still very sensitive and best kept protected. Adding an extra layer of protection by denying access to this file is helpful in mitigating security risks. In order for this to work, add the following code to the .htaccess file:
<files wp-config.php> order allow,deny deny from all </files>
Once this has been added and saved, you should be okay.
In Conclusion
WordPress is one of the most popular CMSs out there for good reason. It allows a site owner to tweak a site beyond what an average website builder is capable of, and provide visitors with a visually appealing experience on their site. Like most things, convenience can come with risks, so it’s always important to consider both. From my personal experience, I’ve seen an array of WordPress vulnerabilities from site owners being too trigger-happy with the “install” buttons on their dashboard, to predictable users and configurations.
We’ve discussed some of the most common culprits when it comes to WordPress infections, and I hope you find them helpful. In one of our previous posts, I discuss what you should do if your WordPress site is hacked, and tips for better site protection moving forward.
Luke Leal
Joe Larson
Pilar Garcia
Tony Perez
Art Martori
Ben Martin
Krasimir Konov
Peter Gramantik
Rianna MacLeod