The Small Business Website Guy


January 7, 2013 by John

Why Would Anyone Hack My Site?

It’s hard for the average person to comprehend why anyone would break into their website. “I don’t have anything of value. Why would someone hack my site?”

I’ve heard that question several times in the past couple of weeks. There must be a lot of script kiddies with too much time on their hands as I’m seeing an increase lately in attempts to log in to sites I manage. I’ve also cleaned up several hacked sites in the past couple of weeks.

Two of the hacked sites were not on my Website Management Program and had fallen woefully out of date. There were plugins on those sites nearly a year out of date, not to mention WordPress versions at least that long out of date. These are disasters waiting to happen!

The third site we caught before any damage was done. The site is one of my Website Management Program clients. I was alerted within a few minutes that someone had logged in with administrative privileges using an account they had somehow created themselves. I quickly emailed my client asking if he was aware of the existence of this account.

While I waited for a response, I did some research on the account name. I found that the same account name had been used in other attacks that were reported on WordPress.org’s support forum. The logins came from a well-known hosting company’s server, so it’s difficult to tell whether the breach was due to a security flaw in a plugin or whether the hosting company had a security hole allowing access to websites on their servers.

In any case, having found this, I quickly deleted the account and locked out the IP address from which the login originated. I then changed the admin passwords in WordPress for my client’s account and my own account. I also changed his hosting account password and the password for his WordPress database. His original password had been moderately strong, but not all that difficult to guess, so I changed it to a strong password until he could log in and come up with a strong password of his own.

Finally, I contacted the client and had him do a complete anti-virus scan using his usual anti-virus program and another called Malwarebytes. I’ve found Malwarebytes to be an excellent “second pair of eyes” to complement the usual anti-virus software found on most machines. Malwarebytes tends to catch things others don’t. No anti-virus catches everything, which is why I recommend periodically running Malwarebytes as a safety check in case the primary anti-virus misses something.

Once we were sure his machine was clean, I sent him his new passwords. He contacted his hosting company, which happened to be the same one from which the attack came, and arranged for them to scan his site regularly for malware. This is something a good hosting company should be doing anyway, but in the case of this host it’s an extra-cost option, a big reason why I don’t recommend them.

In any case, once we had his site secured, my client asked “Why would anyone hack my site?” A perfectly legitimate question as his site doesn’t take credit cards or store any sensitive information, things you would think a hacker would be after.

The answer to that question ranges from “because they can” to “so they can use your site to spread malware” and everything in between. Some hackers just do it because they get a kick out of getting into something they’re not supposed to be in. Once in, they’ll leave some evidence that they were there, and move on to the next challenge. They tend to be more annoying than dangerous.

Others want to use your site as a repository for various malware, sometimes known as “drive-by” malware sites. One of the sites I cleaned up had been infected with malware, and my client became aware of it because Google blacklisted her site. Those of you who use Google a lot, or use Google Chrome for browsing, have seen the warning messages indicating that proceeding to a particular site is dangerous and could infect your machine with malware. Imagine going to your site and being confronted with that screen instead of your home page!

We were able to clean up her site and get Google to take it off the blacklist, a topic I’ll cover in another post. Her site is now current and is being monitored for new updates so that it stays that way, which will hopefully avoid a future incident.

The moral of the story is to keep your WordPress site updated and backed up! Updates are posted for plugins on a fairly frequent basis as flaws are discovered and fixed. The same is true for WordPress itself, although updates to WordPress tend to be much less frequent. Even themes have potential vulnerabilities and need to be kept up to date.

As the saying goes “be careful out there!” Feel free to ask any questions and/or comment below.

John

Filed Under: Safe Computing, Security, WordPress


Comments

  1. Jeannette Paladino says

    January 8, 2013 at 3:48 pm

    Very good advice, as usual, John. I’ve noticed that I’m getting more fraudulent emails than ever from friends. Their emails have been hacked. Also, some of the “official” notices I’m receiving from supposedly reputable companies — like banks and PayPal — are so legitimate looking that you wouldn’t know they were fakes trying to pry your confidential information out of you. It’s gotten so that I no longer click on even the legitimate notices but go directly to their websites. The bad guys seem to be winning.

    • John says

      January 9, 2013 at 10:01 pm

      Hi, Jeannette,

      I don’t know that the bad guys are winning, but it sure takes a lot of time and energy to deal with them. Security is a defensive battle so the bad guys have a slight advantage, but fortunately, the good guys are very quick to deal with anything new that comes up.

      Technology is a two-edged sword in this regard. Automation works for the bad guys as well as the good guys so the volume of hack attempts goes up correspondingly with the increase in computer horsepower. The best we can do is not make it easy for them. The good news is that most of them look for known exploits and if they don’t find them, they move on.

      As for phishing emails, you’re wise to avoid clicking links in any email from a financial institution or other organization that you access with a password. You’re right, they’re getting so it’s hard to tell the real ones from the fakes. One good rule, though, is to be suspicious of any such email that has a link in it and to go directly to the website, as you said, instead of clicking the link.

      Thanks,

      John
