One of the most crucial aspects of your new (or old) wordpress sites is security. This article is written to help you understand the fundamentals of WordPress security, we aim to give you knowledge to understand “who” is attacking your wordpress site and how they can potentially succeed and get into it.
A really important thing to ask yourself is “Who is attacking my site?” We’ve broken this down into 3 categories that stand out as the most common means of attack.
- Humans: There is someone sitting at a PC physically looking for exploits and probing it for vulnerabilities. Focuses on attacking one site at a time. Slow but very thorough and usually target high value sites.
- A Single Bot: This is usually an automated program or script that a hacker uses to attack many websites in an automated way. Looks for common vulnerabilities. Can attack multiple small sites at once.
- A Botnet: This is usually a large group of machines running programs that are co-ordinated from a central server. They are attacking many websites in an automated way. They can be spread across a number of IP addresses and can number in the thousands.
Credit to WordFence for image
Having a human manually attack your website is quite rare, especially if you are not a well known business or individual. It’s rare that sites are singled out but it’s even rarer that the singled out sites are attacked by an actual human.
If you are targeted by a person, the level of the attack is far deadlier than when you are targeted by a bot net or single bot because the attacker is able to control the speed at which they gather the information from your website and avoid setting off any hack-detection counter measures in place. Then they have the freedom to try a few small attacks while being very careful not to alert you or the counter measures that are used to protect your site. They are able to see the results from each attack and decide on how to proceed with the results that they acquire.
Single Bot And Botnets
Bots are programs or scripts written by hackers that are able to target a large number of websites looking for vulnerabilities in common software such as WordPress. It is very easy to write a program that visits 1000’s of websites, quickly checking if a particularly vulnerable version or outdated version of WordPress is running, and when found to exploit the security hole.
Bots can be individual scripts or programs running on a computer or a large number of computers running multiple instances of the program all working for the same purpose. Trying to hack into an absurd number of websites together. This is called a “Botnet”
Most of the attacks that target WordPress are performed by botnets. There is a silver lining to it though, m ost of these attacks are not nearly as dangerous as a professional human hacker physically probing your website for vulnerabilities. But the bad news to this is that if there is a vulnerability or exploit in one of the plugins on your website (Which is caused by keeping your WordPress version and plugins out of date, happens more often than you think) then the botnets are quickly able to compromise a large number of websites.
Why are They Attacking my Website?
The primary goal of a hacker is to gain access to your wordpress website on an admin level. That means they have full control over your files and data in the database. It also means they can modify your files to leave backdoors for future exploits once you deal with them, leaving you just as vulnerable all over again.
They do this for the following reasons:
- To send spam
- To host illegal content (Which includes but is not limited to drug sales, pornography etc) Hosting bad content on a domain that has a clean reputation allows them to avoid spam filters.
- To steal your website data
- To attack other websites (Which ultimately makes your website become a part of the “Botnet”)
How to Protect Yourself
- Use strong passwords for all user accounts (Make your passwords excruciatingly long with a mixture of capital letters and symbols, store them in a text file on an offline device)
- Choose a very reputable hosting provider
- Keep WordPress, plugins and themes up to date at all times
- Use an intrusion detection system and captchas where applicable
- Ensure that there are no sensitive temporary files lying around on your site.
- Use plugins carefully. Some plugins are vulnerable. Delete plugins and themes if you are not using them
- You can also delete the Admin user account. Before deleting admin user you must create another account with same Administrator level permissions with a strong password.
We hope this article has been useful to you as an introduction and run-down of WordPress security and vulnerabilities.