Site hosting news, tutorials, tips, How Tos and more

How does a WordPress site get hacked?

WordPress is one of the most popular applications on the web with over 74 million installations – that’s a staggering 35% of all the active websites! Unfortunately, with its massive install base, it is natural for hackers to focus a lot of attention on hacking WordPress sites.

In this post, I’ll describe the most common attacks and what you can do about it to lessen the probability of being a victim.

In general, we have found that hackers compromise WordPress installations mostly by one of the two following methods:

  1. Brute Force dictionary attack

Hackers operate many bots that worm through sites and test random login and passwords in the WordPress Admin page.

To get an idea of the scale of attempted logins we’ll take a look at some stats from our own infrastructure. At Winhost, we deploy an Intrusion Prevention System (IPS) on the network edge to detect many malicious activities and try to stop hackers before requests hit our servers. We have rules deployed on the IPS system to thwart Brute Force attacks. However, we cannot make the rules too aggressive because then it can block legitimate requests. It’s a delicate balancing game which we tweak constantly.

Based on the statistics of our IPS system, we typically track 9-10 million WordPress login attempts a month (both malicious and legitimate attempts). Check out the plot below.

IPS

About 20% of these attempts are blocked by our IPS system.

2. Outdated Plugins / Themes

Many WordPress sites use various plugins and themes to enhance their sites. The problem is that many plugins and themes have security holes that allow hackers to upload malicious files to the server without the need to log in as an administrator. As a result, we constantly see malicious bots testing for these plugins.

What does Winhost recommend to protect your WordPress site from getting hacked?

Credential Security

<?xml version="1.0" encoding="UTF-8"?> 
<configuration> 
    <system.webServer> 
        <security> 
            <ipSecurity allowUnlisted="false"> 
                <add ipAddress="1.2.3.4" allowed="true" /> 
            </ipSecurity> 
        </security> 
    </system.webServer> 
</configuration> 

PHP Version

Set your site’s PHP version to 7.1 or above

Update WordPress Frequently

Backup Site and Database

We recommend that you backup your site and MySQL database. We recommend you keep at least 2 weeks worth of backup because you may not realize your site is hacked immediately. Don’t rely on Winhost’s nightly backups because it will only store about 3 days worth of backups. You can automate the backups by using our SiteBackup service.

SiteLock Security service

Consider subscribing to SiteLock Premium or Enterprise Service and enable SmartScan. SmartScan will check your site daily for malicious files and also report on newly created files.

What we do at Winhost to protect your WordPress site

Visit Winhost to learn more about our WordPress Hosting solution

Rate this article
   

No responses yet

Have a comment? Make it here!

This site uses Akismet to reduce spam. Learn how your comment data is processed.