Saturday, November 26 | Be Passionately Curious & Unstoppable

Try Hacking Your WordPress Website Before Hackers Do!

If you use WordPress, it is really important to familiarize yourself with some security measures to keep your website safe from potential hacking attacks.

There were over 90 billion malicious login attacks from 57 million unique IP addresses, at a rate of 2,800 attacks per second, targeting WordPress, according to WordFence.

WordPress, being a powerful & open source CMS, invites potential security threats as well.

There has been a long history of WordPress websites being targeted by hackers because of security issues.

[Image: news headlines about WordPress websites getting hacked]

Here are some of the WordPress security vulnerability stats you should look at:

  • 41% of WordPress attacks are caused by a vulnerability on the hosting platform. [Source: Unknown]
  • 61% of infected WordPress websites were out of date. [Source: Sucuri]
  • 8% of WordPress websites are hacked due to weak passwords.
  • Over 30% of Alexa’s top 1 million websites were using outdated WordPress, making them vulnerable to hacking attempts. [Source: WPWhiteSecurity]
  • 52% of WordPress vulnerabilities are due to WordPress plugins. [Source: WPScan]
  • In one study, over 4,000 websites were infected by malware due to a fake SEO plugin. [Source: Unknown]
  • There are almost 90,000 attacks per minute on WordPress websites. [Source: WordFence]

Aren’t these stats shocking?

Who are these hackers? Well, that is not the question we are here to answer!

After reading this piece of content, you will understand how hackers find ways to exploit security vulnerabilities in your website, & what you can do to prevent such exploitation.

Moving ahead, we will execute some of the basic, initial techniques hackers use to find potentially weak WordPress websites.

Finally, we will see some fixes to protect your WordPress website from hacking or similar attacks.

How Do Hackers Hack Your WordPress Website?

The Anatomy of WordPress Hacking

It all starts with reconnaissance & scanning. Hackers use various techniques to scan for & shortlist WordPress websites with security vulnerabilities that can be exploited.

They can do this in many ways, such as executing browser-side automated scripts, creating automated bots to scan the world wide web & many more.

Once they have shortlisted weak websites, they execute more advanced hacking steps (like brute-forcing, injecting malicious scripts & more).

Most of this is automated.

Enumeration

With the default WordPress configuration, there are several ways hackers can find sensitive information about your website, which can then be exploited to gain administrative access.

Unless you take steps to hide some critical information about your WordPress website, you are vulnerable to hacking attacks, especially brute-forcing (trying numerous combinations of commonly used passwords until the right one is guessed).

For instance, if a hacker knows the exact username of your WordPress admin account, he is one step closer to brute force attacking your website.

Similarly, various other pieces of information become public with the default WordPress installation, making your website vulnerable to hacking attacks.

SQL & PHP Injection Attacks Through Database

An injection attack is the process of submitting malicious functions & scripts via input form fields or other open fields/paths on your website.

Since WordPress is written in PHP & uses MySQL/MariaDB as its database, hackers try to enter malicious PHP/SQL scripts so that they get saved to & processed by the database.

Such scripts can be inserted via the open form fields available throughout your website, such as the contact form, newsletter signup, comments, etc.

SQL injection is one of the most critical security vulnerabilities in WordPress.

If your website fails to identify & filter such malicious data before saving it to the database, it becomes easy for hackers to eventually send scripts that request confidential information back or execute certain functions.

Man In The Middle Attacks

Man in the middle (MitM) attacks are attacks wherein the hacker positions themselves as an intermediary in the process of sending & receiving data.

In simple terms, this means trying to steal information while data travels from one point to another.

WordPress websites that are still running on HTTP are prone to man in the middle attacks.

This is because HTTP (HyperText Transfer Protocol) is basically a conversation between your web browser & the website server.

When you enter a website URL, your browser sends a request to the website server & fetches the required data.

Since HTTP is not an encrypted protocol, hackers can easily intercept the information shared between web browser & web server.

This means that even passwords are not secure. The straightforward solution to preventing MitM attacks is enabling the HTTPS protocol on your website.

Hacking Your Website: Testing Out If Your Website Is Vulnerable To Hackers

No website anywhere is completely secure.

So here’s the catch: reveal as little information about your website as possible, & you will be on the safer side.

Hiding potentially useful information about your website means preventing yourself from ending up on the shortlist after the hackers’ reconnaissance & scanning phase.

So you might be wondering: what kind of information are hackers looking for in order to shortlist weak websites?

  • Admin Username
  • Websites without HTTPS
  • Websites with outdated themes or plugins
  • Websites with potential open paths to inject malicious scripts

The best way to understand this is to run the same scans on your own WordPress website that real hackers out there are running with automated bots:

Test 1: WordPress enumeration via REST API

A WordPress installation by default includes a REST API that can be used to get the details of active users on a specific website.

REST stands for Representational State Transfer; it is a client-server style of interface that makes your website’s data available as a web service.

In simple terms, the REST API helps other applications/websites retrieve information available on your website without having to use a browser to access the website.

REST APIs can return the requested data in many formats, including plain text, HTML, JSON, XML, YAML, etc.

Taking data in JSON format as the example, you can check this yourself by entering this URL string after your website URL: /wp-json/wp/v2/users

Example – www.yourwebsite.com/wp-json/wp/v2/users

Similarly: https://sureshbhatt.net/wp-json/wp/v2/posts

What did you see? Did you see a blank page or a 404 page?

When a hacker sends a JSON request (www.yourwebsite.com/wp-json/wp/v2/users) to your website to get sensitive information, it should return a 404 error.

Or did you see this kind of information?

[Image: example of user data returned by the REST API, which can be used to attack a WordPress website]

If yes, you need to protect this information ASAP.

Don’t take this lightly. As you can see, this string can help hackers get information on registered users.

Here’s the fix; you can jump straight to it or continue reading this article to fix everything, including this.

Test 2: Monitoring WordPress Behavior

In this step, we’ll look for minor differences in how your WordPress login page responds to particular requests.

We perform this step to help you understand what minor pieces of information hackers try to gather, & how costly the leakage of these minor pieces of information can be in helping hackers gain access to your website.

Step 1: Go to your WordPress Login page & try entering a wrong username & dummy password.

See how WordPress responds to this & which error message it returns.

Step 2: Now enter the right username but a wrong password.

[Image: WordPress login response, used for security testing against brute force attacks]

As you can see, this returns the message “invalid username & password”. This means WordPress does not indicate that the username is correct but the password is wrong.

However, hackers have one more way to confirm this: they will try resetting your password.

Not to actually reset your password, but to keep your website on the list of sites where usernames are confirmed, so they can execute further steps.

[Image: WordPress forgot-password response for an unknown username, which can help hackers confirm the exact username]

But once the right username is guessed, this password reset form will confirm this to hackers.

[Image: WordPress forgot-password response when the right username is guessed]

However, in this case hackers need to act very fast right after this step,

because this will also send you a forgot-password link.

If you ever receive any such forget password email, don’t take it lightly.

Create a new & very strong password again immediately.

Depending on this response, attackers can determine the exact username, which can then be used to execute the next, larger hacking steps against your website.

This makes hackers one step closer to brute force attacking your Website.

Test 3: Checking If Any Directory Is Publicly Visible (wp-content & wp-plugins Indexing Status)

In this test we attempt to list the directory contents of the uploads & plugins folders, to determine whether directory indexing is enabled by default on your WordPress website.

This can lead to information leakage vulnerabilities that reveal sensitive information about your website configuration. If you can see a listing, disable it; on Apache this is done with `Options -Indexes` in your .htaccess file.

[Image: directory listing showing plugin & content enumeration on a WordPress site]

Test 4: Playing With Some Free WordPress Website Security Vulnerabilities Scanner

In this check, we will test our website for vulnerabilities using some plugins.

This test is to see if our website requires attention, because hackers use these tools or similar codes to detect potentially weak websites

WPIntel Chrome Extension

[Image: WPIntel, a free WordPress vulnerability scanner extension]

Pin this extension to your Browser & whenever you visit any website, this tool will scan websites & turn green if it detects any WordPress CMS.

You can use this tool to scan for possible vulnerabilities in your WordPress website & get them fixed as soon as possible.

Some things you can check for using this tool:

  • Version & Vulnerabilities
  • Themes & Plugin information
  • Username Enumeration
  • Scan for registered users details
  • Scan for path disclosure
[Image: the WPIntel tool]

This is one of the most well-known tools hackers use to find vulnerabilities in your website.

This tool helps them in their reconnaissance phase, when they are on their first step of gathering data from

There are other popular tools too you can easily find.

Test 5: Finding PHP or SQL Injection Vulnerabilities

Any input field on your website with a submit button is potentially vulnerable.

In this test, we will check for any open paths in our frontend that do not filter data before processing it & saving it to the database.

Create a list of all the places on your website from which data sent by a user from the frontend can be stored in your website database.

This could be:

  • Newsletter Form
  • Custom HTML form you might have created
  • Comments Section

Now test whether your website filters this data before sending it to the database.

Didn’t get what I mean?

What you need to do is try entering data in an improper format.

For example, in the phone number field, try entering text & a phone number longer than 10 digits. If the website accepts this data, the data is not being filtered properly, & hackers can inject malicious scripts into your database which can be executed in their next hacking steps.
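As an added illustration (not code from the original post), here is what "filtering before saving" looks like inside a hypothetical WordPress form handler: the first version accepts anything and pastes it into SQL, the hardened version validates the phone number the way Test 5 describes and uses a prepared statement. The function names, the `subscribers` table and the nonce name are assumptions.

```php
<?php
// Added example for a custom newsletter/contact form handler (hypothetical code).
// Assumes a form posting to admin-post.php with action=myblog_subscribe and a
// nonce field created by wp_nonce_field( 'myblog_subscribe', 'myblog_nonce' ).

// --- Vulnerable version: no validation, input concatenated into SQL ----------
function myblog_save_subscriber_unsafe() {
    global $wpdb;
    $name  = $_POST['name'];   // untrusted, stored as-is
    $phone = $_POST['phone'];  // untrusted: letters, quotes, 50 digits all accepted
    // A single quote inside $phone ends the string literal, so the rest of the
    // input is executed as SQL. This is the injection path Test 5 probes for.
    $wpdb->query( "INSERT INTO {$wpdb->prefix}subscribers (name, phone)
                   VALUES ('$name', '$phone')" );
}

// --- Hardened version --------------------------------------------------------
// Reject anything that is not a plausible phone number (exactly 10 digits here;
// adjust the length to your locale). Text or an 11th digit fails the check.
function myblog_validate_phone( $raw ) {
    return (bool) preg_match( '/^[0-9]{10}$/', (string) $raw );
}

function myblog_save_subscriber_safe() {
    global $wpdb;

    // 1. Only accept submissions that came from your own form (CSRF nonce).
    if ( ! isset( $_POST['myblog_nonce'] )
        || ! wp_verify_nonce( $_POST['myblog_nonce'], 'myblog_subscribe' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // 2. Validate and sanitise every field before it goes anywhere near the DB.
    $name  = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $phone = wp_unslash( $_POST['phone'] ?? '' );
    if ( $name === '' || strlen( $name ) > 100 || ! myblog_validate_phone( $phone ) ) {
        wp_die( 'Please enter a name and a 10-digit phone number.', '',
                array( 'response' => 400 ) );
    }

    // 3. Parameterise the query: $wpdb->prepare() escapes the values, so a quote
    //    or SQL keyword in the input is stored as plain text, never executed.
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}subscribers (name, phone) VALUES (%s, %s)",
        $name,
        $phone
    ) );

    wp_safe_redirect( home_url( '/?subscribed=1' ) );
    exit;
}

// Register the hardened handler for both logged-out and logged-in visitors.
add_action( 'admin_post_nopriv_myblog_subscribe', 'myblog_save_subscriber_safe' );
add_action( 'admin_post_myblog_subscribe', 'myblog_save_subscriber_safe' );
```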

How Can I Protect My WordPress Website from Hackers?

You’re not alone in this fight!

Hide Rest API

As we discussed above, REST API in WordPress can be used to get potentially sensitive information about your website.

To prevent this, you need to insert the following code into your theme’s functions.php file.

add_filter( 'rest_authentication_errors', function( $result ) {
  // Another authentication filter already produced a result (error or success): keep it.
  if ( ! empty( $result ) ) {
    return $result;
  }
  // Anonymous visitors get a 401 instead of any REST data.
  if ( ! is_user_logged_in() ) {
    return new WP_Error( 'rest_not_logged_in', 'You are not currently logged in.', array( 'status' => 401 ) );
  }
  // Logged-in users who are not administrators are refused as well. Note that this
  // also stops editors & authors from using the block editor, which talks to
  // WordPress through the REST API.
  if ( ! current_user_can( 'administrator' ) ) {
    return new WP_Error( 'rest_not_admin', 'You are not an administrator.', array( 'status' => 401 ) );
  }
  return $result;
});
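As an added, narrower alternative (example code written for this article, not the post’s own snippet): instead of switching off the whole REST API for logged-out visitors, remove only the user routes for them, so /wp-json/wp/v2/users answers with a 404 while contact-form and block-editor requests keep working. It goes into functions.php like the snippet above; the filter name is a real WordPress hook.

```php
<?php
// Added example: hide only the /wp/v2/users routes from logged-out visitors.
// The REST server treats a browser request without a valid nonce as logged out,
// so this applies to everyone who is not authenticated to the REST API.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints; // authenticated requests keep full access
    }
    foreach ( $endpoints as $route => $handlers ) {
        // Matches /wp/v2/users and every sub-route, e.g. /wp/v2/users/(?P<id>[\d]+)
        if ( strpos( $route, '/wp/v2/users' ) === 0 ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

After adding it, open /wp-json/wp/v2/users in a private browser window: the response should be a JSON error with code `rest_no_route` and status 404.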

Add Security Headers

When it comes to WordPress security, adding security headers to your website helps block attacks like script injection or man-in-the-middle attacks.

For example, there are many scripts hackers can use to access your website over HTTP even if you’ve configured SSL properly.

Below are some important security headers that we need to add to our website at the server level.

  • HTTP Strict Transport Security (HSTS) – Prevent your website from loading on HTTP
  • X-Frame-Options – Prevents cross-domain iframes or click-jacking
  • X-XSS-Protection – Blocks cross-site scripting
  • X-Content-Type-Options – blocks content mime-type sniffing.

We need to add these headers at the web server level, in the .htaccess file.

To do this, login to your cPanel & using File Manager, go to public_html > .htaccess

Add this piece of script inside this file & Save Changes.

<IfModule mod_headers.c>
  # HSTS: browsers remember to use HTTPS for one year; only sent on HTTPS responses
  Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
  # Legacy XSS filter header; current browsers ignore it, but it does no harm
  Header set X-XSS-Protection "1; mode=block"
  Header set X-Content-Type-Options nosniff
  Header set X-Frame-Options DENY
  # Header name and value are separate arguments (no colon after the name)
  Header set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>

Keep Everything Up To Date

Be it plugins, theme files, WordPress core update or anything else on your website.

Keep everything up to date. This is most important.

Outdated technology is very dangerous, & you should enable auto-updates for your WordPress website: core, themes & plugins.

Choose A Reliable & Trusted Hosting Partner

Did you know that security vulnerabilities in hosting services account for 41% of hacked WordPress websites?

This news is around 6-7 years old & the original author of this post has deleted the page.

But let me tell you why choosing a reliable hosting service is important:

  • Website Security – A reliable business means you are in the best hands, a good host will have a security firewall & other means to protect your website from getting hacked.
  • Just in case your WordPress website gets hacked, a good hosting provider will prioritize this situation to help you the best way they can
  • While performing certain functions to strengthen your website security, you would need to edit core files. Just in case something goes wrong & you lose access to your website, a reliable web host will not only make sure to fix the issues, but also educate you on what you’ve done wrong & what you should avoid in the future.

Cybersecurity is one of the biggest concerns in the tech world.

Let the professionals manage server security & other critical security measures while you focus on strengthening your WordPress website.

I personally use HostGator & have been associated with them as an affiliate partner.

Meaning, the hosting is reliable & if you sign up from here, I will get some commission that will help me keep this blog live 🙂

The tech support staff is really helpful & willing to provide you the best customer experience.

Bluehost is also good, but might be expensive for beginners.

Password Protect WordPress Admin Directory

This is a kind of two-factor authentication for logging in to your admin dashboard.

Just like your WordPress dashboard is protected with a password, you can add another layer of security by password protecting this directory itself.

That is, protecting the URL www.yourwebsite.com/wp-admin by asking a prompt before accessing the login page

[Image: a password-protected WordPress admin page, adding an extra layer of security to your WordPress website]

To do this, you need to login to your hosting cPanel account & locate Directory Privacy icon

[Image: the Directory Privacy icon in cPanel, used to password protect the wp-admin directory]

Locate wp-admin directory inside public_html & click on edit as shown below

[Image: enabling password protection on wp-admin]

[Image: final steps to password protect the WordPress admin directory]

Now save this & try logging into your dashboard in incognito mode.

Seeing “too-many-redirects” or “404” error after setting up password on wp-admin directory?

Try adding this piece of code to your .htaccess file inside cPanel of your hosting account:

public_html > .htaccess

ErrorDocument 401 default

Add this code before WordPress rules start

Click save & try now.

Seeing Admin ajax issue?

This means Ajax functionality is broken.

Locate wp-admin .htaccess file (This is different .htaccess file, not the one that we edited above) inside hosting cPanel

public_html > wp-admin > .htaccess

& paste the following code into it:

<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any 
</Files>

Hide /wp-admin URL & keep hackers away

The default WordPress installation settings invite security vulnerabilities to your Website.

One such vulnerability is the default login page URL, i.e. /wp-admin

You just need to add this at the end of website URL to get to the login page.

Hackers already know this & you must change this URL slug to keep hackers away from this page, which is a gateway to the core of your Website.

While this can also be done manually, you can also use WPS Hide Login plugin

Caution: It is important to backup your website before changing /wp-admin/ login URL, this is because in some cases, you may end up losing access to your website & locked out.

Limit Login Attempts

As the term suggests, limiting login attempts to your WordPress website keeps it secure from hackers trying to brute force attack your website.

By enabling this feature, you will be able to limit the number of failed login attempts.

Since a brute force attack needs to try a lot of combinations before guessing the right password, limiting login attempts makes sure that no bot can try more than three wrong credentials on your website.

WordPress Installation does not include this feature so we need to use a plugin for this.
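To show what such a plugin does under the hood, here is an added example (written for this article, not the post’s own code or any particular plugin): a minimal limiter built on WordPress transients and the real `wp_login_failed`, `authenticate` and `wp_login` hooks. The limits and the transient prefix are assumptions; real plugins add whitelists, notifications and proxy-aware IP handling.

```php
<?php
// Added example: limit failed logins per client IP using WordPress transients.
// Drop it into functions.php or a small plugin file.

define( 'MYBLOG_MAX_ATTEMPTS', 3 );      // the post's "no more than three wrong credentials"
define( 'MYBLOG_LOCKOUT_SECONDS', 900 ); // 15 minutes

// Key the counter on the client IP. Caveat: behind a reverse proxy or CDN,
// REMOTE_ADDR is the proxy's address, so every visitor would share one counter;
// in that setup use the client-IP header your proxy sets (and trust it only
// when the request really came from the proxy).
function myblog_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'myblog_login_fail_' . md5( $ip );
}

// Count every failed login. wp_login_failed fires for a wrong username as well as
// a wrong password, so the counter reveals nothing about which one was wrong.
// Each failure also renews the expiry, so hammering the form extends the lockout.
function myblog_record_failed_login( $username ) {
    $key      = myblog_client_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, MYBLOG_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'myblog_record_failed_login' );

// Once the limit is reached, return an error regardless of the credentials.
// Priority 30 runs after WordPress's own username/password check (priority 20),
// so the lockout error replaces a successful result too.
function myblog_check_lockout( $user, $username, $password ) {
    $attempts = (int) get_transient( myblog_client_key() );
    if ( $attempts >= MYBLOG_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'myblog_check_lockout', 30, 3 );

// A successful login clears the counter for that client.
function myblog_clear_failed_logins( $user_login, $user ) {
    delete_transient( myblog_client_key() );
}
add_action( 'wp_login', 'myblog_clear_failed_logins', 10, 2 );
```

Test it the way the post tests everything else: in a private window, enter three wrong passwords and confirm the fourth attempt is refused even with the correct password.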

Enable Two-Factor Authentication

Enabling two factor authentication adds an extra layer of security to your website.

Just in case an automated script is able to brute force login into your WordPress, your website will still be secure until hackers find a way to disable/exploit that specific plugin used for two factor authentication.

Almost every WordPress security plugin allows you to enable two factor authentication

Block Script Injections – PHP & SQL

As we know, WordPress is written in PHP & uses MySQL or MariaDB database.

This means hackers can potentially inject malicious SQL & PHP scripts to your website.

This can be done by sending requests from your website frontend or by tampering with PHP global variables (such as GLOBALS or _REQUEST) through the query string.

We’ve already run the test to see whether hackers have a way to inject scripts.

However, there is one more step that needs to be done: we need to block requests from outside our website that try to inject scripts or overwrite PHP globals through the URL.

To do this we need to add this script to our .htaccess file:

# BEGIN Protect Against Script Injections, Thank you Suresh
Options +FollowSymLinks
RewriteEngine On
# Query string contains <script ...> (URL-encoded or not)
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Query string tries to set the PHP GLOBALS or _REQUEST arrays
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Any match: answer 403 Forbidden and stop processing further rules
RewriteRule ^(.*)$ index.php [F,L]
# END Protect Against Script Injections, Thank You Suresh

You will find .htaccess file inside File Manager in your website cPanel.

Once you save this code to the .htaccess file, your web server will reject (with a 403 Forbidden) any request whose query string matches these patterns.

Just by adding this code, you are taking your WordPress security to the next level.

Disable Frontend Debugging Messages

Some WordPress themes come with debugging messages enabled on the frontend.

While developers use this feature to detect bugs, hackers can potentially use it to gather information which is then used to trick your WordPress system & gain unauthorized access to your website.

If you spot any debug messages on the frontend, place this code into the wp-config.php file:

define( 'WP_DEBUG_DISPLAY', false );

Disable File Editing – Theme Editor & Plugin Editor

WordPress comes with two useful features named “Theme Editor” & “Plugin Editor”.

These allow you to edit theme files & plugins directly from the WordPress dashboard, rather than manually editing them from cPanel.

However, this is a huge security vulnerability, & if you are not tech-savvy, it is recommended to turn it off.

To disable these features, you simply need to add the below piece of code to your wp-config.php file:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Use Recommended Security Plugins

Though I don’t want you to rely on plugins, because plugins can be exploited easily & also slow down your website.

But still, I am not an ethical hacker or security evangelist, so I would say install some security plugins that experts recommend on the internet.

But rest assured, if you wish to not use plugins, you can totally skip them, I’ve mentioned some good preventive measures to save your website from hackers.

Conclusion

As we all know, no security solution works 100%; this means we need to do our part as best we can.

To best protect your website against hacking, I would recommend you not just install plugins/firewalls etc., but understand how they actually work.

If you get to know only what I’ve explained in the post above, it will be easy for you to make smart decisions about your website security in the future.

Another important reason to understand this is that you don’t have to rely on plugins every time.

What’s important is to make hackers’ lives hard by not giving them the initial information their bots need about our website.

Everything else is handled by the great minds working behind the scenes to keep WordPress a happy place for all of us 🙂

I hope this article helped you understand WordPress security flaws & their fixes.

Do you think I missed adding any WordPress security vulnerability that hackers can potentially use to gain access to our website? Please let me know in the comment section 🙂
