WordPress is a popular CMS (Content Management System) used to build websites. Its flexibility and ease of use have given WordPress a 65% share of the CMS market, and 42.4% of all websites are built on it. Unfortunately, that popularity also makes WordPress an attractive target for attackers.
The following are the main weaknesses that allow a WordPress site to be compromised:
Using Outdated WordPress Core
The WordPress core is the set of files required for WordPress to function. Outdated versions of the core may be vulnerable: for instance, CVE-2016-10033-RCE is a known vulnerability affecting WordPress version 4.6 that allows remote code execution by an attacker. The core software must therefore be updated promptly to avoid known vulnerabilities in outdated versions.
Using unsecured or outdated themes or plugins
WordPress themes and plugins are easy to find on the internet; some are free, others paid. They are not always securely written or configured, so once they are used to build a site they can compromise its security, all the more so if they were downloaded from an unreliable source. Leaving them unpatched is also a risk, since updates usually bring additional features or patches that fix known vulnerabilities in these components.
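The two points above (an outdated core and outdated or unvetted plugins) come down to knowing what versions are installed. The following Python script is an added example, not code from the article: it reads the version WordPress stores in wp-includes/version.php ($wp_version) and the "Version:" header each plugin declares in its main PHP file, then compares them against a minimum-version inventory the site operator maintains. The sample site tree, the plugin names and the inventory values are constructed for the demonstration.

```python
"""Audit a WordPress tree for an outdated core and outdated or unknown plugins.

Added example, not code from the article. WordPress records its own version
in wp-includes/version.php ($wp_version) and every plugin declares a
"Version:" header in its main PHP file; this script reads both and compares
them with a minimum-version inventory the operator maintains. The sample
site and the inventory values are constructed for the demonstration.
"""
import os
import re
import tempfile

WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")
PLUGIN_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)

# Constructed inventory: lowest acceptable version per component (placeholders).
SAMPLE_MINIMUMS = {"core": "5.0", "example-plugin": "1.0.0"}


def parse_version(text):
    """Turn '4.6' or '1.2.3-beta' into a tuple of ints for comparison."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))


def core_version(wp_root):
    """Return the $wp_version string, or None when it cannot be read."""
    path = os.path.join(wp_root, "wp-includes", "version.php")
    try:
        with open(path, encoding="utf-8") as fh:
            match = WP_VERSION_RE.search(fh.read())
    except OSError:
        return None
    return match.group(1) if match else None


def plugin_versions(wp_root):
    """Map each plugin directory to its declared version (None if no header)."""
    plugins_dir = os.path.join(wp_root, "wp-content", "plugins")
    found = {}
    if not os.path.isdir(plugins_dir):
        return found
    for slug in sorted(os.listdir(plugins_dir)):
        pdir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(pdir):
            continue
        found[slug] = None
        for fname in sorted(os.listdir(pdir)):
            if not fname.endswith(".php"):
                continue
            with open(os.path.join(pdir, fname), encoding="utf-8") as fh:
                match = PLUGIN_VERSION_RE.search(fh.read(4096))  # header sits at the top
            if match:
                found[slug] = match.group(1)
                break
    return found


def audit(wp_root, minimums):
    """Return human-readable findings for anything below the inventory minimum."""
    findings = []
    core = core_version(wp_root)
    if core is None:
        findings.append("core: version.php missing or unparsable")
    elif parse_version(core) < parse_version(minimums["core"]):
        findings.append(f"core: {core} is below required {minimums['core']}")
    for slug, version in plugin_versions(wp_root).items():
        if version is None:
            findings.append(f"plugin {slug}: no Version header found")
        elif slug not in minimums:
            findings.append(f"plugin {slug}: not in inventory, review it")
        elif parse_version(version) < parse_version(minimums[slug]):
            findings.append(f"plugin {slug}: {version} is below required {minimums[slug]}")
    return findings


def build_sample_install():
    """Write a constructed WordPress tree (old core, two plugins) to a temp dir."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "wp-includes", "version.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n$wp_version = '4.6';\n")
    for slug, version in (("example-plugin", "1.0.0"), ("unknown-plugin", "2.3")):
        pdir = os.path.join(root, "wp-content", "plugins", slug)
        os.makedirs(pdir)
        with open(os.path.join(pdir, f"{slug}.php"), "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {slug}\nVersion: {version}\n*/\n")
    return root


if __name__ == "__main__":
    for finding in audit(build_sample_install(), SAMPLE_MINIMUMS):
        print(finding)
```

Run against a real site root instead of the constructed tree, and keep the inventory in version control so that every core or plugin release you have vetted is recorded; a plugin absent from the inventory is flagged for review rather than silently accepted.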
Using an insecure web hosting platform
This is a common entry vector for attacks on WordPress sites, accounting for up to 41% of attacks according to the WP Template infographic. It is not uncommon for web hosting companies to secure their platforms incorrectly, leaving the sites they host open to attack. To address this, choose a reputable hosting provider with a known security track record, or use a managed WordPress provider.
Using weak passwords or an unprotected WP-Admin
Weak passwords are a known weakness in any system because they can easily be brute-forced or guessed. The WP-Admin area provides access to the management of the WordPress site, so it should be protected with a strong password.
Password attacks on WordPress sites are common and take the form of brute-force or dictionary attacks. Attackers use security tools such as WPScan to carry out these attacks and to identify other vulnerabilities within the site.
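Brute-force and dictionary attacks on the login form leave a recognisable trace in the web server's access log. The following Python detector is an added example, not code from the article: it parses combined-format log lines, keeps the POSTs to /wp-login.php that came back with HTTP 200 (WordPress re-serves the login form with a 200 on a failed login and redirects with a 302 on success), and alerts on any client that exceeds a threshold of failures inside a sliding time window. The log lines, the addresses and the threshold and window values are constructed for the demonstration.

```python
"""Flag password-guessing bursts against wp-login.php in web server access logs.

Added example, not code from the article. The log lines are constructed in the
combined log format that Apache and Nginx write. WordPress answers a failed
login with the form again (HTTP 200) and a successful one with a redirect
(HTTP 302), so a run of 200-status POSTs from one client is the pattern to
alert on; threshold and window are tunables chosen here, not figures from
the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client hammers the login form, another logs in normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2311
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2450
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2450
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2450
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2450
203.0.113.7 - - [10/Mar/2024:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2450
203.0.113.7 - - [10/Mar/2024:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 2450
203.0.113.7 - - [10/Mar/2024:12:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 2450
203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2450
203.0.113.7 - - [10/Mar/2024:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2450
203.0.113.7 - - [10/Mar/2024:12:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 2450
203.0.113.7 - - [10/Mar/2024:12:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2450
203.0.113.7 - - [10/Mar/2024:12:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 2450
198.51.100.20 - - [10/Mar/2024:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2450
198.51.100.20 - - [10/Mar/2024:12:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [10/Mar/2024:12:05:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 9812
"""


def failed_logins(lines):
    """Group timestamps of failed wp-login.php POSTs by client address."""
    attempts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the format
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or path != "/wp-login.php" or m["status"] != "200":
            continue
        attempts[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    return attempts


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: peak failures inside one window} for clients at or over threshold."""
    alerts = {}
    for ip, times in failed_logins(lines).items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {count} failed logins within 60s")
```

The single failed attempt from 198.51.100.20 followed by a 302 is an ordinary user mistyping a password once, and stays below the threshold; the 12 consecutive failures from 203.0.113.7 within twelve seconds are what the alert is for. In production, feed the function the live log and pair the alert with rate limiting or a lockout on the login form.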
Using plain FTP for file transfers
FTP is a protocol for uploading files to the web server with FTP clients such as FileZilla. With plain FTP, however, the password is sent to the server unencrypted, so anyone able to capture the traffic can obtain the credentials. Use SFTP (file transfer over SSH) instead.
An unsecured wp-config.php file
The wp-config.php file normally contains the database login credentials. If it is not secured and an attacker can read it, it reveals those credentials and with them access to your website. This can be avoided by denying web access to the file from the .htaccess file.
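The .htaccess rule the paragraph recommends is an Apache <Files> block that refuses every HTTP request for wp-config.php. The Python script below is an added example, not the article's own code: it checks whether the site's .htaccess already carries such a block, adds it when missing, and, as an extra check beyond the article, confirms that the file grants no permissions to other local users. The sample site tree and the placeholder database password are constructed for the demonstration.

```python
"""Check and fix two protections for wp-config.php.

Added example, not the article's own code. It verifies that the site's
.htaccess carries an Apache <Files> block denying HTTP access to
wp-config.php (the article's recommendation) and, as an extra check beyond
the article, that the file is not readable by other local users. The sample
site tree is constructed in a temporary directory.
"""
import os
import re
import stat
import tempfile

# Apache 2.4 directive block that refuses web requests for wp-config.php
# (the 2.2-era equivalent is "Order allow,deny" followed by "Deny from all").
HTACCESS_RULE = "<Files wp-config.php>\n    Require all denied\n</Files>\n"

FILES_BLOCK_RE = re.compile(
    r"<Files\s+[\"']?wp-config\.php[\"']?\s*>(?P<body>.*?)</Files>",
    re.IGNORECASE | re.DOTALL,
)
DENY_RE = re.compile(r"Require\s+all\s+denied|Deny\s+from\s+all", re.IGNORECASE)


def htaccess_denies_config(wp_root):
    """True when some <Files wp-config.php> block in .htaccess denies access."""
    path = os.path.join(wp_root, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return any(DENY_RE.search(m["body"]) for m in FILES_BLOCK_RE.finditer(text))


def config_mode_restrictive(wp_root):
    """True when wp-config.php grants no permission bits to 'other' users."""
    mode = os.stat(os.path.join(wp_root, "wp-config.php")).st_mode
    return (mode & stat.S_IRWXO) == 0


def audit_config(wp_root):
    """Summarise both checks as a dict of booleans."""
    return {
        "htaccess_denies": htaccess_denies_config(wp_root),
        "mode_restrictive": config_mode_restrictive(wp_root),
    }


def add_protection(wp_root):
    """Append the deny block if missing and drop 'other' permissions on the file."""
    if not htaccess_denies_config(wp_root):
        with open(os.path.join(wp_root, ".htaccess"), "a", encoding="utf-8") as fh:
            fh.write("\n" + HTACCESS_RULE)
    config = os.path.join(wp_root, "wp-config.php")
    mode = os.stat(config).st_mode
    os.chmod(config, stat.S_IMODE(mode) & ~stat.S_IRWXO)


def build_sample_site():
    """Constructed site: world-readable wp-config.php and a rewrite-only .htaccess."""
    root = tempfile.mkdtemp(prefix="wp-config-")
    config = os.path.join(root, "wp-config.php")
    with open(config, "w", encoding="utf-8") as fh:
        fh.write("<?php\ndefine('DB_PASSWORD', 'placeholder-not-a-real-secret');\n")
    os.chmod(config, 0o644)
    with open(os.path.join(root, ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write("# BEGIN WordPress\nRewriteEngine On\nRewriteBase /\n# END WordPress\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    print("before:", audit_config(site))
    add_protection(site)
    print("after: ", audit_config(site))
```

The .htaccess rule only takes effect when Apache honours per-directory overrides (AllowOverride) for the site; on Nginx the equivalent is a location block returning 403 for the file. The permission check is a second, independent layer: even if the web server is misconfigured, the file should not be readable by unrelated accounts on a shared host.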
Denial-of-service attacks are also among the common attacks on websites: the attacker floods the server with requests until it crashes or becomes too slow to serve visitors.
The Security for Everyone team has carried out penetration tests on many WordPress-based sites and has more than ten years of experience in this field. If you have a website and want to try S4E services, click the following link. Also, don't hesitate to get in touch with any questions you may have.