If you’re a business owner with a WordPress website, you’re probably already aware that it’s important to keep your website secure. Maybe you’ve already taken a cybersecurity course, or have put policies in place to ensure that your employees are using good login etiquette: sufficiently complex passwords, a password storage solution, two-factor authentication, and so on.
It’s important to keep your website secure, and we find people are more motivated to adopt good website security practices when they understand exactly why those practices are a good idea. The why is really a story of intent. Why would someone want to hack your WordPress website in the first place?
As of this article’s publication (October 2021), WordPress powers nearly 40 percent of the internet — about 455 million individual sites. Some of those sites are highly secure; a lot of them aren’t. But if hackers are looking to break into a website or steal information, they know that there are plenty of WordPress-powered targets out there.
WordPress is open-source software. Open-source means that the source code is “open” — that is, freely available to anyone who wants to view it. This is in contrast to proprietary software, like the kind developed by Apple, for example. Proprietary software is private intellectual property, and is therefore only visible to certain company employees and stakeholders.
Software updates and patches for WordPress plugins, themes, and core files are often released because someone finds a vulnerability: a hole in the code through which a hacker or virus could access sensitive data or make changes.
The nature of open-source software means that these vulnerabilities become public knowledge quite quickly — when WordPress or an independent plugin developer provides release notes for a software update, those notes effectively provide a road map for hackers who want to exploit a vulnerability. This is why it’s so important to keep all of your WordPress plugins, themes, and core files up-to-date. By installing updates as soon as they come out, you’re staying one step ahead of hackers. This assumes, of course, that you already have a solid server managed by a reputable hosting company, with a firewall, CDN, strong passwords, backups, monitoring and all the rest.
First, online threat actors will look for sites that have a specific vulnerability. In this first stage, it’s probably not going to be a real person poking around your site. It’s usually a bot or script that is scanning the web, looking for known vulnerabilities in sites. We routinely see this in firewall logs: the same IP address querying a series of odd URL strings and parameters. This kind of traffic gets blocked by our firewall, but similar traffic often goes unnoticed by websites that are not actively managed.
When that automated script brings back the address of a vulnerable site, then another script or a human will take over. At this point, the hacker knows the site is vulnerable, so they’ll start prodding at the code, trying to find their way in.
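The scanning traffic described above leaves a recognisable footprint in access or firewall logs: one client address requesting a run of URLs that ordinary visitors never ask for, most of them returning 404 or 401, all within a few seconds. The script below is an added example (not code from the original article or from any product it mentions) that parses a handful of constructed Apache-style log lines and flags clients that fit that pattern. The sample lines, the documentation-range IP addresses and the list of probe paths are assumptions chosen for illustration; the thresholds are starting points to tune against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not real traffic).
# 203.0.113.7 plays the role of an automated vulnerability scanner and
# 198.51.100.4 an ordinary visitor; both are documentation-range addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2021:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3011 "-" "python-requests/2.25"
203.0.113.7 - - [12/Oct/2021:10:01:03 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "python-requests/2.25"
203.0.113.7 - - [12/Oct/2021:10:01:03 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.25"
203.0.113.7 - - [12/Oct/2021:10:01:04 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.25"
203.0.113.7 - - [12/Oct/2021:10:01:04 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 401 77 "-" "python-requests/2.25"
203.0.113.7 - - [12/Oct/2021:10:01:05 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.25"
198.51.100.4 - - [12/Oct/2021:10:02:10 +0000] "GET / HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Oct/2021:10:02:11 +0000] "GET /wp-content/themes/example/style.css HTTP/1.1" 200 8020 "https://example.com/" "Mozilla/5.0"
198.51.100.4 - - [12/Oct/2021:10:02:30 +0000] "GET /about/ HTTP/1.1" 200 9811 "https://example.com/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths that ordinary visitors almost never request but automated WordPress
# scanners probe routinely (login, XML-RPC, plugin readmes, user enumeration,
# stray dotfiles). Assumed list; extend it from your own firewall logs.
PROBE_PATTERNS = [
    re.compile(p)
    for p in (
        r"^/xmlrpc\.php",
        r"^/wp-login\.php",
        r"^/wp-content/plugins/[^/]+/readme\.txt$",
        r"^/\?author=\d+",
        r"^/wp-json/wp/v2/users",
        r"^/\.env$",
    )
]


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records


def is_probe(path):
    return any(p.search(path) for p in PROBE_PATTERNS)


def find_scanners(text, min_probe_paths=3, min_requests=5, max_error_ratio=0.5):
    """Group requests by client IP and flag clients that look like scanners.

    A client is flagged when it requests at least `min_probe_paths` distinct
    probe URLs, or when it makes at least `min_requests` requests of which a
    fraction >= `max_error_ratio` return 4xx/5xx (a script guessing URLs that
    do not exist on this site).
    """
    by_ip = defaultdict(list)
    for rec in parse_log(text):
        by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        probe_paths = {r["path"] for r in recs if is_probe(r["path"])}
        errors = sum(1 for r in recs if r["status"] >= 400)
        times = [r["time"] for r in recs]
        reasons = []
        if len(probe_paths) >= min_probe_paths:
            reasons.append("probe_paths")
        if len(recs) >= min_requests and errors / len(recs) >= max_error_ratio:
            reasons.append("error_ratio")
        if reasons:
            flagged[ip] = {
                "requests": len(recs),
                "probe_hits": sum(1 for r in recs if is_probe(r["path"])),
                "distinct_probe_paths": sorted(probe_paths),
                "errors": errors,
                "span_seconds": (max(times) - min(times)).total_seconds(),
                "user_agents": sorted({r["ua"] for r in recs}),
                "reasons": reasons,
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG).items():
        print(ip, info["reasons"], f"{info['probe_hits']} probe hits in {info['span_seconds']:.0f}s",
              info["user_agents"])
```

On the sample, only the scanner address is reported (six probe hits in about three seconds, with a scripting user agent), while the visitor that loads a page, a stylesheet and an inner page is left alone. The same per-client grouping is what a managed firewall does continuously; running it over your own logs shows how much of this traffic an unmanaged site quietly absorbs.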
The motivation for doing this varies depending on the type of actor in question. We’re not cyber security consultants or IT forensic analysts, so we’ll gladly defer debates about the types of hackers to those experts. But there are a few major categories that we are aware of and watch out for with regard to WordPress websites.
Now you know how vulnerabilities can arise and be exploited in a WordPress site — but who is it, really, that’s trying to exploit them? Are you imagining a hooded figure, typing furiously on a laptop in a darkened room? The term “hackers” gets thrown around as a catch-all, but it’s actually a bit more complicated.
Entities — whether human or software — that try to do bad things to websites are often referred to by cybersecurity experts as “threat actors”. There are many different kinds of threat actors, but we can group them into a handful of rough categories, as follows:
White hat hackers, also called “ethical hackers”, are typically consultants or companies that are paid by organizations to look for and expose vulnerabilities. They are paid and authorized to do this work within the bounds set out by the organization employing them. They do good work, as they help protect companies from cybercrime. We greatly appreciate and respect companies like Wordfence and Sucuri for the work they do. So white hat hackers aren’t a concern at all. Moving on…
Black hat hackers are the opposite of white hat hackers. They seek to gain access to organizations’ systems and data without authorization, which is a crime. The various methods that they use to get into these websites are also usually criminal in nature. Once they have access to a WordPress website, black hat hackers will use it for personal gain. There are many ways they can do this, such as:
Essentially, anything that is in your website that is not publicly accessible and that has intrinsic value to you or another entity is something that could be targeted. If a hacker knows that you don’t have backups, your own website becomes a potential ransom target. Don’t be fooled into thinking you’re safe just because your business is small, or because you’re located in North America. Your website may still be worth targeting.
As an aside, you might also hear of “gray hat hackers”. These are the same as black hat hackers in that they aren’t authorized to access websites, and may use illegal means to gain that access. Gray hat hackers, however, aren’t usually interested in financial gain so much as they are in the thrill of finding cracks in your defenses.
There are other colours of hackers: green, blue, and red. These are all subsets of the above three groups, categorized by whether or not they have permission to access a site, and by what they tend to do when they gain access. For example, blue hats are well known for their work in helping companies like Microsoft find vulnerabilities in unreleased products. Green hats are newbies. Red hats are vigilantes. They combat black hats, but their methods are still unethical.
Ransomware is the bread and butter of black hat hackers. You’ve probably heard of ransomware — usually, this is a worm or virus that finds its way onto your computer and holds it “ransom” by locking users out and encrypting all of their data. The threat actors in these cases will usually demand a payment (a bank or bitcoin transfer, perhaps) in exchange for restoring access to the computer.
While this is a more common challenge for our IT partners, we still want to comment on it here because a link injected into a website could lead to ransomware that infects devices. With that in mind, please make sure that you have backups in place and have talked to an IT professional to help protect your company and computers from this ever-increasing threat.
So-called kiddie hackers or “script kiddies” are the least sophisticated group, but as a threat to your business they should be taken no less seriously. They are similar to vandals — they’re often people who download pre-written malicious scripts off the dark web and use them more or less for a laugh.
Kiddie hackers are generally not organized or skilled enough to pull off a ransom attack or a major information breach. They’ll stick to doing things like altering a website’s code, replacing website images or text with profanity or foreign-language content, or redirecting site visitors to phishing sites or illegal ecommerce. Sometimes, it’s just a game.
Regardless, this can be both annoying and embarrassing for companies, and can result in lost business and damage to a brand’s reputation or trustworthiness.
Hacktivists are people or groups (such as Anonymous) who go after large corporations or governments that are operating in unethical, underhanded ways. These hackers see themselves as Robin Hood-esque figures.
The general goal of these groups is to keep corruption in check, and they perceive themselves as working toward a greater societal good, by exposing the misdeeds of billionaires, monopolistic corporations, and corrupt government officials. The information they gain is often tied to a political or social cause.
The internet is not only big business — it’s a political platform as well. So it should come as no surprise that a lot of political subterfuge happens in the form of hacking and malware.
Some hackers are doing the work of foreign agents, messing with websites and online infrastructure in order to push a certain state’s agenda. Russian hackers, for example, have reportedly been working for years to manipulate American politics, and there are many similar campaigns going on throughout the world. Like the Robin Hood hackers, these threat actors aren’t so much interested in petty theft or vandalism as in large-scale social engineering.
This last group, insiders, is only worth mentioning because they work for the organization that is being breached. Insiders are most often motivated by a personal grudge, or because they have information about unethical or illegal activities within the organization.
Hacktivist and state-sponsored threats are generally outside the scope of what we deal with — we don’t do business with organizations in industries known for corruption, and threats at the state level are best dealt with by government authorities.
The threats that we do have to be cognizant of are black hat hackers, ransomware, and kiddie hackers. We’ve seen websites get taken offline, or have their traffic redirected to suspicious URLs. In particularly insidious cases, users can get redirected to a website that, at a glance, looks exactly like the site that they were intending to visit, but that is designed to trick them into providing personal information.
Sometimes kiddie hackers and similar threat actors will try to steal information by sneaking something into the code of a website. Just like credit card skimmers which can be installed on ATMs and gas station card readers, bits of code that capture entered credit card information can be hidden in websites, skimming your personal financial information from transactions that are otherwise above board.
Links to scam websites can also be embedded in the content of a legitimate site. These types of embedded links not only hurt users, but they can get your website blacklisted if Google finds a link between your site and a suspicious domain.
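Both of the problems just described, skimming code slipped into a page and links to scam domains planted in legitimate content, show up in the rendered HTML as references the site owner never added: a script loaded from an unfamiliar host, a link hidden from view with CSS, or an inline script built from decoding and eval calls. The audit below is an added example (not code from the original article or from any product it mentions) that parses a constructed page fragment and reports anything outside an assumed baseline of domains the site is known to use. The sample HTML, the `*.example.test` hosts playing the injected domains, and the `ALLOWED_DOMAINS` baseline are all assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed page fragment standing in for a site's rendered HTML. The
# "*.example.test" hosts play the role of unexpected, injected domains.
SAMPLE_HTML = """\
<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script src="https://static.attacker-example.test/loader.js"></script>
<script>
  var k = atob("Zm9v");
  document.querySelector("form").addEventListener("submit", function () {});
</script>
</head><body>
<a href="/about/">About</a>
<a href="https://partner.example.org/">Partner</a>
<a href="https://unknown-sponsor.example.test/">Sponsor</a>
<div style="display:none"><a href="http://cheap-pills.example.test/">buy</a></div>
<form action="https://pay.example.com/checkout"><input name="card"></form>
</body></html>
"""

# Domains the site owner knows the page legitimately references (assumed baseline).
ALLOWED_DOMAINS = {"example.com", "partner.example.org"}

HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{4,}px", re.I)
# Calls found in most packed or obfuscated payloads. Legitimate code uses them
# too, so a match is a review trigger rather than proof of compromise.
OBFUSCATION_RE = re.compile(r"\b(eval|atob|unescape|String\.fromCharCode)\s*\(")


def host_allowed(url, allowed):
    """Relative URLs and allow-listed hosts (or their subdomains) are fine."""
    host = urlsplit(url).hostname
    if host is None:
        return True
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


class InjectionAuditor(HTMLParser):
    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed
        self.findings = []
        self.stack = []          # (tag, is_hidden) for currently open elements
        self.in_script = False
        self.script_text = []

    def _hidden(self):
        return any(h for _, h in self.stack)

    def _external(self, kind, url):
        if not host_allowed(url, self.allowed):
            self.findings.append({"kind": kind, "url": url, "host": urlsplit(url).hostname})

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.stack.append((tag, bool(HIDDEN_RE.search(a.get("style") or ""))))
        if tag == "a" and a.get("href"):
            if self._hidden():   # a link no visitor can see is suspicious whatever it points at
                self.findings.append({"kind": "hidden_link", "url": a["href"],
                                      "host": urlsplit(a["href"]).hostname})
            else:
                self._external("external_link", a["href"])
        elif tag in ("script", "iframe") and a.get("src"):
            self._external("external_" + tag, a["src"])
        elif tag == "script":    # inline script: collect its body for inspection
            self.in_script, self.script_text = True, []
        elif tag == "form" and a.get("action"):
            self._external("external_form", a["action"])   # form posting off-site

    def handle_endtag(self, tag):
        while self.stack:        # pop through unclosed void elements such as <input>
            if self.stack.pop()[0] == tag:
                break
        if tag == "script" and self.in_script:
            m = OBFUSCATION_RE.search("".join(self.script_text))
            if m:
                self.findings.append({"kind": "obfuscated_inline_script", "url": None,
                                      "host": None, "call": m.group(1)})
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.script_text.append(data)


def audit_html(html, allowed=ALLOWED_DOMAINS):
    """Return findings: off-baseline script/iframe/form/link targets, hidden
    links, and inline scripts that use obfuscation-style calls."""
    p = InjectionAuditor(allowed)
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML):
        print(f["kind"], f.get("host") or f.get("call"), f["url"] or "")
```

On the sample it reports the loader fetched from the unknown host, the inline script that decodes and attaches to the checkout form, the hidden link, and the visible link to an unlisted domain, while the first-party CDN, the known partner and the payment gateway pass. Run against a page fetched from your own site on a schedule, a non-empty result is an early warning that content has been altered, well before a search engine flags the domain.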
Ecommerce sites that process credit card transactions need to be Payment Card Industry (PCI) compliant. PCI compliance is a standard governing how credit card data is encrypted and handled in online transactions. It ensures that credit card information is processed through a completely secure gateway, and that the information is not exposed to anyone other than the user.
This is why we don’t offer a lower-tier security plan for ecommerce websites — if you own an ecommerce site, you understand the need for more thorough security measures.
The majority of the traffic you’ll encounter on the internet is good, but it’s important to be cognizant of the bad traffic — not only in terms of what to look for, but in terms of what can happen if you’re lax with your security measures. Keeping your WordPress website updated, and investing in security measures like firewalls and monitoring are some of the best ways to keep your data safe.
If you have any concerns about the security of your WordPress website, please don’t hesitate to contact us.
We shared this article on LinkedIn on Nov 25. Anwar Visram of Visram Security was kind enough to write an email suggesting another reason why someone might want to hack your WordPress website. Anwar pointed out that “hackers often want to gain access to websites as a ‘launching’ pad to target other companies as a way to hide their tracks”. This is very true. Imagine a scenario where you are a small supplier to a much larger company. Your site may not be the target. The larger company is the target. But, a hacker might infiltrate your site as a means to access some information related to that larger company. Or worse, they might even inject something into your site knowing that someone from that larger company may click, download or interact with something within or sent by your website (yes, poorly managed websites can send emails to unsuspecting users). You are a trusted supplier to this larger company. So, the staff at that larger company might not be as diligent when on your site or reading emails from your company. This is why larger companies will often demand that suppliers provide information about their security and business continuity practices before hiring them. Secure suppliers get hired!