A question usually asked about security is “why would anyone want to attack me?”. After setting up a WordPress website for the first time, this is a seemingly reasonable question to ask, as there is no legitimate reason to attack you personally. Few people know about the site and it doesn’t contain anything valuable. Why would it be a target? Unfortunately, massive automated attacks are common and arbitrary, and servers are under constant attack the moment they connect to the internet. The source? Massive amounts of automated “bots”. It is estimated by various sources that between 30-40% of all computers are infected with some sort of malware, putting that number in the hundreds of millions.
How a Botnet Conducts Attacks?
Once infected, these bots consist of a set infected computers acting as “agents”, given orders by one central server, they may have been infected via malware or browser, or be voluntary attack nodes, but they can grow to a massive number controlled by a single group, usually for the purposes of crime. In 2014, a security company named Sucuri recorded WordPress attack analysis through one of its “honeypot” systems, left as deliberate bait. They spent 23 days recording login attempts. This is one way that attacks happen, simply trying to brute-force the login password, and it’s the easiest to conduct, hence the most common. In the period of 23 days there were over 2 million login attempts, originating from about 200,000 IP addresses. Attacks per day ranged between 17,000-200,000 login attempts, aimed at both ‘admin’, and a range of guessed usernames inferred from the site’s domain name (such as the domain name itself, and variants).
Missing an update or using a plugin that hasn’t been properly vetted (and is known to have security flaws) can leave a large number of sites open for instant takeovers, and “botnet” owners will use this information. With around 75 million people using WordPress, there is a high chance of hitting at least one leak link in the owner’s security if enough sites are tried. Typically, the goal is to insert malicious or personally beneficial code, to the greatest extent possible. Some botnets will install copies of themselves to spread further, but if the security settings are too strong it’s likely site vandalism (inserted ads or backlinks) will be more likely, and can be a big hassle to remove. If eCommerce is handled via the site, the theft of personal data may also be a factor. Fortunately, since version 3.7 if set up correctly WordPress updates itself with security fixes. While this updates WordPress itself, the core, it doesn’t update plugins, which have to be kept up with manually.
Ways to decrease your vulnerability
Cleaning a hacked WordPress site is no fun. There is a lot that goes into cleaning your hacked site and you want to avoid it at all costs! Here are some ways to be proactive and decrease your vulnerability:
- If you have multiple users, some of these suggestions are best implemented to avoid them accidentally creating a weak login. A good example of this is implementing and requiring “two-factor” authentication.
- Make sure the plugins you’re using are well-programmed and well-rated by the community, and make sure to keep them up to date. The reason quality control is important is that if a bug is discovered, it may take some time for the author to patch the plugin and release an update.
- Keep as little of the details of what “powers” your site visible as possible. One easy way botnets scan for exploitable versions of software is the version number, so obscuring it where possible is ideal. Hiding your WordPress version number, theme name, and any other clues will make your site harder for botnets to identify.
- Changing the location of wp-login.php to login.php or a different filename can prevent brute-force password attacks, as botnets will attack the wrong page while trying to log in, smarter ones will give up after enough “file not found” errors.
- Using a different username from ‘admin’. This is the default username used when a botnet is trying to break a password initially, as it makes up the majority of logins. Where possible, use an admin username that’s entirely unrelated from the nature of the site and change the ‘admin’ username to an account without any powers. This may also trick bots into thinking there is a legitimate admin user, and waste their time on that particular username.
- The biggest step you can take to protect your admin section is to enable two-factor authentication. This is offered through several plugins using Google Authenticator.
With measures like these in place, your site will be a far lower target for automated attacks, an unfortunate reality of being online.