Are you careful enough?
Today, WordPress is a trending name for both developers and users because of its large community, ease of use /access , growing popularity and dynamic and progressing updates and changes. Since, It is reaching heights and establishing its name in the list of one of the top website development tool, it has been a prime target for hackers too.
How Do They Hack It?
There are different levels of hackers in the web. Some have higher level of knowledge of fetching unauthorized data than other. So, to stop them from retrieving or modifying or deleting your personal data illegally we need to know how they work and what are their possible approaches to get inside (in the context of web development ). Below are some simple yet effective hacks.
Brute Force Attack :
A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. – Google
In brute force attack , the attacker will use an automated software where he will program the software to take consecutive guesses . A hacker can use it to obtain username/passwords, email addresses etc.
In WordPress brute force attacks can be easily executed by a hacker, if proper caution is not taken.
Here, we can see that an attacker can easily get admins username with just a simple url that is : `linktoyourwebsite/?author=1` and try and replace with 2 ,3 ,4 ….
Then the attacker can brute force the WordPress password without having to worry about the user name.
Brute Force attacking tools can guess up to 500 passwords a minute, and the server administrator would not know about it without a server log monitoring tool because the website will be responding fine.
Nmap NSE Script, Skull Security password lists , Burp Sprite ( Specially for WordPress ) are some tools used for Brute Force Attacking.
Capture Credentials on “UN-secure” login:
If you are connected in an unencrypted connection with no security measures on your web server(ssl) and try to access the dashboard ,an attacker can simply get your login credentials by just monitoring the network data packets. Wireshark , Smart-sniffs can be used to do so.
WordPress rely on themes and plugins to make a proper functioning website. This has its positive aspects and its negative aspects.To focus on the negative aspects, they are developed by different programmers with different backgrounds and different level of programming/ developing knowledge.For this reason there are thousands of exploitable vulnerabilities are available to an attacker.A simple glitch on the theme/plugin and an attacker has different options to choose from like XSS (Cross Site Scripting ) , SQL injection, file upload and code execution to contain a website.An example of application hacking using sql injection if a plugin uses open query instead of WP query in wordpress and has not sanitized and escaped properly.
Server Attacking :
A successful brute force attack against the server can lead to web server account hacking and can be very hard to recover.Using reliable servers to be safe from DNS spoofing and phishing is very important.We should also keep in mind that brute force attacks are possible on your server accounts too.Services that can be attacked with brute force password guessing include:
- SSH Service
- MySQL database service
- Webmin Server Management
- CPanel & WHMCS Web Hosting Control Panels
- phpMyAdmin database management application
Hardening Your Website:
Being Safe From Brute Force:
One of the simplest methods to be safe from brute force attacks is using a very strong passwords . I recommend using the passwords generated by WordPress on installation itself.Another way could be using different passwords for different accounts
Following WP standards:
WordPress standards are maintained for a reason. Its not just a showing off process or a process to keep code clean. It can help reduce glitches and loopholes on our website.It can also help to rollback from a hacked website
Restricting Plugins and themes from untrusted sources:
Plugins and themes should only be downloaded and installed from trusted sources. Some plugins/theme from unauthorized sources can be malicious whereas others could have loopholes where an attacker can get through.
Validating, Sanitizing and Escaping.
Always validate your input fields, Sanitize them with different sanitizing functions before letting them enter into the database and escape while publishing the data from the database. This will reduce the chances of getting your website attacked drastically.
Tools to help you find the nasty bugs.
(Reference from Online Scanners – Attacking WP )
OpenVAS Vulnerability Scanner – openvas.org
An open source vulnerability scanner with a collection of plugins that number close to 30000, the plugins test many different aspects of a system or network device.
Nmap Port Scanner – nmap.org
Test for open ports and how effectively a firewall is protecting a system with the well known Nmap Port Scanner. A well configured firewall that only allows access to required services makes an attacker’s job much harder.
Nikto Web Server Scanner – www.cirt.net
A vulnerability scanner that focuses on a web server and looks for known vulnerable scripts, configuration mistakes and other web server items of interest. The Nikto tool that has been around for many years yet still has a place in the penetration tester’s toolbox.
Metaspliot – www.rapid7.com/products/metasploit/
Metasploit Framework is a open source penetration tool used for developing and executing exploit code against a remote target machine it, Metasploit framework has the world’s largest database of public, tested exploits.
In a nutshell, if we do keep these simple thing in mind and follow WordPress standards we are safe from the “ soft and easy” attacks which can prove to be lethal for our website. If we are prepared for these kind of attacks the chances of our wordpress website to be successfully hacked will drop drastically.
Moreover, Keeping WordPress, its themes/plugins updated , Using SFTP instead of FTP to encrypt your credentials, securing and backing up your database can be handy to keep your website safe, after all there is no such thing as too much security.