Did you know that people are trying to break into your WordPress website basically all the time?
This comes as a shock to some – I’ve seen a few anxious requests for guidance from people who read their logs, and discovered that attacks were going on.
WordPress now runs around a quarter of all websites on the Internet. As such, it’s an attractive target for attackers – they can build tools which have a huge number of potential targets.
But, why do they want to do this anyway? Motives vary – there are indeed plenty of people who think that destroying things is fun. However, the main motive is a predictable one: profit. There’s money to be made.
This at first seems surprising – where’s the money to be made in my little blog, someone asks? After all, I don’t make any money from it myself – how can they?
Three main ways…
1. Computing power, “free” and anonymous
It’s not your website itself that the average attacker wants – they want the computer power of the webserver that it’s running on. They want the free electricity. This can be used to perform complex computations such as those used to “mine” digital currencies like Bitcoin – or simply to hide the hacker’s identity, whilst he uses a server that is not linked to his name, to perform other tasks.
2. Spam, spam, spam spam…
That computing power can also be used to churn out zillions of spam emails – again, for free (to the attacker), and in a way that’s hard to trace, since the emails will come from your server, not the attacker’s own computers. Since emails are quick and easy to send, often by the time it is spotted, the attacker has got his pay-off. Spam equals money – sadly, there are people who don’t immediately delete them, but who reward the evil business model. Website owners and hosting companies get to pay the bills, when the addresses of their servers get black-listed as spam sources, and time has to be invested in cleaning up.
Another way is to insert links into web pages, to websites selling things – like various pharmaceuticals. These links may not even be intended or visible for people to click on – they may be intended only to be visible to search engines, to help the destination websites move up the search rankings. Unscrupulous marketeers can find it much cheaper to buy space on a thousand hacked websites from shady operators, than to build up genuine interest in their products.
3. Serving up viruses
A hacked website can be modified to serve up viruses to its visitors – catching vulnerable visitors whose own security on their PC/Mac/etc. wasn’t up to date. Viruses then allow the visitor’s computer to be used for the same purposes – and some others. For example, some viruses will encrypt all your files, and decrypt them only upon payment of a ransom – i.e. “ransomware”. Or they may inject new adverts into every web page you visit, making money for either the sellers of advertising space, or the sellers of the advertised products. Or they may log clicks and key-presses on the computer, and capture valuable passwords by this method – e.g. online banking passwords.
Sadly, insecure websites are economically valuable. Weak passwords, un-updated plugins, etc., provide ways for the bad guys to use your computing resources, to make money. The costs of breaking in are less than the revenues they can make – so hacking is a profitable activity.
Conclusion: don’t say “my website’s not interesting to hackers – it’s just small, so I’m fine.” Much WordPress hacking is an automated activity. Other hacked websites are running code to try to automate the process of hacking yours, if you’re vulnerable. Everyone’s at risk, and everyone needs to keep on the ball. Future training articles will discuss how. But you won’t be surprised by rule number one: keep regular backups! ;-) Sadly, even if you follow all the rules, sometimes, hackers find a flaw before the good guys do, and begin taking over websites straight away. When that happens, you need a good backup. With a good backup, you can always recover: without one, you’re really in for a hard time to get back to where you once were.
David Anderson (founder, lead developer, UpdraftPlus).
Thanks for this. I’m definitely interested in learning more about how to best protect my sites against hackers as well as what I can do to “cleanse” a hacked site. I’ve seen their presence in my log files and I get notifications from gmail every day that suggest someone is spoofing the mail-server of one of my sites.
Great article David! I back up daily with Updraft Premium and it is one of the best investments in case of nefarious hackers. Would appreciate other ideas you might have to prevent hacking. I also downloaded “Random Password Generator” and change my 16-20 character password every week.
Very timely warning … does this imply Updraft Plus has a way to stop / fix / report hacker activity? Or, is it your future / imminent intention? Just that I recently updated to Premium and I don’t see this option – maybe I missed something? Will be very interested to find an answer to this. Have you any recommendations?
The only thing UpdraftPlus can currently do for you in this area is make sure you have a backup to deploy when it’s needed! We’re not planning to launch a security plugin; the article is more because it’s a similarish area – back-end management of your WP and keeping yourself safe, so we thought our users would find it useful and interesting.
Great article…makes total sense. In case you discover your site is infected, is there an easy way of knowing what backups are “clean”…or is it a matter of trial and error?
Best to consult with the web hosting company. Reading the logs, and examining the infected files, is the only way to work it out – and that’s a manual process that involves detective work, rather than something that can be done in an automated way.
One thing WordPress users can do to minimize the likelihood of being hacked is to make their admin username unguessable. Almost all of the notifications I receive regarding attempted hacking access show the hacker has tried the usernames ADMIN or NAMEOFBLOG (obviously, this refers to the name of the blog, not “NAMEOFBLOG”.)
It’s not really possible to make your admin username unguessable. WP doesn’t consider keeping usernames hidden to be part of its security model (and I agree) – and as a consequence, it’s very easy to enumerate a list of usernames on a WP site, e.g. https://hackertarget.com/wordpress-user-enumeration/. Keeping out automated hackers who only bother to attempt a couple of usernames is better than nothing, of course – but those guys can up their game with almost zero effort.
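The comments above mention seeing login attempts and username probes in the web server logs. As an added illustration (not code from UpdraftPlus or the article), the script below reads constructed Apache/nginx-style access log lines and flags the two patterns discussed: repeated POSTs to wp-login.php that get a 200 back (WordPress re-shows the form on a failed login, and redirects with 302 on success), and runs of /?author=N requests that walk through author IDs. The thresholds and sample addresses are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Combined log format as written by Apache and nginx on most WordPress hosts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not from any real server): one address hammering the
# login form, one walking author IDs, and one legitimate admin logging in.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2016:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2016:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2016:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2016:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2016:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2016:10:02:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.47"
198.51.100.9 - - [10/Feb/2016:10:02:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.47"
198.51.100.9 - - [10/Feb/2016:10:02:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/7.47"
192.0.2.44 - - [10/Feb/2016:10:03:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Feb/2016:10:03:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""


def analyse(log_text, login_threshold=5, enum_threshold=3):
    """Return {ip: [reasons]} for addresses whose behaviour looks automated."""
    failed_logins = defaultdict(int)  # POST /wp-login.php answered 200: form shown again
    author_probes = defaultdict(int)  # GET /?author=N: walking through user IDs
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m['ip'], m['method'], m['path'], int(m['status'])
        if method == 'POST' and path.startswith('/wp-login.php') and status == 200:
            failed_logins[ip] += 1
        elif method == 'GET' and re.search(r'[?&]author=\d+', path):
            author_probes[ip] += 1
    findings = defaultdict(list)
    for ip, n in failed_logins.items():
        if n >= login_threshold:
            findings[ip].append(f'{n} failed logins')
    for ip, n in author_probes.items():
        if n >= enum_threshold:
            findings[ip].append(f'{n} author-ID probes')
    return dict(findings)


if __name__ == '__main__':
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip, '->', '; '.join(reasons))
```

Point `analyse` at a real access log to get a quick list of addresses worth blocking or reporting to the host; the 200-versus-302 heuristic only applies to the standard wp-login.php form, so sites using a custom login page need a different signature.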