Why Do WordPress Websites Get Hacked?

Have you ever wondered WHY someone would want to hack your website?

Not how, but why: why are sites targeted by hackers, and what is the point?

Why would someone want to hack, say, a Joe Schmoe’s site, a church, a non-profit or a fundraising website?

It’s Usually Not Personal

The majority of hacked websites are targeted by automated bots. A bot scans your website, finds a vulnerability, and adds your site to its list.

Next thing you know, your site’s been hacked.

Don’t get me wrong, there are absolutely hackers manually attacking websites for various personal and political reasons. Just know that the majority of attacks are not personal and your site got caught by a bot.

And once your site is on the bot’s target list, it will come back again and again to attack the site. So once you are hacked, you are at higher risk of being hacked again.

How do Bots find websites to target?

Again, with the understanding that these are programs designed to find vulnerabilities, there are plenty of resources for the developers of these bots to scrape from and add to their list of vulnerabilities.

Understanding Disclosures

One interesting thing about the internet and security is disclosures.

When a security professional identifies a vulnerability in an application, it is usually reported to the author of the application.

It is common to give the author 90 days to respond and fix the issue. Once those 90 days have passed (or the author has released an update that fixes the vulnerability), the vulnerability is disclosed publicly.

Vulnerabilities are Disclosed and CVEs Created

Usually the security professional posts about identifying the vulnerability on their own website or their company’s. The vulnerability is then vetted, possibly added to the National Vulnerability Database, and assigned a CVE (Common Vulnerabilities and Exposures) number.

Many times this also includes a POC (proof of concept) and can include simple code to actually exploit the vulnerability.

Don’t forget about underground hacker groups who know about these well before the CVE is created and disclosed to the public.

It’s interesting because once these are disclosed, a mass wave of infections begins to occur.

Unfortunately, what is the alternative? Not disclosing, and letting the vulnerability go unnoticed and unknown to the application’s authors, while also keeping it secret from firewall and security providers, corporations, individuals and so on?

It’s definitely not a perfect system, but it’s the best we have right now.

Once disclosed, the vulnerability is categorized and added to the known list of vulnerabilities.

For example, let’s say a new plugin vulnerability was disclosed. Hackers will add the vulnerability to their bots’ systems, which will then scan all of their known websites for the vulnerability and auto-exploit each one.

All this time the bots are finding new systems and searching for new websites. It’s an endless automated cycle.
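The scanning described above leaves a recognizable trace in a site's access log: one client asking for many plugin or theme directories that are not installed. The following detection sketch is an added example, not part of the original article; it assumes Combined Log Format, and the log lines, IP addresses and plugin names are constructed.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
# Component slug from /wp-content/plugins/<slug>/... or /wp-content/themes/<slug>/...
SLUG_RE = re.compile(r'^/wp-content/(plugins|themes)/([^/?]+)/')

# Constructed sample: 203.0.113.7 behaves like a scanner, 198.51.100.20 like a visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:04:12:01 +0000] "GET /wp-content/plugins/example-gallery/readme.txt HTTP/1.1" 404 512 "-" "scanner/1.0"',
    '203.0.113.7 - - [10/Mar/2024:04:12:01 +0000] "GET /wp-content/plugins/example-forms/readme.txt HTTP/1.1" 404 512 "-" "scanner/1.0"',
    '203.0.113.7 - - [10/Mar/2024:04:12:02 +0000] "GET /wp-content/plugins/example-slider/readme.txt HTTP/1.1" 404 512 "-" "scanner/1.0"',
    '203.0.113.7 - - [10/Mar/2024:04:12:02 +0000] "GET /wp-content/themes/example-theme/style.css HTTP/1.1" 404 512 "-" "scanner/1.0"',
    '198.51.100.20 - - [10/Mar/2024:09:30:11 +0000] "GET /wp-content/plugins/contact-box/css/form.css HTTP/1.1" 200 2048 "https://example.org/" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2024:09:30:12 +0000] "GET /wp-content/plugins/old-widget/icon.png HTTP/1.1" 404 512 "https://example.org/" "Mozilla/5.0"',
]

def find_plugin_probers(lines, min_missing=3):
    """Return {ip: sorted components} for clients that requested at least
    min_missing distinct plugin/theme directories that answered 404.

    A normal visitor only loads assets of installed components, so a spread
    of 404s across many different slugs points to a bot testing a list."""
    missing = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path, status = m.groups()
        slug = SLUG_RE.match(path)
        if slug and status == "404":
            missing[ip].add(f"{slug.group(1)}/{slug.group(2)}")
    return {ip: sorted(s) for ip, s in missing.items() if len(s) >= min_missing}

if __name__ == "__main__":
    for ip, components in find_plugin_probers(SAMPLE_LOG).items():
        print(f"{ip} probed {len(components)} missing components: {', '.join(components)}")
```

The flagged addresses are candidates for a firewall block rule, and the probed names show which plugins the bot's list currently targets.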

WordPress is a target for Hackers

WordPress, being the most widely used CMS, is highly subject to attacks just by the sheer number of websites using it.

This also means it has a massive number of 3rd party Themes and Plugins, and not all of their authors (most are not) are security conscious.

Just having more than one plugin, even if the plugin itself is secure, can allow another plugin to become vulnerable.

Most WordPress websites have multiple plugins, with some sources saying the average number of plugins a site uses is between 20 and 50!

That’s a lot of opportunity for one of those plugins to have a vulnerability!

All of this makes WordPress a prime target for hackers.

So what’s the point of hacking a website?

An interesting question: why do hackers and bots hack websites? I think there are the obvious cases, such as ecommerce sites, where the goal is to steal credit card and personal information.

But what about those other sites, the ones not collecting credit cards, the ones who just want to tell you the best local fishing hole?

The fact of the matter is, the groups creating the bots don’t care who or what you are; you were caught by their bot.

The Number 1 Reason sites get hacked is to steal credit card and personal information.

This includes stealing traffic and redirecting it to shady sites, which then steal your credit card information, your personal information and your money if you place an order.

That’s why you’ll find a lot of malware infections around the pharmaceutical industry.

Hackers will create fake websites for prescription drugs and use the sites they hack to redirect traffic to their own temporary spam sites.

When someone places an order, they steal the credit card information and take the money.

Sometimes they’ll just add the pages to order right on your website as well.

Many of these hacks will create hundreds or thousands of spammy pages on the sites they hacked. Google then indexes the site and you end up with thousands of spammy SEO listings all tied to your site.

The Number 2 Reason sites get hacked is to create botnets.

Not only do botnets help the hackers stay anonymous, selling botnet access to other groups also makes easy money.

When a large number of websites are hacked, the hackers can control these systems to do a number of things.

One example is a DDoS (Distributed Denial of Service) attack. When you control many computer systems, you can attack one target from all of these systems, disrupting service to that system.

You’ll find this often in online gaming. You can easily DDoS someone now for a few bucks, and you’ll find these offers available on many underground forums.

Renting the botnet out to other hackers is also done, again to keep anonymity when those hackers are manually or automatically hacking more systems.

I’m sure you’ve seen in movies where there’s a hacker, and they start talking about proxies.

“We’re trying to pin-point his coordinates but the connection is bouncing off multiple proxies in Berlin, Moscow, Virginia, give me just a few more minutes to identify the source!”

The Number 3 Reason sites get hacked is for Notoriety

We won’t elaborate too much on this, but some people think it’s cool to deface a website and put up their logo or alias.

Yes, these are usually teenagers who are learning how to hack and end up practicing their skills on unfortunate websites.

They’ve read a few things online, they’ve gotten access to a server, and they deface your website.

Protecting your WordPress website from hackers

Don’t worry, it’s not all doom and gloom. Knowing that the majority of attacks are not targeted but come from automated bots crawling the web, there are a few simple things you need to do to prevent the majority of hacks.

Always use a Web Application Firewall

Cloudflare and Imperva are the most well known and popular web application firewalls.

A web application firewall is different than a security plugin such as Wordfence and offers better outside protection.

The reason is, web application firewalls work at the DNS level. They are configured in DNS, which means the IP address your site is hosted on will no longer be visible from the outside.

The firewall filters the traffic before it reaches your site, automatically blocking the majority of the automated bots before they even have a chance to test your website for vulnerabilities.

So if you don’t already have a firewall set up, make it the next thing you do. Cloudflare is recommended since they offer a completely FREE cloud-based DNS firewall.

Always keep WordPress, Themes and Plugins up to date

Log in to your WordPress Admin and make sure themes and plugins are the latest versions.

Use our Free WordPress Theme, Plugin and Security Scanner to check for any known security issues.

Remove any unused or deactivated plugins

Even if themes or plugins are not activated, they can contain vulnerabilities which can be exploited and allow your site to be hacked.

Make sure you go through and delete any non-active Themes and plugins.
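Both checks above (out-of-date components and inactive ones) can be run from the command line with WP-CLI's `wp plugin list` and `wp theme list`. The script below is an added example, not part of the original article; it assumes WP-CLI is installed when pointed at a real site, and the sample entries and their names are constructed.

```python
import json
import subprocess
import sys

# Constructed samples of `wp plugin list --format=json` and
# `wp theme list --format=json` output; all names are hypothetical.
SAMPLE_PLUGINS = json.loads("""[
 {"name": "contact-box", "status": "active",   "update": "available", "version": "2.1.0"},
 {"name": "old-widget",  "status": "inactive", "update": "available", "version": "0.9.3"},
 {"name": "site-cache",  "status": "active",   "update": "none",      "version": "4.0.2"}
]""")
SAMPLE_THEMES = json.loads("""[
 {"name": "shop-child",  "status": "active",   "update": "none",      "version": "1.0.0"},
 {"name": "shop-base",   "status": "parent",   "update": "available", "version": "3.2.0"},
 {"name": "starter-old", "status": "inactive", "update": "none",      "version": "1.4.0"}
]""")

def plan_cleanup(items):
    """Split WP-CLI list entries into components to delete and to update.

    Only status "inactive" is marked for deletion: a theme with status
    "parent" is required by the active child theme and must stay. Inactive
    components are deleted rather than updated."""
    delete = sorted(i["name"] for i in items if i["status"] == "inactive")
    update = sorted(i["name"] for i in items
                    if i["status"] != "inactive" and i["update"] == "available")
    return {"delete": delete, "update": update}

def wp_list(kind, path):
    """Run `wp plugin list` or `wp theme list` against the install at path."""
    out = subprocess.run(["wp", kind, "list", "--format=json", f"--path={path}"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)

if __name__ == "__main__":
    # With a WordPress path argument, query the real site; otherwise use the samples.
    if len(sys.argv) > 1:
        data = {k: wp_list(k, sys.argv[1]) for k in ("plugin", "theme")}
    else:
        data = {"plugin": SAMPLE_PLUGINS, "theme": SAMPLE_THEMES}
    for kind, items in data.items():
        plan = plan_cleanup(items)
        print(f"{kind}s to delete: {plan['delete']}")
        print(f"{kind}s to update: {plan['update']}")
```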
