58,701,915 WordPress sites in the wild. Due to its popularity, WordPress presents a large target.
Two primary types of malware attacks are aimed at WordPress: injections and backdoors.
Injections: your website code is injected with advertisements or links to another site, typically adult or pharmacy sites. This code is usually hidden from normal display and seen only by search engines, resulting in SEO poisoning for your site. Drive-by downloads such as fake virus-scanner adverts and iframes are also prevalent in this type of attack.
Backdoors: a successful attack places a shell script or backdoor on your server, allowing the attacker to access your site and run commands without needing to log in. Typically used to spread the infection to other sites on the server, gain remote control of the system, send mass spam email, or cause other mayhem.
How do they get in? Three common attack vectors.
Misconfigured host: the system/server your website resides on may be configured incorrectly and not follow best practices for limiting access, client separation, or blocking nefarious requests.
Stolen credentials: the attacker has no need to ‘hack’ in, as they have guessed or obtained your login and password. Attackers may log in via FTP to place files, or log in to your WordPress account to alter your setup as desired.
Outdated software: outdated versions of PHP, WordPress, themes or plugins may be vulnerable to certain types of attacks: cross-site scripting, MySQL injection, cross-site request forgery.
The overwhelming majority of all attacks are automated. It’s hard not to, but don’t take it personally.
Automated XSS (Cross Site Scripting) attacks jumped 69% in 3 months. [Firehost]
50% of all URLs scanned by Sucuri’s SiteCheck service have malware or general security issues. [Sucuri]
3,844,879 attacks blocked by the page.ly firewalls over a 15 day period.
- 88% HTTP Signature Violation
- 8% Custom Rule Violations
- 2% Unknown Request Method
- 2% XSS, CSRF, SQLi, Other
So you got hacked. Now what?
- STAY CALM.
- Alert your host. They should take care of this for you; if they don’t, find a new host.
- Start at all index.php files and move inward, inspecting each theme/plugin file for code that looks out of place.
- Restore from your backup.
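The “index.php inward” inspection can be seeded with a sweep for the indicator types this talk describes (hidden links and iframes, eval/base64 backdoors, command execution on request input). This is an added example, not part of the original slides; the pattern list and the sample WordPress tree it builds are constructed, and the output is a list of files to open and read, not a clean-up tool.

```shell
#!/bin/sh
# Added example: sweep a WordPress tree for files carrying common injection
# and backdoor indicators. Assumes POSIX sh, grep(1) with -r -l -E, mktemp(1).

# Constructed indicator patterns (extended regex, alternated with |):
#   eval(base64_decode( / eval(gzinflate(     obfuscated injected PHP
#   system|shell_exec|passthru($_GET/$_POST.. command execution on request input
#   <iframe ... width=0 / height=0            drive-by iframe injection
#   display:none ...><a                       hidden SEO-poison link blocks
WP_IOC_PATTERNS='eval\(base64_decode\(|eval\(gzinflate\(|(system|shell_exec|passthru)\(\$_(GET|POST|REQUEST|COOKIE)|<iframe[^>]*(width|height)=.?0|display:[[:space:]]*none[^>]*>[[:space:]]*<a'

# scan_wp_tree ROOT: print every PHP/HTML/JS file under ROOT that matches,
# one path per line, sorted. Uploads are scanned too: a PHP file there is
# itself suspicious.
scan_wp_tree() {
    grep -rlE --include='*.php' --include='*.html' --include='*.js' \
        "$WP_IOC_PATTERNS" "$1" 2>/dev/null | sort
}

# count_hits ROOT: number of flagged files, handy for a nightly cron summary.
count_hits() {
    scan_wp_tree "$1" | wc -l | tr -d ' '
}

# make_sample_tree: build a constructed mini WordPress tree in a temp dir
# (one clean core file, one theme footer with a hidden pharma link, one
# eval/base64 backdoor dropped into uploads) and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/themes/demo" "$d/wp-content/uploads"
    printf '<?php\necho "clean";\n' > "$d/wp-includes/clean.php"
    printf '<?php\n// constructed injected footer\n?>\n<div style="display:none"><a href="http://pharma.invalid/">buy</a></div>\n' \
        > "$d/wp-content/themes/demo/footer.php"
    printf '<?php\n// constructed backdoor\neval(base64_decode($_POST["c"]));\n' \
        > "$d/wp-content/uploads/image.php"
    echo "$d"
}
```

Run it against a real install with `scan_wp_tree /var/www/html` (path assumed); every path it prints deserves a manual read, and a zero count does not prove the site is clean.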
Nothing is 100% hack-proof, but you can make it more difficult.
Who you host with matters. If your site and your time are worth more than $5 to you, consider spending more than that to host it. Not every site needs an enterprise-grade security appliance in front of it, but every site owner should want that level of protection.
Take the time to learn the basics. There is a plethora of public information available to help lock down your site against common exploits. Least-privileged users, system configuration, ModSecurity: all are worth noting.
Firewalls are your best friend. One of the most effective ways of preventing an attack from pwning your site is stopping the attack from ever reaching your site. If your host does not run a legitimate firewall, look at services like CloudFlare or Incapsula.
password123 is not a legitimate password. Try a pass-phrase; research has shown a 3-word phrase to be easy to remember and very hard to crack. Ex: the blue bird. Use a password manager application like 1Password or LastPass.
Services exist to scan for damage and even clean up the mess. Sucuri, VaultPress and others were created specifically for this reason. Run your own servers? Look at applications like Maldetect and Savscan to sweep your file system for known malware signatures.
Back up all the things
The easiest and fastest way to recover from getting hacked is to restore from a clean backup. You should be backing up your files and database every night and keeping copies off site. That may not always be feasible, but for all that is right in the world, if you value your work you should back it up.
Is WordPress Secure? Absolutely.
Then why do WordPress sites get hacked? Proportion of sites + legacy hosts + vulnerable 3rd-party code
The number of sites running WordPress is huge in proportion to sites running similar applications, which gives the false appearance of greater vulnerability.
Plugins and themes are contributed by the public; some are not coded to best practices and many are the efforts of beginning/novice developers.
Legacy hosting companies are slow to adapt to the increasing severity of attacks, leaving their customers and systems vulnerable regardless of what application powers the website.