WordPress – a honeypot for hackers

WordPress is a tool for creating and managing websites. It was created in 2003 as a simple tool for managing a blog or very simple website.

A Forbes report in Dec 2016 estimated that there are 75 million sites or about 25% of all sites on the internet using WordPress. (https://www.forbes.com/sites/montymunford/2016/12/22/how-wordpress-ate-the-internet-in-2016-and-the-world-in-2017/#53eae82a199d)

Security has become a major issue as cybercrime activity continues to increase.

So it’s not surprising that the topic of WordPress Security is an important one.

To understand WordPress security issues, you do need to know a little about how WordPress works and is used.

WordPress is distributed free of charge under an open-source licence (the GPL): the code remains copyrighted by its contributors, but anyone may use, modify and redistribute it. (There is also a commercially hosted version which is related but not the subject of this discussion.)

The core WordPress code is deliberately minimal: it provides user accounts and login, posts, pages, comments and media uploads, plus the hooks that plugins and themes attach to, and very little else.

Common website functionality such as:

  • Social media integration
  • SEO tools
  • e-Commerce
  • Feedback forms
  • Mailing lists
  • Image galleries and slideshows and sliders
  • Video content
  • Advanced membership options

are not provided by WordPress.

But the developers of WordPress did make a very smart architectural decision early on – they made it possible, and quite easy, for third-party developers to build ‘plugins’ that add functionality and ‘themes’ that change how WordPress looks.

While the scope of the WordPress core has stayed narrow since it was created, there are now an estimated 47,000 WordPress plugins (https://torquemag.io/2016/10/13-surprising-wordpress-statistics-updated-2016/)

So WordPress is promoted, and seen, as a simple way for non-technical people to build a website with thousands of features available.

This has given rise to a “wild west” of developers creating plugins and millions of users with little or no technical skill installing and using WordPress and its plugins.

Many of the people using WordPress are small business owners or bloggers who have no technical skills, and even many of the agencies that build WordPress sites for their customers are designers who have very basic technical skills. The vast majority of people using WordPress simply don’t have the skills necessary to identify vulnerability issues or resolve them.

Hackers know this and see WordPress as the perfect target.

Recent stats from just one WordPress firewall system recorded 130 million attacks in July 2017 (https://www.wordfence.com/blog/2017/08/july-2017-wordpress-attack-report/)

Why do hackers want your site?

I often hear people say “there is nothing valuable in my site, nobody would want to hack it”. But that is not correct.

Hackers are rarely interested in what is on your site. Very few attacks target a specific site for its content.

They hack WordPress sites so that they can use your hosting account and domain for their own activities. Attackers want anonymity and distance from the authorities, so they run their operations from servers and domains that are not tied to their identity, and a hacked site gives them exactly that.

Hackers are parasites – they go to quite some effort to make sure that you don’t know your site has been hacked. In many cases they leave your site and all its content running smoothly. Their aim is to break in, install their own code, and then run other attacks from your domain: hosting phishing pages, running bots and sending bulk mail.

For this reason, in many of the intrusions that I have been called in to investigate, I find out from logs that it actually took place many months or even years before.

In most cases the site owner learns of the intrusion because Google blocks the site or the hosting company suspends it for odd activity, not because they discovered the intrusion themselves.

Plugins are the primary source of vulnerability

The massive number of plugins has contributed to the incredible success of WordPress, but it is also the source of the major security issues for WordPress.

The quality of these plugins varies dramatically, is generally uncontrolled and is extremely difficult to measure. The large majority of publicly disclosed WordPress vulnerabilities are in plugins and themes rather than in the core.

Probably the most famous case was the 2016 Panama Papers breach of the law firm Mossack Fonseca (https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/), which led to the resignation of the Prime Minister of Iceland and implicated associates of Russian President Putin and British Prime Minister David Cameron. The firm’s site was running an outdated version of a plugin called “Revolution Slider”, which added slide-show functionality.

Some plugins are developed by highly skilled teams and they are maintained constantly with regular updates and improvements to plug security holes. But the vast majority of the plugins are poorly written and poorly or never maintained.

Hackers know this and they have automated their attacking procedures. They have developed bots that scan the internet for WordPress sites, then scan the WordPress sites for known weaknesses.
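As an added example (not code from the article), here is the passive fingerprinting step those bots perform, written in Python: it decides whether a page is WordPress, reads the core version from the generator tag, lists plugin slugs and version hints from asset URLs, and reads the `Stable tag:` line from a plugin’s public readme.txt. The HTML and readme are constructed; the plugin slugs are real public ones but the host and the version numbers are invented. Run it against a site you own to see what it leaks.

```python
"""Passive WordPress fingerprinting from page HTML (added example)."""
import json
import re
import sys
from urllib.request import Request, urlopen

# Constructed front page.  The plugin slugs are real public ones; the host,
# the core version and the plugin versions are invented for the demo.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.8.1" />
<link rel='stylesheet' href='https://example.test/wp-content/plugins/revslider/public/assets/css/settings.css?ver=5.4.5' />
<script src='https://example.test/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=4.9'></script>
<script src='https://example.test/wp-content/plugins/contact-form-7/includes/js/jquery.form.min.js?ver=3.51.0-2014.06.20'></script>
<link rel='stylesheet' href='/wp-content/themes/twentyseventeen/style.css?ver=4.8.1' />
<link rel="https://api.w.org/" href="https://example.test/wp-json/" />
</head><body></body></html>"""

# Constructed readme.txt, as served from /wp-content/plugins/<slug>/readme.txt.
SAMPLE_README = "=== Contact Form 7 ===\nTested up to: 4.8\nStable tag: 4.9\n"

GENERATOR = re.compile(
    r"""<meta\s+name=["']generator["']\s+content=["']WordPress(?:\s+([0-9][0-9.]*))?""", re.I)
PLUGIN_ASSET = re.compile(
    r"""/wp-content/plugins/(?P<slug>[A-Za-z0-9_.-]+)/[^'"\s?]*(?:\?ver=(?P<ver>[^'"\s&]+))?""")
STABLE_TAG = re.compile(r"^\s*Stable tag:\s*(\S+)", re.I | re.M)
MARKERS = ("/wp-content/", "/wp-includes/", "/wp-json/", "wp-emoji-release")


def is_wordpress(html):
    """True if the page carries any of the usual WordPress fingerprints."""
    return bool(GENERATOR.search(html)) or any(m in html for m in MARKERS)


def core_version(html):
    """Core version from the generator meta tag, or None if absent/stripped."""
    m = GENERATOR.search(html)
    return m.group(1) if m and m.group(1) else None


def enumerate_plugins(html):
    """Map plugin slug -> sorted list of ?ver= values seen on its assets.

    ?ver= is only a hint: when a plugin enqueues an asset without a version,
    WordPress stamps the core version on it, and bundled libraries carry
    their own numbers (the jquery.form line above)."""
    found = {}
    for m in PLUGIN_ASSET.finditer(html):
        versions = found.setdefault(m.group("slug"), set())
        if m.group("ver"):
            versions.add(m.group("ver"))
    return {slug: sorted(v) for slug, v in found.items()}


def readme_version(readme_text):
    """'Stable tag:' from readme.txt, the usual way scanners confirm a version."""
    m = STABLE_TAG.search(readme_text)
    return m.group(1) if m else None


def report(html):
    return {"wordpress": is_wordpress(html),
            "core_version": core_version(html),
            "plugins": enumerate_plugins(html)}


def fetch_html(url, timeout=10):
    """Fetch a page; only point this at sites you own or are authorised to test."""
    req = Request(url, headers={"User-Agent": "wp-exposure-check/1.0"})
    with urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


if __name__ == "__main__":
    page = fetch_html(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HTML
    print(json.dumps(report(page), indent=2))
    print("readme.txt Stable tag:", readme_version(SAMPLE_README))
```

Removing the generator tag (`remove_action('wp_head', 'wp_generator')` in a theme) hides the core version, but the asset paths still reveal every plugin and readme.txt still reveals its version. Hiding does not help much; keeping the plugins updated does.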

Poor user practice is the second source

The other very common source of vulnerability in WordPress is poor security practice by users. Common mistakes include:

  • leaving installer or migration scripts behind after setting up the site
  • keeping the default ‘admin’ username
  • using short or reused passwords
  • not removing logins when staff leave
  • giving users more permissions than their role needs

Attackers use automated tools to brute-force passwords. No software vulnerability is needed, just a guessable password and a login page that accepts unlimited attempts, which is what a stock WordPress install provides.

I host many WordPress sites and it is very common to see server logs showing 30,000 login attempts per day on a standard WordPress site.

Bots scanning WordPress sites account for over 90% of all traffic on our servers.

Brute Force attacks account for about 85% of all attacks (https://www.wordfence.com/blog/2017/08/july-2017-wordpress-attack-report/)
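The login-protection rule that a firewall plugin implements can be reproduced from a plain web-server log. As an added example (not code from the article or from any product), this Python script reads combined-format access-log lines and reports, per client address, the login, password-reset, xmlrpc.php and `?author=` activity. The log lines are constructed for the demo and use RFC 5737 test addresses; the thresholds are assumptions to tune for your site.

```python
"""Brute-force and enumeration detection over access logs (added example)."""
import re
import sys
from collections import defaultdict

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _line(ip, sec, request, status):
    """Build one constructed combined-format log line (demo data only)."""
    return (f'{ip} - - [21/Jul/2017:03:14:{sec:02d} +0000] '
            f'"{request} HTTP/1.1" {status} 1024 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    # 203.0.113.7: enumerates the first author's username, then hammers the
    # login form; the final 302 means a password finally worked.
    [_line("203.0.113.7", 0, "GET /?author=1", 301)]
    + [_line("203.0.113.7", 1 + i, "POST /wp-login.php", 200) for i in range(12)]
    + [_line("203.0.113.7", 13, "POST /wp-login.php", 302)]
    # 198.51.100.23: guesses through xmlrpc.php, where every attempt returns
    # 200 and system.multicall packs many guesses into one request.
    + [_line("198.51.100.23", 20 + i, "POST /xmlrpc.php", 200) for i in range(25)]
    # 192.0.2.10: one legitimate login.  192.0.2.55: one password reset.
    + [_line("192.0.2.10", 50, "POST /wp-login.php", 302),
       _line("192.0.2.10", 51, "GET /wp-admin/", 200),
       _line("192.0.2.55", 55, "POST /wp-login.php?action=lostpassword", 302)]
)


def parse_line(line):
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarise(lines):
    """Per-IP counters.  wp-login.php answers a failed POST with 200 (the form
    is re-rendered with an error) and a successful one with a 302 to wp-admin,
    which is what lets a plain access log tell the two apart."""
    stats = defaultdict(lambda: {"failed_logins": 0, "successful_logins": 0,
                                 "reset_requests": 0, "xmlrpc_posts": 0,
                                 "author_probes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        path, _, query = rec["path"].partition("?")
        if rec["method"] == "POST" and path == "/wp-login.php":
            if "action=lostpassword" in query:
                s["reset_requests"] += 1
            elif rec["status"] == 302:
                s["successful_logins"] += 1
            elif rec["status"] == 200:
                s["failed_logins"] += 1
        elif rec["method"] == "POST" and path == "/xmlrpc.php":
            s["xmlrpc_posts"] += 1
        elif "author=" in query and rec["status"] in (301, 302):
            # /?author=N redirects to /author/<username>/, leaking the login name
            s["author_probes"] += 1
    return dict(stats)


def findings(stats, login_threshold=10, reset_threshold=5, xmlrpc_threshold=10):
    """Turn counters into (ip, severity, reason); thresholds are assumptions."""
    out = []
    for ip, s in sorted(stats.items()):
        if s["failed_logins"] >= login_threshold:
            if s["successful_logins"]:
                out.append((ip, "CRITICAL",
                            f"{s['failed_logins']} failed logins then a success: treat as compromised"))
            else:
                out.append((ip, "HIGH", f"{s['failed_logins']} failed logins"))
        if s["xmlrpc_posts"] >= xmlrpc_threshold:
            out.append((ip, "HIGH", f"{s['xmlrpc_posts']} POSTs to xmlrpc.php"))
        if s["reset_requests"] >= reset_threshold:
            out.append((ip, "MEDIUM", f"{s['reset_requests']} password-reset requests"))
        if s["author_probes"]:
            out.append((ip, "MEDIUM", f"{s['author_probes']} ?author= username probes"))
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG
    for ip, sev, why in findings(summarise(lines)):
        print(f"{sev:8} {ip:16} {why}")
```

At 30,000 attempts a day any per-address threshold is exceeded within minutes, so the useful tripwire is not the volume but a 302 from wp-login.php following a run of 200s from the same address, which is a login that should be verified with the account owner and, failing that, treated as a break-in.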

What should you do?

By the time you discover you have been hacked it is way too late.

There is no cure – prevention is the only solution. Once your site has been hacked, the only viable option is to delete everything and rebuild from scratch.

This is because the intruders leave multiple pieces of code that allow them to get back in, and it is virtually impossible to scan and clean a website. You can try to do so, but you will end up spending many dozens of hours and most likely fail anyway. The cost of cleaning a site is usually much more than the cost of rebuilding.

So, in order to prevent intrusion there are a number of things you should do:

  1. Usernames and Passwords: The WordPress installer suggests ‘admin’ as the username, and it is the first name every brute-force tool tries. Never use it; if your site already has one, create a new administrator account with a different name and delete the old one (WordPress does not let you rename a user from the dashboard). Always use a long, unique password. If you need to give someone else access to your site, do not share your login: create a separate user account for them with the least privileged role that does the job, and remove or deactivate accounts that are no longer required.
  2. Manage Plugins: Use as few plugins as you can possibly get away with given the requirements of your site. Always deactivate and completely delete any plugins you are not using.

A typical site should only require fewer than 5 plugins, a more complex site may need 10-15.

When choosing plugins, try to find ones that are very commonly used and frequently updated. The WordPress plugins listing will give you some clues in this area with usage and update statistics.

Always update plugins regularly – most well-maintained plugins are updated monthly, so with 10 plugins on your site you can expect about 8 updates per month. This is an ongoing process that never stops and must be performed. You cannot just build a site, then sit back and leave it.

Only 40% of all WordPress sites are running the latest version (https://torquemag.io/2016/10/13-surprising-wordpress-statistics-updated-2016/)

  3. Install supporting plugins: Ironically you actually need a few more plugins to achieve a robust solution. I always recommend using two particular plugins:

Backups: BackupBuddy (US$80/year) – this plugin can be configured to perform off-site backups regularly and the backups are particularly easy to restore. You can also invoke a backup quickly at any time.

Firewall: WordFence (US$99/year) – this plugin provides a number of protection functions such as

  • monitoring your site and alerting you when updates are required
  • blocking an address after repeated failed logins or password-reset requests
  • blocking specific countries from the login page
  • checking password strength
  • spotting unusual connections and blocking them quickly

Both of these plugins are commercial and while you can find some free alternatives that perform reasonably well, in my experience, none of them is really adequate for the job.

Note: the two products that I’ve listed – BackupBuddy & WordFence are ones that I’ve used many times and trust, but I know that there are also other similar backup and firewall products that are equally as good. The main point is that I think these two functions are vital for the management of security of a WordPress site.

Take home message

99% of the time, WordPress security comes down to ongoing effort.

Effort to manage logins well, and effort to keep your site’s software up to date on a regular, ongoing basis.

If you are not doing the updates or paying someone to do so, then your site is very likely to be running vulnerable code.

While WordPress itself is free, the reality is that, over and above the cost of hosting, you need to invest in some commercial plugins and possibly also engage ongoing support (if you are not in a position to do the work yourself).

So the true cost of a WordPress site must take these ongoing expenses into account. If you are reluctant to make the investment, then consider the cost of having to rebuild your entire site, and the cost of the interruption to services and to your reputation, in the event of a hacking.

In 2017 I recorded a podcast on this topic with Flying Solo.