Common Hack Attacks: You just launched your own WordPress site, and things are going well. It’s a simple website, and most of your readers, for now, are people you know. But soon, you notice that things aren’t quite right. There are weird pop-ups that you didn’t add. Or your readers complain that they’re getting redirected to other sites when they visit your site from their mobile devices.
Chances are that your website has been hacked. It doesn’t matter that yours isn’t an e-commerce site, or that it has no information worth stealing. The thing is, most of the time, attackers want to use the server your website is running on. They want to send out spam and do it from a location that can’t be traced back to them. There are several other reasons why a WordPress site gets hacked. Whatever the case, there is a list of common methods used to hack a website.
Common Hack Attacks on WordPress Websites
Here are some of the most common attacks you should be looking to protect your WordPress website against:
It allows attackers to access websites long after hacking the website. Backdoors are infected files that enable bypassing access controls. Files are used to reinfect and retain access. This is why many websites are compromised even after cleaning the hack.
2. Remote Code Execution:
When an attacker has access to the website’s admin system via malware installed on the website they can remotely execute codes on the hacked site. The code can be executed to do anything to the site, or to the server the website is on, or the computer from which the website is accessed.
3. Remote and Local File Inclusion:
Attacker takes advantage of vulnerable inclusion procedures to include files from a remote or local server. This can be avoided by implementing stringent input validation controls.
4. Broken Authentication and Session Management:
Whenever a user logs into a site, he or she is given a unique Session identifier (or Session ID, also known as a session cookie), that must be protected by SSL through the entire session, be random, and timeout as soon as the user logs out of the site. If the site has a weak authentication system, hackers can use this to assume the user’s identity. A weak authentication system has the following characteristics:
- Weak session IDs: Strong session IDs are a certain length, and use a good set of random characters. Using characters that are easy to guess, or using a short session ID opens up the website to a variety of Brute-Force attacks (more on this attack below).
- Session IDs exposed in URL: Session IDs have to be secret, they’re only to authenticate the user to the server. If your website discloses the session ID in its URL, anyone can assume the identities of users or even admins.
- Sessions not timing out: Sessions not timing out are an issue, especially since they provide a foothold for Brute-Force attacks.
- Session IDs being exploitable by fixation attacks: Fixation attacks are a type of Session-hijacking.
- Accepting weak usernames & passwords, accepting same passwords: Many site owners use easy to remember username like ‘admin’ and password like ‘password123’. Remembering a strong password is difficult and a lot of times, the same password is repeatedly used in a number of places which is risky because if a hacker gets their hand on that password, many of your accounts will risk compromise.
- Bad management of usernames and passwords: Storing usernames and passwords in unencrypted form prevent unauthorized access your credential. 2-factor authentication systems help. It adds an extra layer of security and involves two steps in verifying the identity of the person trying to log in.
5. Brute-Force Attacks:
The most common way of gaining access to a site is by brute force attack. It involves guessing the right combinations of username and passwords through repeated attempts. Hackers have a list of commonly used usernames and passwords which they use to break into a WordPress site. Following the best practices to prevent brute force attacks is necessary.
6. Injection Attacks:
Many hackers, utilizes an entry field to input malicious code. Injection is when attacker inputs command via special data entered into the input field. This tricks the website/web application into executing commands. All these attacks can be avoided by utilizing strict input validation procedures and in this way these attacks and File Inclusions are similar.
- SQL injection: It’s when an attacker inputs SQL command/query via input data, allowing access to the database, modify data on it and carrying out admin operations.
- Cross-site scripting (XSS): Type of injection attack. The attacker injects malicious scripts into good websites via a web application that accepts inputs. Web apps usually separate data and executable code before delivering to a user’s browser. But in this case, the input code is indistinguishable (example: when the attacker uses markup codes in the input field). User’s browser executes code, gives access to cookies, session tokens or even content on the HTML page.
- MIME confusion attacks: Also called Content-type confusion attacks. Uses web applications’ tendency to check file extension. Attacker uploads a file with the right file extension, which actually contains executable code. This opens up a door for XSS.
