As a WordPress website owner, you already know that security plays a big role in keeping your operations safe from hacks and malicious attacks. But how do websites get hacked exactly? What is the process by which hackers attempt, and often succeed, in taking down WordPress sites with their attacks?
Even though the web has grown by leaps and bounds in the past few decades, not much has changed in how websites are hacked by bad actors. And the most important thing you can do to keep your site and visitors safe is to fully understand what these unchanging threats are, so that you can stay a step ahead of them.
In this comprehensive guide, we’ll show you exactly how websites get hacked, what the signs are that your site has been hacked, and a lot more. Let’s take a look.
The Massive Scale of Hacked Websites
Well over 1.2 billion (with a B) websites now comprise today’s version of the World Wide Web. And if you assume an average of a 3-second website loading time, it would take you over 160 years to visit every site in existence, without taking a second to rest.
That is an insanely massive web that is completely impossible for any individual entity to watch over safely, although services like Google’s Safe Browsing do try to warn users about sites that could be unsafe. Currently, it delivers over 3 million of these warnings to users every single day.
On sites scanned by a WordPress security plugin such as iThemes Security Pro, between 1-2% of all sites have at least one Indicator of Compromise (IoC) that reveals a current hacking attempt. Even if that percentage seems rather small to you initially, it really isn’t. If you take that percentage and divide it across all websites in the world, it indicates that around 12 million sites are currently infected or hacked by an attacker.
And that’s about the size of the populations of Los Angeles and NYC combined.
Simply stated, websites will always be huge targets for people with bad intentions. And the overall impact of any hack will be devastating to your business.
But there is good news.
Although there is a big threat out there that is harmful and persistent, our awareness of it, combined with the use of the right tools, will go a long way toward ensuring our sites remain safe from attack.
How Do Websites Get Hacked? The 3 Primary Ways
Throughout the last three decades of the Internet, hacks have nearly always fallen into three categories:
- Access control
- Software vulnerabilities
- Third-party integrations
The reality is that it doesn’t matter if you’re running a site for a Fortune 500 or your local shoe store, the way that hackers approach their craft will look nearly identical.
But what does vary is how each business individually allows itself to be exploited in the first place.
- Large organizations often use the excuse of saying, “We thought someone else was handling the security.” This type of fog and miscommunication is common in large, complex organizations.
- Small businesses often believe that they are too small for any hackers to want to target. They’re often under the false assumption that hackers won’t touch them. This makes it easy to lose sight of how much private information really can be taken from even the smallest website.
In both such cases, hackers have the incentives and tools to carry out their goals in areas where there isn’t much vigilance about security.
Website Environments Have a Lot Of Activity
Before diving into the specifications of each type of hack, let’s first set an incredibly important foundation for how the web actually works.
Every website relies on a series of systems that are interconnected and work together. There are components such as DNS (Domain Name Servers), the web server, and the infrastructure that houses your various servers and connects them to the Internet.
Even if that sounds relatively simple, the underlying ecosystem is quite complex.
So many of the individual components are provided by specialty service providers. Even if you’re receiving a number of different services from a single service provider, there are still countless unique parts of the equation that function on their own.
Think of your website like a modern consumer vehicle. On the outside, it looks solid and streamlined, but underneath has countless moving parts that make it all work.
For the purposes of this guide, it’s not important that you understand all of the details about how your site works. But it is important to know that every one of these individual components will impact your overall WordPress site security.
And they each have the potential to contribute to how your site gets hacked.
1. Access Control
This specifically speaks to the process of authorization and authentication. Stated simply, access control is how you log in to your WordPress website.
And this goes beyond just the way you log in to your website’s admin panel. As we’ve already established, there are many different interconnected logins that work together behind the scenes of your site.
When thinking about access control, there are six specific areas you need to consider.
How do you:
- Log into your host panel?
- Log into the server (SSH, SFTP, FTP)?
- Log into your website?
- Log into your personal computer?
- Log into social media platforms?
- Store your username and password credentials for each of these accounts?
It’s far too easy to overlook access control. However, each individual access point can offer hackers access to your entire ecosystem.
A hacker will also use a number of different tactics to gain access to a single insecure login point. Think of it like a house thief checking every potential entrance, then sneaking copies of your home pass codes or keys (or tricking you into handing them over).
- Brute force attacks are the easiest to pull off and can be the most effective way in. With a brute force attack, the hacker tries to guess the potential username and password combinations in an effort to log in as a credible site user.
- Social engineering attacks are growing in popularity. A hacker builds phishing pages that are designed to trick a user into voluntarily entering their ID and password combination.
- Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks involve intercepting a user’s login credentials via the user’s browser.
- Man in the Middle (MITM) attacks are also used. Here, a user’s username and password are intercepted in transit when the user works on a network that isn’t fully secure.
- Keyloggers and other malware that monitors users will record keystrokes and other input, then report them back to the hacker who infected the user.
But no matter what type of attack is perpetrated, the hacker’s goal is always the same: Gain direct access to your site via credible logins.
The iThemes Security plugin adds more protection for your users’ security. Your site’s security depends on your users having secure logins with strong passwords. That’s why iThemes Security offers multiple layers of security for users, including two-factor authentication, trusted devices with session hijacking protection, passwordless logins to verify a user’s identity, and breached password protection. You can even run user security checks to quickly audit and modify the most critical elements of your users’ security.
The next layer of security iThemes Security adds is protection for the most attacked part of your website, the WordPress login screen. iThemes Security offers two types of brute force protection to watch for invalid login attempts made to your website. Once a user or bot has made too many consecutive invalid login attempts, they will get locked out and will be prevented from making any more attempts for a set period of time.
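As an added example (not code from iThemes or the plugin), here is the consecutive-failure lockout logic described above in Python, run over a constructed sequence of login attempts. The threshold of 5 failures and the 15-minute window are assumptions for illustration, not the plugin’s settings.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class LoginThrottle:
    """Lock a key (username or source IP) after too many consecutive failed logins.

    A per-key counter of consecutive invalid attempts is reset by a successful
    login; reaching the threshold starts a lockout window during which every
    attempt, even one with the right password, is refused.
    Threshold and window below are illustrative assumptions.
    """
    max_failures: int = 5
    lockout_seconds: int = 900
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, key: str, now: float) -> bool:
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # lockout expired: clear it and start counting fresh
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def attempt(self, key: str, success: bool, now: float) -> str:
        """Record one attempt; return 'locked', 'allowed' or 'rejected'."""
        if self.is_locked(key, now):
            return "locked"  # refused before any password check
        if success:
            self.failures.pop(key, None)  # a good login resets the counter
            return "allowed"
        count = self.failures.get(key, 0) + 1
        self.failures[key] = count
        if count >= self.max_failures:
            self.locked_until[key] = now + self.lockout_seconds
            return "locked"
        return "rejected"


# Constructed sample (not real traffic): one address guessing every second,
# then the correct password arriving inside the window, then after it expires.
SAMPLE_ATTEMPTS: List[Tuple[float, str, bool]] = [
    (float(t), "203.0.113.7", False) for t in range(7)
] + [(100.0, "203.0.113.7", True), (1000.0, "203.0.113.7", True)]


def run(attempts=SAMPLE_ATTEMPTS, throttle=None) -> List[str]:
    throttle = throttle or LoginThrottle()
    return [throttle.attempt(ip, ok, t) for t, ip, ok in attempts]
```

Note that the correct password at t=100 is still refused because the lockout is in force; only the attempt at t=1000, after the window has expired, is allowed.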
2. Software Vulnerabilities
In reality, the vast majority of WordPress website owners aren’t able to address the security vulnerabilities in today’s software without a patch recommended to them by the software developer. The problem is that many developers don’t account for the threats that the code they write introduces to your site.
A small bug that doesn’t impact the intended UX (user experience) noticeably can be exploited to make the software do things that it wasn’t intended to do. And the most experienced hackers look at those bugs as potential vulnerabilities.
One of the most common ways they do this is by using a malformed POST Header, or malformed Uniform Resource Locator (URL) to initiate a number of different attacks.
- Remote Code Execution (RCE) which allows total remote takeover of the targeted site and system
- Remote / Local File Inclusion (R/LFI) which uses input provided by the user in fields to upload malicious files into a system
- SQL Injection (SQLi) which manipulates text input fields with malicious code that sends attack sequences to the server
In a similar way to access control, vulnerabilities in software extend beyond the scope of the website itself. These vulnerabilities can be found and exploited within every interconnected technology a website relies on.
And most current sites use a mixture of third-party extensions, such as WordPress plugins and themes, which are all potential points of hacking intrusion.
Because vulnerable plugins, themes, and WordPress core versions are your website’s biggest security risk, iThemes Security goes to work scanning your website. With the iThemes Security Site Scan, you’ll know every time a plugin, theme, or WordPress core version on your site is vulnerable and needs updating. And even better … it will automatically run updates for you. Site Scan is powered by the most comprehensive vulnerability database available, so you’ll always have the latest protection. Site Scan also integrates with Google Safe Browsing to check your site’s blocklist status and for any known malware or suspicious files.
Here’s how iThemes Security’s Site Scan works to protect your site:
- Scans Your Website Twice a Day for Vulnerabilities – Your website’s plugins, themes, and WordPress core versions are checked against the WPScan Vulnerability Database for the latest vulnerability disclosures.
- Automatically Updates if a Security Fix is Available – Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.
- Emails You if Site Scan Detects a Vulnerability – You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.
3. Third-Party Services and Integrations
Lastly, there are the exploits that happen through third-party services and integrations.
Most often, these will take the form of advertisements through an ad network that leads to malvertising attacks.
These hacks will involve services that you use with your site and hosting, including components such as your CDN (Content Distribution Network).
Third-party integrations and services provide extensive interconnection between the different parts of your site-management experience. In fact, that’s one thing people love about extensible content management systems such as WordPress, Drupal, and Joomla.
But the interconnectedness also provides points for hackers to exploit.
One of the biggest problems is how hackers exploit these services and integrations in ways that are beyond a website owner’s ability to control them. As a site builder or manager, you’ve put a ton of trust in third-party providers when you choose to use one of their integrations.
And, of course, many are diligent about securing their integrations.
But like with other things, there is an inherent risk. And it’s one that hackers always have their eyes on.
One of the ways iThemes Security works to protect third-party access is with secure app passwords for XML-RPC & REST API. This update allows for using username/password authentication for REST API requests so you can lock down the REST API (per our recommendation) while still allowing external tools that use the REST API to connect.
Protecting Your Website From Getting Hacked
WordPress website security matters. A big part of WordPress website security is education and awareness. And simply reading this guide has put you in a better position to secure your site.
Moving forward, there are specific steps you need to take. And it’s our goal to help you achieve them. Unfortunately, it’s only after something has already gone wrong that so many website owners finally get serious about security.
Instead, why not get ahead of the pain and make these steps to keep you out of it:
- Use the principles of Defense in Depth. This involves building security layers like an onion. Each practice makes it more difficult for hackers to get a shot into your ecosystem.
- Apply the principle of Least Privilege. Make sure you limit what each site user’s login allows them to do.
- Enable Two-Factor Authentication or Multi-Factor Authentication wherever you can. This will further secure those particular user access points.
- Use a website firewall. This will work wonders in limiting how hackers try to exploit vulnerabilities in software.
- Schedule backups on a regular basis. Download and install the BackupBuddy WordPress backup plugin as your solution for this. That way, if your site is ever hacked, you’ll be able to recover it with a few clicks.
- Get the perspective of the major search engines. Bing Webmaster Tools and Google Search Console both provide useful reports on how they view the security of your site.
The best way to cover these security bases as a WordPress site owner is by using the iThemes Security Pro plugin.
Then understand that there’s no fool-proof way to stay 100% secure at all times. The tools you employ within your website environment will significantly reduce your overall risk. But security is not a single action or event. It’s a series of actions.
And it all begins with a great tool like iThemes Security Pro that will help walk you through how to best secure your site.
Now that you know what to do and what you’re looking for, you’ll no doubt come across one of the security scenarios we’ve covered in this guide. But now, you’ll know better what to do to remediate the problem.
Kristen has been writing tutorials to help WordPress users since 2011. As marketing director here at iThemes, she’s dedicated to helping you find the best ways to build, manage, and maintain effective WordPress websites. Kristen also enjoys journaling (check out her side project, The Transformation Year!), hiking and camping, step aerobics, cooking, and daily adventures with her family, hoping to live a more present life.