Sneaky Tricks Hackers Use to Target WordPress

Security is on everyone's mind these days, but be careful where you're getting your information from. Be sure you're getting expert advice before you proceed, or you could find yourself in trouble.

3 Sneaky Tricks Hackers Use to Target WordPress Sites

The open source nature of WordPress has one downside, and if you’re not careful it could ruin your online business. I know this because it happened to me. Just a few months ago, I had a hacker hijack a WordPress site that was consistently earning me several hundred dollars a month.

The hacker:

  • Blocked all logins from my IP address.
  • Deleted 217 pages of content, including over 50 pages of premium membership content.
  • Posted 182 spam articles on my site, all of which were visible from the home page and which tanked my search engine rankings.
  • Changed the admin account to their email so that I could not update my password OR get back into the site.


Brute force authentication attacks are pretty simple to avoid – at the server level. If your host doesn’t already provide some form of brute force protection, talk to them about it or get a new host.

If an attacker has the ability to gain control of your site through a vulnerability on another site on the same server, your permissions are set up *very* wrong. Get a new host.

MD5 and SHA are *hash* methods, not encryption methods. There’s an enormous difference between the purpose, function and operation of these techniques. Notably, hashes are not reversible. WordPress “salts” these hashes to make it more secure. On this point, it would be better for users to ensure they’ve properly created their keys and salts in wp-config.

@3 – You can’t completely control username exposure on multisite, and even on regular WordPress some themes render the username within the output.

@5 – Domain privacy offers NO protection whatsoever. It takes all of a few minutes to file a request with the registrar for the actual data, and in many cases they’re obliged to provide it. And most registrars (notably GoDaddy) that provide domain privacy do so at the cost of not effectively relaying domain contact attempts. This is important because it means that an attacker can send (and they do) fraudulent DMCA takedown notices to the registered “private” domain email address, CC the registrar and webhost, and since you don’t receive or respond to the message in a timely fashion, your host and/or registrar will disable the site. This is just as bad as getting hacked.

Even if domain privacy did protect your contact information, your site could not operate if your name servers were not exposed, which is how visitors are able to find out the IP address, which is what your point here is really about. There’s no way (outside of perhaps setting up your domain behind a proxy) to prevent direct access to your content.

@6 – If you aren’t familiar with managing WordPress, you probably shouldn’t be responsible for an entire server, and all the other services and applications you would need to maintain for it, either. It would be better to look into a “managed” provider.

@8 – While updating plugins and themes is important, blindly installing updates is not good either. Several times in the past, updated plugins or themes have included exploits or security regressions (si-captcha, addthis, w3tc and wptouch, for example). If you’re a security-minded coder, review the code before you install updates. If you’re not, you should probably find someone that can help keep an eye out for you.

@9 – The implication here is that just because a theme or plugin is “paid” that it’ll be of higher quality. Sadly, that’s not the case. WPMU.org had an article on this very topic only last year.

While you’ve included some good advice here, too, I’m afraid you’re mixing in too much myth and misunderstanding for it to be ultimately good for the typical user.
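The comment above says the useful thing a site owner can do about WordPress's keys and salts is to make sure they were actually set in wp-config. Below is an added example of that check, not code from the post or from WordPress: it scans a wp-config.php for the eight real key/salt constants and flags values left at the stock placeholder, reused across constants, or too short. The sample config text and the 32-character minimum are constructed assumptions for the demo.

```python
import re

# Constructed sample of a wp-config.php fragment (not a real site's config):
# two keys still carry the stock placeholder, one is short, two salts are copies.
SAMPLE_WP_CONFIG = """<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'K3y|#aS7vq!Zp9&r(mN2wE^tG4hJ6kL8xC0vB1nM3z[Q5]W7e+R');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'short');
define('AUTH_SALT',        'dupe-dupe-dupe-dupe-dupe-dupe-dupe-dupe-dupe-dupe-dupe-dupe-dupe');
define('SECURE_AUTH_SALT', 'dupe-dupe-dupe-dupe-dupe-dupe-dupe-dupe-dupe-dupe-dupe-dupe-dupe');
define('LOGGED_IN_SALT',   'h7G$1!kLz^pQ0m*Rv3Wc@bN5xT8yU2iO4eA6sD9fJ+hK)lZ(qX[wE]rV');
define('NONCE_SALT',       'Zq9!vB2#nM4$xC6%aS8^dF0&gH1*jK3(lP5)oI7_uY9+tR2=eW4-rT6');
"""

# The eight constants WordPress reads from wp-config.php.
WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # stock text from wp-config-sample.php
MIN_LEN = 32                                  # assumed threshold for this demo

# Matches define('NAME', 'value'); with either quote style (values without quotes).
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"](.*?)['"]\s*\)\s*;""")


def audit_salts(config_text):
    """Return {constant: [problems]} for the eight keys/salts; {} means clean."""
    values = dict(DEFINE_RE.findall(config_text))
    problems = {}
    seen = {}   # value -> first constant that used it, to catch reuse
    for key in WP_KEYS:
        issues = []
        val = values.get(key)
        if val is None:
            issues.append("missing")               # not defined in wp-config at all
        else:
            if val == PLACEHOLDER:
                issues.append("placeholder")       # never replaced after install
            if len(val) < MIN_LEN:
                issues.append("too short")
            if val in seen:
                issues.append("duplicate of " + seen[val])
            seen.setdefault(val, key)
        if issues:
            problems[key] = issues
    return problems


if __name__ == "__main__":
    for key, issues in audit_salts(SAMPLE_WP_CONFIG).items():
        print(f"{key}: {', '.join(issues)}")
```

Fresh values can be pasted in from the official generator at https://api.wordpress.org/secret-key/1.1/salt/; re-run the audit afterwards to confirm every constant is unique and no placeholder remains.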
