Did you know, that people are trying to break into your WordPress website basically all the time?

This comes as a shock to some – I’ve seen a few anxious requests for guidance from people who read their logs, and discovered that attacks were going on.

WordPress now runs around a quarter of all websites on the Internet. As such, it’s an attractive target for attackers – they can build tools which have a huge number of potential targets.

But, why do they want to do this anyway? Motives vary – there are indeed plenty of people who think that destroying things is fun. However, the main motive is a predictable one: profit. There’s money to be made.

This at first seems surprising – where’s the money to be made in my little blog, someone asks? After all, I don’t make any money from it myself – how can they?

Three main ways…

1. Computing power, “free” and anonymous

It’s not your website itself that the average attacker wants – they want the computer power of the webserver that it’s running on. They want the free electricity. This can be used to perform complex computations such as those used to “mine” digital currencies like Bitcoin – or simply to hide the hacker’s identity, whilst he uses a server that is not linked to his name, to perform other tasks.

2. Spam, spam, spam spam…

That computing power can also be used to churn out zillions of spam emails – again, for free (to the attacker), and in a way that’s hard to trace, since the emails will come from your server, not the attacker’s own computers. Since emails are quick and easy to send, often by the time it is spotted, the attacker has got his pay-off. Spam equals money – sadly, there are people who don’t immediately delete them, but who reward the evil business model. Website owners and hosting companies get to pay the bills, when the addresses of their servers get black-listed as spam sources, and time has to be invested in cleaning up.

Another way is to insert links into web pages, to websites selling things – like various pharmaceuticals. These links may not even be intended or visible for people to click on – they may be intended only to be visible to search engines, to help the destination websites move up the search rankings. Unscrupulous marketeers can find it much cheaper to buy space on a thousand hacked websites from shady operators, than to build up genuine interest in their products.

3. Serving up viruses

A hacked website can be modified to serve up viruses to its visitors – catching vulnerable visitors whose own security on their PC/Mac/etc. wasn’t up to date. Viruses then allow the visitor’s computer to be used for the same purposes – and some others. For example, some viruses will encrypt all your files, and decrypt them only upon payment of a ransom – i.e. “ransomware”. Or they may inject new adverts into every web page you visit, making money for either the sellers of advertising space, or the sellers of the advertised products. Or they may log clicks and key-presses on the computer, and capture valuable passwords by this method – e.g. online banking passwords.

Sadly, insecure websites are economically valuable. Weak passwords, un-updated plugins, etc., provide ways for the bad guys to use your computing resources, to make money. The costs of breaking in are less than the revenues they can make – so hacking is a profitable activity.

Conclusion: don’t say “my website’s not interesting to hackers – it’s just small, so I’m fine.” Much WordPress hacking is an automated activity. Other hacked websites are running code to try to automate the process of hacking yours, if you’re vulnerable. Everyone’s at risk, and everyone needs to keep on the ball. Future training articles will discuss how. But you won’t be surprised by rule number one: keep regular backups! ;-) Sadly, even if you follow all the rules, sometimes, hackers find a flaw before the good guys do, and begin taking over websites straight away. When that happens, you need a good backup. With a good backup, you can always recover: without one, you’re really in for a hard time to get back to where you once were.

David Anderson (founder, lead developer, UpdraftPlus).