[WordPress Security] Who is Attacking Your Site and Why

Today we explain why seemingly insignificant WordPress sites are being attacked and who is behind it.

People are constantly asking us why their seemingly insignificant sites are being attacked. It is hard to understand what value a low traffic site on entry-level hosting might hold. Unfortunately, an attacker views your website as a juicy collection of resources they can use, generally to make money. People who attack WordPress sites are just criminals with technical skills, criminals who exploit any vulnerability that they can find.

Your web server is a computer that can be used to run their programs. It’s connected to the internet and likely has a squeaky-clean reputation. It might include interesting user data like email addresses, usernames and passwords. While it might be modest, it has some traffic coming to it. And finally, it’s important to you.

Let’s look at some of the ways cybercriminals leverage your resources to make money.

One of the newest is cryptocurrency mining, which is a computationally intense process that puts your web server’s computing power to work on behalf of the attacker. Our security researchers have uncovered evidence of hacks yielding almost $100,000 in just a few days.

Hosting phishing pages remains a popular way to leverage a hacked website. A phishing page is one that attempts to fool you into sharing sensitive information, like your password, credit card number or social security number. An example of a phishing page is a fake login page that gives you the impression you are on an online banking login screen. You enter your credentials and the attacker logs them and can now sign into your real online banking account and steal data.

Because your site has a clean reputation, when attackers host phishing pages on your site, services like Google Safe Browsing that would normally warn users about suspicious websites won’t know to alert visitors to the danger of the phishing page. Well, until the phishing pages are reported. Then, you may end up on a blacklist.

Another popular approach is hosting spam pages and injecting spammy links. Your site is legitimate, so search engines like Google assume that your content, including outbound links, is also legitimate. Attackers love to plant SEO spam in the form of pages and links on your site, boosting SEO rankings for their malicious businesses. It’s important to remember that while your site alone isn’t capable of boosting an attacker’s SEO results, thousands of compromised sites can really move the needle.

Our Security Services Team finds hacked websites being used to send spam email all the time. Getting spam email past spam filters is a difficult endeavor. Email clients use myriad techniques to identify and block spam. Almost all spam filters rely on IP blacklists to block everything from IPs known to send spam. That’s where your web server comes in. Not only does your server have all of the hardware and software spammers need, but the reputation of your IP is likely perfect. By sending spam from your web server, cybercriminals have a much better chance of getting their spam delivered.

Eventually, spam filters pick up on what is happening and blacklist your IP as well, so the attacker simply moves on to the next victim, leaving the reputation of your IP address in ruins.

Sometimes attackers will use compromised WordPress sites to attack other WordPress sites. We saw hackers use this approach in the cryptocurrency mining attack we discovered recently, where an attacker was controlling a botnet made up of thousands of other people’s WordPress sites that were simultaneously mining for cryptocurrency and attacking other websites. Your website is an attractive attack platform because your IP address is likely not on any blacklists.

Another very common thing attackers do with hacked websites is add redirects to their content. Visitors to your site don’t even have to click on a hyperlink to visit the spam site; the redirect will just take them there directly. In some cases, attackers will go so far as to redirect all of your traffic to malicious sites. But in most cases, they employ measures to avoid detection, only redirecting traffic to specific URLs or for specific browsers or device types or if the traffic is coming to the site from a search engine.
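Because these redirects fire only under certain conditions, a site owner who checks the home page from a desktop browser may never see them. The following check is an added example, not code from the original article or from Wordfence: it requests each path under several request profiles (direct visit, search-engine referral, mobile browser) and reports off-site redirects that only some profiles receive. The host names, the profiles and `constructed_fetch` are assumptions made for the example; against a live site, `fetch` would be a function that issues the request without following redirects and returns the status and `Location` header.

```python
from urllib.parse import urlparse

SITE_HOST = "blog.example"  # assumed host name of the site being checked

DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# Request profiles matching the conditions the article lists (assumed values).
PROFILES = {
    "direct-desktop": {"User-Agent": DESKTOP_UA},
    "search-referral": {"User-Agent": DESKTOP_UA,
                        "Referer": "https://www.google.com/search?q=blog"},
    "mobile": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)"},
}

def constructed_fetch(path, headers):
    """Constructed stand-in for a compromised site; returns (status, Location)."""
    if path == "/old-post/":
        return 301, "https://blog.example/new-post/"  # legitimate same-site redirect
    if path == "/" and "google." in headers.get("Referer", ""):
        return 302, "https://spam.invalid/offer"      # only for search-engine traffic
    if path == "/shop/" and "iPhone" in headers.get("User-Agent", ""):
        return 302, "https://spam.invalid/app"        # only for one device type
    return 200, None

def find_conditional_redirects(fetch, paths, profiles=PROFILES, site_host=SITE_HOST):
    """Return (path, profile, location) for off-site redirects seen by only some profiles."""
    findings = []
    for path in paths:
        offsite = {}
        for name, headers in profiles.items():
            status, location = fetch(path, headers)
            host = urlparse(location).hostname if location else None
            if 300 <= status < 400 and host and host != site_host:
                offsite[name] = location
        # A redirect every profile receives is more likely intentional;
        # one that depends on referrer or device is the pattern described above.
        if offsite and len(offsite) < len(profiles):
            findings.extend((path, name, loc) for name, loc in sorted(offsite.items()))
    return findings

if __name__ == "__main__":
    for finding in find_conditional_redirects(constructed_fetch,
                                              ["/", "/shop/", "/old-post/", "/about/"]):
        print(finding)
```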

In the case of defacements, the attacker just wants to get their message out. By taking over your website, they are able to reach your website visitors, at least until you figure out what they’ve done. Attackers of this kind often represent a political movement or are just looking for “street cred” in the hacker community.

One especially nefarious way attackers monetize hacked websites is to use them to spread malware. They install website malware that installs PC malware on your visitors’ computers or devices when they visit your site.

As a site owner, this is especially scary, as not only do you risk having your site flagged as malicious by search engines and other blacklists, but your visitors — potential customers and prospects — are not going to be happy with you. Your reputation, both online and with your site visitors, could be damaged for a long time. In addition, a hacked website can have a long-term negative impact on your search engine rankings.

Even if you don’t accept credit cards on your site, an attacker may still find valuable data to steal. For example, if you capture other data via forms on your site, there might be something there worth taking. Additionally, attackers can use stolen username and password pairs to try to log in to other sites.

We’ve learned over the years that websites almost always represent something that matters to people, even if it’s not a business site. Unfortunately, cybercriminals have come to this conclusion, too. Recently we wrote about a ransomware attack campaign targeting WordPress sites. While we haven’t seen much of this lately, we believe the threat of WordPress ransomware will continue and will increase in future.

Regardless of the size of your website audience or the cost of your hosting plan, criminals will happily find a way to monetize it if they can break in. Luckily, you don’t need to be a security expert to keep your site safe. With a little knowledge and Wordfence Premium, you’re armed with everything you need to stay a step ahead of attackers.

Mark Maunder – Wordfence Founder & CEO