Attackers are constantly developing new ways to target people. One of the favorite tactics we've seen from them over the last couple of years is that they find and break into vulnerable WordPress websites, then use the sites for phishing, distribution of malware, and command and control. Once the attackers break into the website, they load WordPress plugins that allow them to turn the site into a zombie and do with it what they like.
According to ManageWP.com, WordPress is the most used content management system for website creation, with a 59.4% market share. One of the main reasons for such a large adoption rate is that WordPress is very easy to set up and use. However, after initial deployment, many WordPress sites are not maintained, or are not run by people with honed technical skills, leaving them open to attack.
Plugins, themes, and even admin accounts offer vulnerabilities in WordPress websites that may be exploited, but how do attackers locate these vulnerabilities and embed code? It's fairly simple; there are numerous scanners that can be enabled to find website vulnerabilities. All a person has to do is purchase one online. Once the sites are found and a website exploited, the attacker has carte blanche access to load whatever content will make them the most money. Here are the latest trends we've been tracking regarding their money making activities.
For the last couple of years, the trend has been for an attacker to load exploit kits onto these hacked websites to find vulnerabilities in visitors' web browsers. These exploit kits fingerprint the browser and the operating system, slinging exploits at the browser until a vulnerability is discovered. Upon successful exploitation, a malware or ransomware payload is dropped. Once on the system, the payload begins its dirty work of giving control to the attacker.
In the last ten months, though, we've sensed a new trend. Attackers have backed off of these exploit kits in favor of harvesting clicks. Click harvesting is being done via a WordPress plugin loaded onto the hacked WordPress site. When a user accesses the hacked WordPress website, they are shown ads that, if clicked, make money for an attacker. Click harvesting is a simple-yet-effective way to increase advertising pay-per-click revenue that doesn't draw much attention from law enforcement.
Most recently, we've seen a marked trend in attackers breaking into WordPress websites and loading cryptocurrency miners. These types of attacks steal your computer cycles to make money mining Bitcoin for attackers, while also slowing your computer to a halt.
The most common way WordPress sites are hacked is through vulnerable WordPress core software or third-party plugins. This makes regular patching and updates our number one recommendation for securing WordPress. Check with your hosting provider to see what kinds of services they offer to keep your website up to date. If you're running WordPress as a standalone application, you'll need to pay attention to the WordPress Security blog.
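Keeping core and plugins current starts with knowing what is actually installed. The script below is an added example (not part of the original article, and not a WordPress.org tool): it reads `$wp_version` from `wp-includes/version.php` and the `Plugin Name:` / `Version:` header of each plugin, then flags anything behind a known-current version. The `latest` table and the sample file contents are constructed for the demo; in practice you would populate `latest` from the WordPress.org version-check and plugin-info APIs.

```python
import re
from pathlib import Path


def parse_version(s: str) -> tuple:
    """'4.9.4' -> (4, 9, 4); numeric compare so 4.10 > 4.9 (suffixes like -beta are ignored)."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def core_version(version_php: str):
    """Pull $wp_version out of the contents of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    return m.group(1) if m else None


def plugin_header(php_source: str):
    """Read 'Plugin Name:' and 'Version:' from a plugin's main-file header comment."""
    name = re.search(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", php_source, re.M)
    ver = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.M)
    return (name.group(1), ver.group(1)) if name and ver else None


def find_outdated(installed: dict, latest: dict) -> list:
    """Slugs whose installed version is behind the known-current one (unknown slugs are skipped)."""
    return sorted(s for s, v in installed.items()
                  if s in latest and v and parse_version(v) < parse_version(latest[s]))


def inventory(root: Path) -> dict:
    """Collect core and plugin versions from a WordPress install on disk (slug -> version)."""
    found = {}
    core = root / "wp-includes" / "version.php"
    if core.is_file():
        found["wordpress"] = core_version(core.read_text(errors="ignore"))
    plugins = root / "wp-content" / "plugins"
    for entry in (plugins.iterdir() if plugins.is_dir() else []):
        # Directory plugins keep the header in one of their top-level .php files;
        # single-file plugins (e.g. hello.php) are the file itself.
        files = sorted(entry.glob("*.php")) if entry.is_dir() else [entry]
        for php in files:
            if php.suffix == ".php" and (hdr := plugin_header(php.read_text(errors="ignore"))):
                found[entry.stem] = hdr[1]
                break
    return found


if __name__ == "__main__":
    # Constructed sample data; real values come from api.wordpress.org
    # (core/version-check/1.7/ and plugins/info/1.0/<slug>.json).
    latest = {"wordpress": "4.9.4", "demo-form": "2.1.0"}
    installed = {
        "wordpress": core_version("<?php\n$wp_version = '4.9.3';\n"),
        "demo-form": plugin_header("<?php\n/*\nPlugin Name: Demo Form\nVersion: 2.0.5\n*/")[1],
    }
    for slug in find_outdated(installed, latest):
        print(f"UPDATE NEEDED: {slug} {installed[slug]} -> {latest[slug]}")
```

Run `inventory(Path("/var/www/html"))` against a real install to build the `installed` map; the comparison deliberately treats `4.10` as newer than `4.9.4`, which a plain string compare would get wrong.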
Weak passwords are another common theme in WordPress attacks. Ensure that you are not logging into your WordPress site with "admin" as your password, and that everyone with access to WordPress is using a non-guessable, unique password. Also make sure that all admins enable two-factor authentication.
If you're looking for other security tips to keep attackers from taking control of your website, check out the Sucuri WordPress Security Guide for a comprehensive list.
If your WordPress website is hacked, you'll likely end up on Google's hacked website list. To get traffic flowing to your site again, there are a number of steps you can take. These steps include:
Take a look at Yoast COO Michiel Heijmans' post on Five Things to do after a Hack for details on each step.
Hacked WordPress sites are a liability that every security practitioner must be aware of. If your users visit sites hosted on WordPress, they are guaranteed to be served malicious content at some point. It's important to have layers of security controls in place to protect your users. Ensure your firewall or proxy rules are kept up to date with new information on domains that have been hacked, and that domains which have since been cleaned are removed. These hacked websites are another good reason why on-the-go users should always connect back to your corporate infrastructure via a VPN.
Hacked WordPress sites are not going away anytime soon. With some preparation you can keep both your company website and your users safe from this type of attack.
Learn about defending your organization from the latest vulnerabilities and exploits at InfoSec World 2018, being held March 19-21, 2018 in Orlando, FL.