The open source nature of WordPress has one downside, and if you’re not careful it could ruin your online business. I know this because it happened to me. Just a few months ago, I had a hacker hijack a WordPress site that was consistently earning me several hundred dollars a month.
- Blocked all logins from my IP address
- Deleted 217 pages of content, including over 50 pages of premium membership content.
- Posted 182 spam articles on my site, all which were visible from the home page and which tanked my search engine rankings.
- Changed the admin account to their email so that I could not update my password OR get back into the site
Thankfully, with a little research and my newly acquired knowledge of PHP/MySQL programming, I discovered three easy-to-correct vulnerabilities that I now believe every WordPress blogger needs to know about…
#1: Vulnerability to “Brute Force” Logins
Brute force logins are also called “cracks.”
A crack is when a hacker builds a program that generates thousands of new random passwords per minute and attempts to login to your application by stumbling upon the right combination. For example, let’s assume the hacker already knows that your primary username is “admin.”
All they need to do is crack the password using their trusty automated crack program. The program might start out its first 10 attempts by inputting:
As you can imagine, this would take ages without the assistance of a computer. But even the most amateur hackers have access to cracking tools, so you need to make your site as “crack proof” as possible.
(More on that in a second)
#2: Vulnerability to DNS Snooping
If your domain is publicly listed (check with your domain host) and hosted on a shared server, any hacker can use whois.com to find out who you’re hosted with, as well as information about your DNS server AND what other sites are hosted on the same server as yours.
They can also ping your site for the IP address, feed it into sameip.org and come up with a list of the sites being co-hosted with yours.
If they can’t find a security hole in your WordPress site, they can still hack into the server if they find vulnerabilities on other sites hosted on the same server.
What they can do with this information will depend on their skill level and how much spare time they have between live action role playing games. Any reasonably experienced and moderately persistent hacker could:
1. Use SQL injections to insert content (blog posts, etc.) into your WordPress database and have it display on your WordPress site.
2. Drop (i.e. delete) your entire WordPress database.
3. Decode your users’ passwords (including yours) by reverse engineering the algorithm used to encrypt them.*
*Common encryption algorithms such as MD5 and SHA are used in WordPress scripts and are commonly known in the hacker world.
Again, we’ll cover a few precautions you can take to prevent this from happening, but it’s important that you know how your site may be at risk…
#3: Vulnerability to Plugin Hijacking
Right now you probably have at least a few WordPress plugins installed which are not up to date. Some of them aren’t even being updated by the developer anymore. This is a major security hole, especially if you’re receiving updates about the plugin through your WordPress dashboard.
Those updates are likely being reported to you by a script that’s running on your server called a “cron job.” If a hacker discovers the “doorway” which that script is using to communicate with your WordPress site, they can create their own scripts that can interact or make changes to your WordPress site.
How easy is this?
First, the hacker finds a couple of WordPress plugins which are known to be out of date and which (at least at one time) installed a cron job on the host server. Then, they use a search program (similar to a spider) to harvest all the WordPress sites that have that plugin currently installed.
Once they’ve got that information, they can use a vulnerability in the plugin itself to access your WordPress scripts and, in some cases, your configuration file.
From there, they’ve got a buffet of options for turning the WordPress site you’ve worked so hard to build into a cesspool of spam articles…or into a barren wasteland, devoid of all your well-written content.
So, now that I’ve got you scared and aware about these vulnerabilities, here’s what you can do about them…
Checklist for Closing Up Known WordPress Security Holes
- NEVER leave the generic username “admin” as your primary WordPress username; doing so makes it too easy to crack your WordPress admin password.
- Create an admin username and password which are less memorable, but more secure than your current ones. For example, instead of using something like your last name and date of birth, use a randomly generated password with numbers and letters and write it down somewhere that you can access it quickly.
- Don’t publicly display your WordPress username; create a nickname instead. You can do this from your WordPress profile in your admin dashboard.
- Limit the number of IPs users can login from in order to prevent brute force login attempts. Most WordPress membership plugins can do this, including the WPMU DEV plugins.
- Change your domain listing to private. If customers want to find out more about you and your company, create an information page for them.
- Get your own dedicated server as soon as financially possible.
- Have your web developer create a login script that limits failed login attempts and reports any suspicious logins to you. These are fairly easy to create; I built one in just 40 hours.
- Keep your WordPress plugins up to date with your current version of WordPress. Don’t use plugins which aren’t being maintained by the developer. I suggest becoming a Premium Member of WPMU DEV to permanently solve this problem.
- Avoid free WordPress themes and plugins at all costs, unless they’re being provided by someone who also sells premium products. People who are being paid for their work are more likely to stay on top of maintaining it. Again, I suggest you check out WPMU DEV.
- If at all possible, use a Gmail account for your admin login rather than one attached to your domain name. This way it will be harder for hackers to guess the primary admin email for your domain.
- Only run cron jobs which are 100% necessary for maintaining your WordPress site. Most cron jobs can be turned off from your cPanel; just make sure you don’t turn off one that you really need. See your web hosting company about this if you’re unsure.
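As an added illustration of the “login script that limits failed login attempts and reports suspicious logins” item above (example code written for this page, not the author’s own script or a WPMU DEV plugin), here is a small must-use plugin built on standard WordPress hooks. The thresholds, the placeholder notification address and the helper names prefixed `fll_` are assumptions; it counts failures per source IP in a transient, refuses further attempts once the limit is reached, and emails you once per window.

```php
<?php
/**
 * Plugin Name: Failed-login limiter (added example for this page)
 * Save as wp-content/mu-plugins/failed-login-limiter.php so it loads automatically.
 * Assumed values: 5 failures per 15-minute window, notification address below.
 */

const FLL_MAX_FAILURES = 5;                 // failures allowed per window (assumed)
const FLL_WINDOW_SECS  = 15 * 60;           // counter expires after 15 minutes (assumed)
const FLL_NOTIFY_EMAIL = 'you@example.com'; // placeholder: your own address

function fll_client_ip(): string {
    // Use the direct peer address. Do not trust X-Forwarded-For unless you sit
    // behind a proxy you control and have configured WordPress to use it.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function fll_transient_key(string $ip): string {
    return 'fll_fail_' . md5($ip);
}

// Count each failed attempt per source IP; the transient expires on its own.
add_action('wp_login_failed', function ($username): void {
    $ip    = fll_client_ip();
    $key   = fll_transient_key($ip);
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, FLL_WINDOW_SECS);

    if ($count === FLL_MAX_FAILURES) {
        // Report once per window, when the threshold is first reached.
        wp_mail(
            FLL_NOTIFY_EMAIL,
            'Repeated failed logins on ' . home_url(),
            sprintf("%d failed logins from %s (last username tried: %s)\n",
                    $count, $ip, sanitize_user((string) $username))
        );
    }
});

// Runs after WordPress's own credential check (priority 20): once an IP is
// over the limit, even a correct password is refused until the window expires.
add_filter('authenticate', function ($user, $username, $password) {
    $count = (int) get_transient(fll_transient_key(fll_client_ip()));
    if ($count >= FLL_MAX_FAILURES) {
        return new WP_Error('too_many_attempts',
            'Too many failed login attempts from your address. Try again later.');
    }
    return $user;
}, 40, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user): void {
    delete_transient(fll_transient_key(fll_client_ip()));
}, 10, 2);
```

Transients live in the database (or object cache), so the counter is shared across all PHP workers on the host rather than kept per process.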
Any more questions or comments?
Post them here. I check reader feedback every day.
Happy and safe blogging my friends!