WordPress sites are often compromised by hackers who exploit vulnerabilities. In fact, there are around 90,000 attacks on WordPress sites every minute.
If they’re successful, they can use the website to run all kinds of malicious activities – steal customer data, sell illegal products, send spam emails (read – phishing hack), dupe customers into downloading malware, using black hat SEO techniques to rank their own products (read – pharma hack), insert backdoors – the list goes on.
For a website owner, getting hacked is not just bad news, it’s a nightmare! And it can happen to any site – big or small. It’s interesting to note that smaller sites think that hackers won’t come after them. But in reality, such sites are easy targets and are preferred by hackers.
If your site gets hacked, you have much to lose. Your customers won’t trust your site anymore, your sales and revenue will take a hit, and you could even be blacklisted by Google, and suspended by your WordPress web host.
If all this has you worried about your site’s security, we’ve got you covered. In this article, we’ll get behind the psychology of hackers and understand the ways in which they hack websites. After that, we’ll cover ways to neutralize them as well.
Hackers have a legion of hacking methods at their disposal using which they’ll try and gain access to your site. Use MalCare Hack Prevention Plugin to keep hackers at bay. MalCare will proactively defend your site against hackers, alert you of any intrusion, and help you remove any kind of infection.
Before we begin to show you how and why hackers hack sites, you need to understand the structure of your WordPress website. It is made up of files and a database. WordPress files mostly contain all the settings and configurations, while the database stores all the data of posts, comments, users and a bunch of other things.
Both elements are required to generate the frontend of your website. But both can also be exploited by hackers.
First, let’s take a look at how hackers get inside WordPress sites.
Note: This is not a guide on how to hack a WordPress website. It is an educative article to show you how hackers can exploit vulnerabilities to hack your site. That said, let’s begin.
6 Common Vulnerabilities That Enable Hackers To Hack WordPress Sites
To hack a website, it should have a point of vulnerability. We’ve listed out the common vulnerabilities found in WordPress websites:
1. Running Outdated WordPress Installation
Around 44% of hacked WordPress websites were running on outdated installations according to a 2018 report. As a website owner, you will see frequent updates available to the WordPress installation, like so:
Usually, updates carry new features, bug fixes, or resolve incompatibility issues. Sometimes, they also carry WordPress security patches. This means if a security flaw was found in the software, the developers quickly fix it and release an update that will remove the flaw.
Once released, the presence of a wp security flaw is made known to the public. Hackers then seek out websites that haven’t updated, find the flaw, and use it to hack into the site.
So if you choose not to update your WordPress installation, then you haven’t installed the new security features and you’ve given your website on a platter to the hackers.
Tip: Security patches are rolled out as minor updates. You can tell if it’s a major update if it’s V5.2 or V5.3. A minor update would be V5.2.1, for example. By default, minor updates are automatic, but you can turn it off. We recommend keeping the auto-updates option turned on for minor updates.
Besides keeping your plugins, themes, and core updated, we strongly suggest that you keep your WordPress salts and security keys updated.
2. Using Weak Credentials
Another common point of entry for hackers is weak credentials. Hackers use a method called brute force attacks where they program bots to scan them for WordPress sites on the internet and attempt different combinations of usernames and passwords to break into the website.
If you’ve left your login name as ‘admin’, they’re already one step closer to gaining access to your site. However, if you’ve used common passwords like ‘password123’, then it’s easy for them to guess it. These bots can make thousands, if not millions of hacking attempts in just a second (recommended read – WordPress login page protection guide).
We recommend changing the password to a passphrase in combination with numbers and symbols to make your password strong as ever like so:
3. Having Pirated Themes Installed
Premium themes are attractive and we’d all love to have a great theme for our website to make it unique. Many times website owners fall prey to free, cracked or pirated versions of these themes. Such themes from unreliable sources can carry pre-installed malware. By installing it on your WordPress website, you also install the malware. This opens the door to hackers. We’ve detailed how this happens later.
Always download themes only from reputable sources such as the WordPress repository or marketplaces like ThemeForest and ThemeTrust.
4. Using Vulnerable plugins
Hackers are constantly on the prowl to find gaps in the security of plugins. If they find one, they’ll scan the internet for WordPress sites that have the plugin installed. This enables them to hack into thousands of websites in a matter of minutes.
