Having your website hacked is one experience you wouldn’t like yet many people have had to deal with this one or more times. WordPress is the most popular content management system worldwide. This may be good, but it also means its the most attacked system due to this popularity.
When your wordpress site or the server you host your site on, has a weakness, a hacker will eventually find it and exploit it. Lets see how hackers go about their business of hacking your website. We will start with highlighting what many people get wrong about hackingM
1. Hackers only target ‘big’ sites, they have no business hacking small unpopular sites.
A statement can never be further from the truth than this one. Hackers like to hack any kind of website they can get their hands on. It may be a very popular website with 500k visitors per day or a website with 2 visitors a day. To get this better, you need to understand what is the motive of a hacker. Some hackers hack for fun, others because they want to blackmail you once they have your cornered, others just want to utilize your hosting space to perform other malicious things like phishing or spam. While others will hack sites so they can discover weaknesses and have developers fix it. Yes, not all hackers are bad.
Having said that, you will now understand why someone would be motivated to hack your site even when its the most unpopular site you have ever seen. Provided opportunity presents itself, there are many people out there who will enjoy intruding. In fact, according to studies on security, most hacked websites are small scale websites. This is because, individuals with just a need to have a blog online don’t think about security. On the other hand, big companies with a reputation to protect have security teams and premium security features employed to safeguard their websites and online infrastructure.
Therefore, be careful!
2. Once you create your site with with appropriate plugins/themes, you will always be secure.
Security is very dynamic. What is secure today, will be insecure tomorrow. Millions of security vulnerabilities are discovered ever single day. Internet security is a multi million dollar business. Get this right that, if any software doesn’t provide updates, it is insecure. Yes, some of the most updated software still fall prey to major security vulnerabilities. But if they didnt patch earlier security loopholes discovered, they wouldn’t even survive that long in the market. All plugins/themes and wordpress version must be regularly updated. If the plugins/themes you are using don’t provide updates in say two months, look for alternative plugins/themes.
3. When your site gets hacked, blame your competitor first.
Trust me, 95% of times a website gets hacked, your competitors have nothing to do with that. Most even don’t know what they’ll need to perform a successful hack or the desire to pay a hacker to do it for them.
So, having said that, how on earth does your site get hacked? Read on.
There are two sources of weaknesses that will expose your site to hacks – vulnerable wordpress installation or vulnerable wordpress hosting server.
Hacks via vulnerabilities in your wordpress installation
Your wordpress installation becomes vulnerable via plugins and themes. When you download a premium theme for free – cracked themes – you are preparing yourself for a hack. These themes normally have malicious code inserted in them that will allow a hacker (the one who cracked it) to gain access to your hosting account.
What if you use a genuinely bought wordpress theme or use a free theme which is trusted, how do you get hacked? When developers set themselves to develop something great, their main objective is one – make the software work. Rarely do they take the intensive time and resources needed to thoroughly test and see if there are any security loopholes in their software. Additionally, even if they did, software cannot always be safe – that is why they need updates. So, if a hacker discovers a loophole in a theme or plugin, they sit down and develop a script that will exploit the loophole. Then how do they get you?
You see, each wordpress theme/plugin has thousands, others millions, of users. Each of this themes always has something in common, some sort of design or wording that can make you identify it. So all a hacker needs to do is determine this unique identifier and run a script on Google to find out websites that have this identifier. Once they get their list, they run another script that makes the theme/plugin do something its not supposed to do. Eg, injects a code that makes it redirect to some other site. This could make them increase their traffic in that site and earn money somehow – ,maybe through ads.
Once a hacker accesses your site, they probably install a backdoor – some code that will allow them access to your website even if you remove the compromised theme/plugins. This is what makes the experience more tormenting for others. They struggle with the clean up only to be see the site hacked again in a short while. A good clean up must scan and remove back doors too.
Hacks via vulnerabilities on the server hosting your wordpress site
Its not always issues on your wordpress installation that cause your site to be hacked. The server hosting the wordpress website needs to be prepared well for the job. Otherwise, it would be like closing one door to a hall and to keep people out but leaving the other door open.
WordPress is a php system. Your first move to secure your server for wordpress will be to harden PHP. Some PHP functions are harmful in that they can be exploited to cause you problems. Such functions need to be disabled or highly restricted. There are more steps that can be followed to harden PHP to better secure your hosting server.
Additionally, basic server security measures must be taken to secure the server. This has nothing to do with the wordpress installation. It is simply an internet standard to apply some security features on any server, especially one accessible via the internet. For these, have a look at the following article on basic security measures for your server. If you use shared hosting, your provider should be able to handle the server security part for you.