export default "data:image/svg+xml;base64,PHN2ZyBhcmlhLWhpZGRlbj0idHJ1ZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB2aWV3Qm94PSIwIDAgNjAgNzUiPjxkZWZzPjxzdHlsZT4uYXtmaWxsOiNmZmY7fTwvc3R5bGU+PC9kZWZzPjx0aXRsZT5UUlEtTEdPLVEtUkdCPC90aXRsZT48cGF0aCBjbGFzcz0iYSIgZD0iTTkuNzEsOS41NGEyOC44LDI4LjgsMCwwLDAsMCw0MC42NGwuMTMuMTJoMEwzMy43NCw3My44NlY1OC4yNWExOS43LDE5LjcsMCwwLDAsMi4zOS0uMzUsMjguMjksMjguMjksMCwwLDAsMTQuMTYtNy43MkEyOC43MiwyOC43MiwwLDAsMCw5LjcxLDkuNTRaTTQyLjQ0LDQyLjMyYTE3LjQ2LDE3LjQ2LDAsMCwxLTguNzcsNC43NVY1OFMxOC4wNSw0Mi44LDE3LjU2LDQyLjMxYTE3LjYsMTcuNiwwLDEsMSwyNC44OCwwWiIvPjwvc3ZnPg=="
Torque

Top 5 WordPress Security Breaches and How to Rectify Them

Avatar photo

Filed Under

Security

Published

August 18, 2017

2 Comments

Holding more than 28 percent of the market share and powering 74.6 million websites across the globe, WordPress is indeed one of the most sought-after Open Source CMS in the world. With enhanced usability and appealing aesthetics, WordPress truly deserves to be the world’s most recognized publishing platform.

But the massive usage of WordPress and open source have made it an easy target for cybercrooks, who aim to infect the websites with malware and gain control over their operations. Hacking platforms like WordPress enable these cyber-criminals to infect a considerable number of websites in a short span of time, using automated attacks. Such malicious activities can be carried out by human hackers, a single bot (automated program used by the hacker) or a botnet (a group of machines which are coordinated by a C&C server).

Image credit :https://www.wordfence.com/learn/how-to-protect-yourself-from-wordpress-security-issues/

A majority of the attacks are carried out by bots and botnets and since the attacks are so fast and damaging, it is important to understand the vulnerabilities of your WordPress security system. Statistics reveal that in 2012 alone more than 170,000 WordPress websites were hacked and the chances of this figure escalating now are higher. Combating WordPress security issues will protect you against money loss, customer –data breaches and the spread of malware to other websites. Let us take a closer look into identifying the most common WordPress security breaches typically spawned by hackers and how to amend them.

SQL Injections

What is it?

An SQL injection is the most common type of attack targeted towards database driven websites and web-applications. Here, the hackers send in special SQL queries to the website by attacking the website’s security measures which have the capacity to modify or delete the entire database. These code-injections can also create new admin accounts which can be used to include links to malicious or spam websites.

How to overcome it?

Error messages are mostly used to get critical website information, hence either these should be disabled or custom error messages should be created. Cyber security experts from WordPress website designing services say SHA1 or SHA encryption should be used for all sensitive information and password. Limiting the number of permissions granted will lower the chances of such malicious attacks.

Brute Force Attacks

What is it?

A Brute Force Attack method is where a large number of trial-and-error methods are utilized to gain the correct combination of login-id and password to your WordPress website. It is the most basic way in which hackers try to gain access to your login screen. This attack can be devised in various ways – dictionary attack or reverse brute force attack, each technique repeatedly trying to guess the login-id and password combination. This is a common tactic used by bots since there are no limitations to the number of login attempts in WordPress. When successful, this attack gains critical access to your website and business. When unsuccessful, it still manages to overload your system.

How to overcome it?

The best method here is to activate a lockout policy which deters multiple login attempts. Progressive delays, where the account is locked-out for a definite time period, can also be used.  Tools such as Captcha can be employed, though it affects the usability of the site. Enforcing strong passwords will help combat this type of attack.

Cross-Site Scripting

What is it?

With almost 84 percent of all the security breaches on the internet being Cross-Site Script or XSS attacks, this type of attack manifests itself most commonly in the WordPress plugins. Here, the attacker uses a web-application to send malicious scripts and codes to otherwise benign and trusted websites. The security gaps, which allow the incidence of such attacks are quite common over the internet, where the end-user browser will not have any measures to know that such attacks cannot be trusted. Eventually, insecure JavaScripts are loaded on to the webpage which are then used to steal confidential information.

How to overcome it?

There is a host of techniques to prevent XSS attacks, some of which are stated below:

  • Don’t allow untrusted data into your HTML documents.
  • Utilize WordPress API Sanitization functions and WordPress API Escaping functions.
  • Before putting untrusted data into your HTML pages, ensure that it is HTML encoded by changing characters such as < into &It;
  • Before entering an untrusted data into URL query string ensure that it is URL encoded.

Web Server and OS attacks

What are these?

There exist certain security vulnerabilities within the web-server or the operating systems such as the Heartbleed Vulnerability or the Shell-Shock Vulnerability. Such security threats are created when a mistake is written into OpenSSL, which makes it viable for hackers to obtain enormous databases and sensitive information from your website. Such major vulnerability affects almost two-thirds of all the websites. In addition to these, phishing attacks wherein attacks which imitate services to steal your critical information and credentials are also rampant in WordPress websites.

How to overcome these?

  • Conduct frequent security reviews of the of the OpenSSL software.
  • Always perform server-side input validation.
  • Never trust externally received input.
  • Update IPS and firewall signatures and enable Heartbleed signatures.
  • Revoke current SSL certificates and reissue new certificates. Don’t generate the new certificates with the old private key.

Malware attacks

What are these?

A  Malware is MALicious softWARE which is designed to disrupt and damage a secure system to gain critical access to the system or database. Such intrusive software can take up the form of executable codes and scripts which infiltrate a system without the user’s consent. Whenever a WordPress site is hacked, take a look at the recently changed files because that is the usual site of malware injection. The most commonly found malware infections include Backdoors, Drive-by downloads, Pharma hacks, and Malicious redirects.

How to overcome these?

  • Manually remove the malicious file.
  • Restore WordPress website from a previous, clean back-up.
  • Always update WordPress and the plug-ins.
  • Delete “admin” account and use some other unique username.
  • 777 file permission make WordPress vulnerable to hackers. Set files to 644 and folders to 755.

This should give you the tools to combat the most common attacks on your WordPress site.

Did we miss anything? Let us know in the comments below. 

Avatar photo

Author

Amelia Grant

Amelia Grant, a passionate web developer swears by WordPress and says it is her favorite CMS. With a career spanning over a decade in developing applications and hands on experience in Node JS and Angluar JS, she advises companies as a freelance consultant on what programs are best suited for different applications.

More articles by Amelia Grant

Reader Interactions

There are 2 comments

How do you stay on top of your WordPress game?

A good way to start is to sign up for our weekly newsletter. We keep you up to date by bringing you the freshest WordPress content from the brightest minds in the industry.