Okay, your WordPress website has been hacked. That sucks. Undoubtedly, questions like ‘Why do hackers always sit in the dark, wearing a mask, behind their own computer?’ run through your head. But you might be even more curious about how they actually do it. In this article we explain, in plain language, how hackers (and their bots) work.
By the way, maybe you’ve already fixed it and you’re just curious about how hackers work. But if your website is still inaccessible, full of junk (SEO spam), or if you’re not sure whether you’ve cleaned it up properly: feel free to contact us.
1. Brute force wp-login.php form
Brute forcing a form is the easiest way to crack your WordPress security. As the name says, ‘brute force’ is done with sheer force and is not particularly intelligent. After finding your usernames, hackers – using bots and tools – simply throw a huge list of frequently used passwords at your login form in the hope that one will stick. The usernames can often be found via http://example.com/?author=1 or https://example.com/wp-json/wp/v2/users, or simply because they are mentioned in a blog post.
The passwords are collected from large data breaches. Curious about what is on such a list? View a top 100 of commonly used passwords here. Want to know if your password might be on such a list? Enter your email address at haveibeenpwned.com to see whether your data has ever been leaked. Don’t be alarmed, but if you have been active on LinkedIn for a while, there is a good chance that your password has been leaked.
– Preferably use one of the passwords that WordPress generates for you. They are impossible to remember, but you can be sure they are not on any list.
– Leave the remembering to a password manager or your browser’s built-in password system. Such a password manager even notifies you if a password you use has turned up in a data breach.
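The two steps described above (finding usernames via ?author=N or the REST users endpoint, then hammering wp-login.php with a password list) leave a recognisable trace in the web server’s access log. As an added example, not code from this article, the script below flags both patterns in Apache/nginx combined-format log lines; the sample lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: 'IP - - [time] "METHOD path HTTP/x" status size "ref" "ua"'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed thresholds: tune to the site's real login volume.
MAX_FAILED_LOGINS = 10          # failed POSTs to wp-login.php from one IP ...
WINDOW = timedelta(minutes=5)   # ... within this time window

def parse(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def detect(lines):
    """Return {ip: set(reasons)} for IPs showing enumeration or brute force."""
    failed = defaultdict(list)   # ip -> timestamps of failed logins in window
    flags = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        ip, path = rec["ip"], rec["path"]
        # 1) username enumeration via ?author=N or the REST users endpoint
        if re.search(r"[?&]author=\d+", path) or "/wp-json/wp/v2/users" in path:
            flags[ip].add("user-enumeration")
        # 2) WordPress answers a failed login POST with 200 (form re-rendered),
        #    a successful one with a 302 redirect; count only the failures.
        if rec["method"] == "POST" and path.startswith("/wp-login.php") and rec["status"] == "200":
            times = failed[ip]
            times.append(rec["ts"])
            while times and rec["ts"] - times[0] > WINDOW:   # log assumed chronological
                times.pop(0)
            if len(times) >= MAX_FAILED_LOGINS:
                flags[ip].add("login-brute-force")
    return dict(flags)

# Constructed sample: 203.0.113.5 enumerates users, then sprays passwords;
# 198.51.100.7 is an ordinary visitor who logs in successfully once.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "bot"',
    '203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "bot"',
    '198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla"',
] + [
    f'203.0.113.5 - - [10/Oct/2023:13:57:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "bot"'
    for i in range(12)
]

if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_LOG).items():
        print(ip, sorted(reasons))
```

A firewall plugin does essentially this in real time; running it over yesterday’s log tells you whether the attempts are already under way.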
2. Exploit WordPress Plugin
Plugins, themes and the WordPress core contain a lot of lines of code, written by a lot of developers from all over the world. The availability of those plugins is part of what makes WordPress great, but it also offers – if you are too careless – an opportunity for hackers. Unfortunately, it sometimes happens that developers do not pay much attention to the security of their plugin.
Of course it depends entirely on how many plugins you have installed on your website, but also on where and from whom you downloaded them. The impact of a vulnerability in a plugin varies, but it can have far-reaching consequences.
To find out if you’re using a plugin with a vulnerability:
As soon as a vulnerability is found in a plugin or theme, the developer is (usually) notified and asked to release an update. Not much later, an entry appears in a database such as WPScan or ExploitDB to inform users of the vulnerability. Good, because then we know something is wrong. But this immediately gives hackers a handy list of vulnerabilities to actively search for. That search can be done via scans, but sometimes also quite easily via Google.
According to the WPScan database, the plugin WP DB Manager has a vulnerability in two old versions. Websites with that plugin are quite easy to find via a Google dork like: inurl:wp-content/plugins/wp-dbmanager/.
– Make sure you update your WordPress core, plugins and themes regularly.
– Are you missing a license code? Make sure you buy it so you can update again.
– Do you have a plugin that is no longer maintained? Look for an alternative.
– Are you using a plugin in a version listed at https://wpscan.com/plugins? Stop reading and delete that thing!
How we ensure that websites are and remain safe
Plugins and updates
When developing WordPress websites, we like to use as few plugins as possible, and the plugins we do use are usually premium and therefore licensed from a reliable developer. That way we know for sure that the plugin is maintained and updated. In addition, we always offer customers a maintenance contract under which we make backups and install all updates. In this way, our customers know for sure that their website is up to date. Did you know that under the GDPR you are obliged to keep your software up to date if your website handles personal data?
There are various firewall plugins that can detect early whether your website is being visited – or rather attacked – by visitors or bots who intend to do harm. Such a firewall shields files that nobody has any business looking at and blocks visitors who perform suspicious actions.
This article gives an insight into two of hackers’ favourite methods, but these are certainly not the only two options. Want to know whether your WordPress website uses plugins with known vulnerabilities? Feel free to contact us for a scan of your website. You can also use the contact form below for help with setting up a firewall or with cleaning and checking your hacked WordPress website.