Also called UI redressing, it takes a user to a different action/different page from the intended button on the intended page that he/she clicked on. It’s done by creating web pages with transparent/opaque layers.
8. DDoS Attacks:
It sends a huge traffic to an online service from many sources, thus overwhelming it and making the site unavailable. Done via malware installed on users’ computers visiting infected websites. Infected computers become botnets. Botnets can be controlled remotely to generate traffic and users are usually unaware of the attack until their site goes down. Facebook’s Notes section had a vulnerability in 2014 that allowed readers to participate in the attack, unknowingly.
9. DNS Cache Poisoning:
It involves redirecting traffic to a different site by introducing malicious pages to a DNS. DNS caches pages for a short while to save time for future frequent requests. When affected DNS passes malicious page info, it gives out bad data to users, may return an incorrect IP address (mostly the hacker’s), via communication to/from another server. It’s dangerous because of its spreads from the server to server this way.
10. Drive-By-Downloads from Malware:
In this, the user is tricked into downloading a malware-loaded executable script, which then retrieves data from user’s computer. Malware used to create drive-by-downloads infected about 60% WP sites.
Usually on e-commerce sites that store financial information of users is targeted. Attackers use email or other means of communication to get data from the user or uses part of the website to install spyware that (malicious code that watches user’s data) performs one of following:
- collecting username and password for accounts on financial websites.
- searches and retrieves user’s PC for information from cache and cookies.
- pops-up when the financial website is opened, asking for username and password.
Hackers carry out symlinking hack attacks with the intention of getting root access to the entire server of the hacked site. If the site is on a shared server, they’d have a chance to exploit a large number of websites. In most shared servers, websites owners don’t have full access to their FTP. This limited access allows them to view the content of only their own home directory. That way other user’s content is kept safe. But symlinking enables hackers to access other websites on a shared hosting.
A symlink is a shortcut. A symlinking attack occurs when a hacker positions the symlink in such a way that the user thinks they’re accessing a certain file when they’re really not. What they are doing is giving the hacker a shortcut access that’ll allow them to browse the entire directory.
13. Common Plugin-Based Vulnerabilities on WordPress:
Plugin vulnerabilities are accounted for 25% of all WP-related hacks. All WordPress plugins develop vulnerability at some point. A developer may have written a bad code or there were unanticipated loopholes in the latest update. When a vulnerability is discovered in a plugin, a patch is quickly released in form of an update. When the site owners don’t update the themes and plugins of your site, they leave themselves exposed to hack attempts. The more popular a vulnerable plugin is, greater are the chances of a hack attack. Below, we have listed down some of the most common plugin-based vulnerability on WP:
TimThumb: The plugin allowed visitors to resize and serve cached versions of images from predefined, remote locations. It accesses the WP root directory. The vulnerability wasn’t in the plugin. Hacker would break restriction on remote locations accessed or upload a script to the cache directory, mostly via a shell script that would disguise the script. This would inject code into the WP directories and core files, and execute whenever blog page was injected. This is a kind of Remote Code Execution attack.
RevSlider: Patched in 2014, it allowed attackers to install a ‘Filesman’ backdoor via the Revolution Slider plugin (plugin to create carousels and sliders). It allows access to files and is hidden in file-system, which makes it difficult to find unless server logs are accessed.
Arbitrary File Upload (via Gravity Forms): Also called Unrestricted File Upload. Attacker bypasses access control of an app and uploads a file to a function of the app that accepts uploads (in case of WordPress, via the Gravity Forms plugin). Can be used to take over the complete website, or even computers. Once access is taken, the attacker can overwrite critical files, fill up storage of the app with files, or store files in an incorrect location. The vulnerability was patched. This was a sort of Remote File Inclusion and execution attacks.
In upcoming posts, we’ll be taking up each of these common attacks individually and discuss them in length. We hope that this list of vulnerabilities helped you understand why website security can no longer be an afterthought.