Many times, especially with free plugins, developers may find that they can’t maintain it any more and abandon the plugin. (This can also happen with themes). In these cases, the security of the plugin will lapse and having it installed on your site poses a threat.
Download plugins only from trusted sources such as the WordPress repository or CodeCanyon. Regularly delete WordPress plugins and themes you don’t use any more. Check the status of the plugins you do use to see if they’re being updated and maintained by the developer.
5. Using Insecure Local System
Sometimes, it may be your computer itself that’s not secure. If someone hacks into your system, they can easily access your WordPress site because in most cases, the wp-admin is already logged in and open.
This can happen if you don’t have a firewall or anti-malware tool installed on your system.
It’s recommended that you never use a public computer or public unsecured wifi connection on your local system which you use to run your WordPress website. Always keep malware detection tools active on your site.
6. Using Poor Web Hosting Service
While choosing a hosting plan, we tend to look for the cheapest one. But the cheapest doesn’t always guarantee good security measures.
Shared servers may be cheaper but they also put your site at risk. You can’t tell which sites you share a web server with and whether they’ve implemented security protocols. If they get hacked, there are chances the malware infection can spread to your site as well.
There are also times when website hosts are compromised which means all websites on the hosting platform are exposed for hackers to exploit.”
Before choosing a web host, read up on what they offer and what customers have to say about them. This will help you get a good idea of which web host to choose.
To find a vulnerable site, hackers create their own bots or use free vulnerability scanners available online to comb through the internet. When they find one, they’ll exploit the security flaw it has (like the ones mentioned above) to get access to the files or database of the WordPress website.
Then, they inject code that will execute malicious activities such as sending spam emails, selling illegal products, etc. They also inject code to create new user accounts or WordPress backdoors that will help them regain access to your site any time they want.
How to Hack a WordPress Site?
There are innumerable ways to hack into a WordPress site. Here, we’ll discuss two of the most common ways hackers inject code into your website to create a new user login:
I. Through Files (Pre-Installed Malware in a Pirated Theme)
As we discussed earlier, many WordPress site owners fall prey to pirated themes. You get all the features for free! But such software can have a script to create a new login ID. Once you install the theme, the new user account gets created and the hacker can simply log into your website from WordPress admin.
We’re going to show you how you can create a new user account on your WordPress website using your theme file. This will help you understand how pirated themes help a hacker get access to your site.
Tip: This can also come in handy if you’re locked out of your wp-admin but still have access to your web hosting account.
Going behind the scenes of a WordPress site is a risky affair. It’s best to do this on a test or staging site. If you choose to do it on your live site, please ensure you take a reliable backup. In case something goes wrong, you can restore your WordPress backup.
Step 1: Login to your WordPress hosting account. Go to cPanel and access the File Manager.
You can also access files through an FTP client like FileZilla using FTP credentials.
Step 2: Your WordPress files usually reside in a folder called public_html. Inside it, you can access wp_content/themes.
Step 3: Here, you need to choose the active theme on your website and edit the functions.php.
Step 4: Copy and paste the following code at the end of the file. (If there is a closing tag like so ?>, make sure the code comes on the line before this.)[php]$new_user_email = ’firstname.lastname@example.org’;
$new_user_password = ‘password’;
$user_id = wp_create_user($new_user_email, $new_user_password, $new_user_email);
wp_update_user(array(‘ID’ =&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;gt; $user_id, ‘nickname’ =&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;gt; $new_user_email));
$user = new WP_User($user_id);
[/php]Edit the first two lines to the email and password of your choice. Once you save the file and open your website, the code will run and you can log in using these new credentials.
We hope now you understand that when you install a pirated theme if it has this block of code, a new user account will be created. All the hacker has to do is enter the credentials and log in.
II. Through Database – SQL Injection
This is another one of the most common reasons why WordPress sites get hacked. To begin, you need to know two things about SQL injections:
- WordPress uses MySQL as the default database system.
- In order to generate the frontend of a website, WordPress uses SQL queries to pull data from the database.
We don’t have to worry about what this is or the details of it for now. What you need to know is that this database is accessible only through cPanel > phpMyAdmin. But hackers find ways to access it without using cPanel. One of the most common ways hackers contact a site’s database is through vulnerable forms on a website.
A form is any element where text can be entered such as the WordPress login bar, contact form, WordPress blog comments, subscription pops, checkout pages, and the site search bar.
Instead of entering the details asked in the form, the hacker would enter their malicious SQL commands. As all information entered into the form gets stored in your database, this malicious code will find its way in.
To explain how this happens, we’re going to show you how to create a new user account using your database.
→ Creating New User Account Through Database
Step 1: Access cPanel and open phpMyAdmin > Databases.
Step 2: Here, you’ll see a list of databases. You need to select your database. (If you don’t know your database name, you can find out this information in your wp-config, like so).
We’ve selected the database according to the name in the wp-config file.
Step 3: Next, from the tables that populate on the right panel, you need to find the table that ends in _users (It will most likely be named wp_users).
Step 4: Here, you can click on ‘Insert’.
Step 5: It will open up the following screen where you can enter the user login name, password, email and display name.
Step 6: Next, click on ‘Go’ and your changes will be saved. Now you can login to WordPress using the new credentials.
The same can be done by inserting a block of SQL code into the database. Similar to the pirated theme, once the code enters the database, it will run and a new user will be created. We can think of it as a hacker simply creating their own door in your home and walking right in.
How To Stop Hackers From Hacking Your Website?
There are four main steps you need to take in order to make your site secure enough to keep hackers at bay:
1. Install a WordPress Security Plugin
Every WordPress website needs a security plugin such as MalCare. Protect your WordPress site with such a plugin that will scan the website regularly. It will spot any suspicious activity, block malicious traffic and keep hackers out. In the event a hacker does get in, you’ll be alerted immediately and you can clean your website instantly before they can do any damage.
2. Install an SSL certificate
This certificate will provide your website with data encryption. What this means is that when someone visits your website, data is transferred between their computer and your website’s server.
If it is transferred in plain text, sometimes hackers who are lurking around can grab that data. They can read it, steal it or modify it to their liking.
But if its encrypted, even if a hacker gets a hold of it, they won’t be able to decipher it.
You can get an SSL certificate from your web host or from an SSL provider. If you’re worried about spending too much on a certificate, providers like LetsEncrypt offer free SSL.
To learn how to install an SSL certificate, take a look at this guide – Moving HTTP to HTTPS.
3. Fix Known Vulnerabilities
As we mentioned earlier, there are common vulnerabilities in WordPress. We recommend that you take the following measures to minimize vulnerabilities.
- Updating WordPress and its themes and plugins must be top priority.
- Ensure you always use strong login credentials to avoid brute forcing attacks.
- Regularly delete unused themes and plugins
- Never ever use pirated themes and plugins. Always download such software from trusted sources like the WordPress repository, CodeCanyon or ThemeForest.
- Use a reliable web hosting service provider.
- Keep your local computer protected by installing anti-malware software.
4. Harden Your WordPress Site
WordPress recommends that every website on their platform takes certain steps to harden their sites. Some of these measures include:
- Keep an active WordPress firewall. This will help block Limiting the number of login attempts. Every user gets only three chances to enter the credentials correctly, after which they will have to opt for ‘Forgot password’ or contact the admin. You can use the same MalCare plugin to implement this step.
- Disabling plugin installations in case you have multiple users working on the website. You would want to ensure no one installs a plugin freely without checking if they are reliable and trustworthy to have your site. This can be done manually by editing a file called wp-config.php in your WordPress install. You can also use the MalCare plugin for this.
- Implementing 2-factor authentication to verify the person logging in. This is done by sending a one-time password to the registered mobile or email, or by using apps like Google Authenticator that generate a real-time password every 30 seconds.
There are many more ways in which you can harden your website. It’s recommended to implement these steps as per your website’s requirements.
Besides that, you can take a few more security measures. We strongly suggest following this guide – Secure Your WordPress Site With wp-config.php.
We hope this article has given you a better understanding of how vulnerabilities can appear on your website and how hackers get in. Hackers aren’t biased and will target just about any site. If your site is vulnerable, there’s a really good chance that you’ll be hacked.
So to sum up, we recommend minimizing vulnerabilities, installing a security plugin and hardening your website so that hackers don’t stand a chance of getting into your website.
Keep your website secure with our MalCare Security Plugin!