Most Common WordPress Attacks in 2020
It’s a widely known fact that WordPress dominates the Content Management System scene. The amount of websites that run on WordPress far outnumber those of its competition, totalling to about a third of all known sites.
That kind of ubiquity, of course, comes with severe exposure to cyber threats. WordPress is, unfortunately, the undisputed winner in terms of hacking, too. DataProt’s research into WordPress reveals that a whopping 90% of WP users request malware cleanups (while only 4% of Joomla or Magento users do).
It’s clear, then, that WordPress takes the lion’s share of the cyber danger. But what kinds of attacks on its websites are the most common? Knowing more about the most utilized types of cyber attacks can help WP website owners prepare for them.
To that end, let’s take a look at the most common WordPress attacks in 2020, as well as how to guard yourself against them.
1. Cross-Site Scripting
Cross-site scripting (XSS for short) is an injecting attack wherein the hacker inserts a malicious piece of code into a website. They usually manage to do this through an application that requires the user’s input to produce its output.
Once that nefarious piece of code creeps into the website, it can be used in a number of ways. The hacker may take session cookies and impersonate a user, access API’s that connect to other applications, spread worms, and more. That said, it’s most commonly leveraged to redirect people to websites where the hacker can snatch their data.
Protection against an XSS incursion varies depending on your circumstances. Here are a few suggestions for you to consider:
- Whitelist values so that attackers have a harder time inserting harmful code (for example, don’t let people type in their date of birth; have them choose from a drop-down list).
- Use an HTML sanitization library to block hackers from injecting scripts in their HTML submissions.
2. SQL Injecting
Much like an XSS attack, SQL injecting involves the insertion of a malicious code string into a website. The attacker does so by cramming structured language queries into cookies, forums, HTTP headers, or other web input pages.
The difference between the two lies in utility. XSS finds its purpose in sending unwitting users to malicious websites. Meanwhile, an SQL strike will tend to aim for the targeted website’s database, allowing modification and unauthorized access to data.
Beyond sanitizing input, one of the best precautions against SQL injection is to insist on prepared statements in your code. These strings set parameters for the user’s query before executing it so that it denies any unwanted input.
3. URL Hacking
A URL hack works on more or less the same principles as an SQL or XSS injection. Here, the hacker can relay a malicious piece of code through the URL bar. They can thus reveal sensitive data and edit the code.
From there, the attacker may opt for many different ways to damage your site. For instance, they could create a redirect that leads to one of their websites. Maybe they would insert malware into your website or reveal sensitive info.
Logically, the remedy for this threat is in the same vein as the previous two. Sanitizing (AKA escaping) user input and relying on parameterized statements will go a long way to ensuring that attackers can’t pull off a successful URL hack.
4. Brute Force Attack
For hackers striving to find your username and password, brute force attacks are a fairly handy tool. It’s a pretty straightforward idea: simply guess the correct string or phrase through trial and error until you get it right.
As you can expect, this method takes thousands of attempts to pay dividends. It’s like trying to guess a word someone’s thinking of by going through every single word that exists. Naturally, hackers use computer programs to make this process much faster, but it still takes plenty of time, sometimes years, even.
Despite the needed effort, brute force attacks are nevertheless a very real threat. Luckily, there are practical steps you can take to stop this kind of attack dead in its tracks. Here’s some useful advice:
- Keep your passwords strong (long, with numbers, not just one word, not directly related to you).
- Take advantage of Captcha to catch bots attacking your website.
- Implement two-step authentication that demands human responses (like one-time passwords sent to phones).
- Limit the number of login attempts so that bots can’t keep guessing your login details.
5. DDoS Attack
A very common cybercrime tactic, a DDoS (Distributed Denial of Service) attack serves to put your website out of working order. The plan is to send so much traffic your way that your site can’t deal with all the requests it’s getting, effectively shutting it down.
The attacker employs a (sometimes massive) group of malware-carrying computers (dubbed a botnet) to accomplish this. They may carry out the attack for a variety of reasons, ranging from financial gain to simple bragging rights. However, a DDoS invasion tends to come hand-in-hand with other forms of attack, usually serving as a distraction while the real operation takes place.
DDoS attacks are preventable with the proper security measures. A content delivery network (CDN), for one, can spread traffic across a multitude of servers. There’s also the intrusion prevention system (IPS) or web application firewall (WAF) that monitor incoming traffic and look for anomalies indicative of a DDoS operation.
Malware is a sort of umbrella term that describes a diverse sort of software. What they all have in common, though, is their purpose. Their general goals are to, in some way, disrupt, manipulate, or damage a database or system.
To these ends, hackers will utilize an array of worryingly creative programs and strategies. Trojans, worms, spyware, ransomware, adware - the list goes on, and this malware can do anything from spying on you to stealing your data or encrypting it and demanding money to give it back to you.
Given the broad scope of the danger, there are also plenty of ways to ward off the malware menace:
- Have a backup of your site.
- Periodically reset your passwords.
- Keep all plugins and software updated.
- Run routine virus scans.
7. Privilege Escalation Attack
Through a privilege escalation attack, a hacker will take any steps they can to accumulate the privileges they have on your website. Their objective is to gain access to as much information as they can, constantly trying to attain higher authorization. They may go about this by manipulating access tokens or bypassing user account control (UAC), for example.
Two types of privilege escalation attacks exist. Vertical focuses on gaining as much clearance possible, the higher the better. Horizontal, on the other hand, takes advantage of comparatively lower privilege levels spread across a number of accounts.
The problem with this kind of attack is that it can come from anywhere in your network (typically its weakest spot). The best way to ward off privilege hoarders is to constantly monitor your systems (MalCare would be helpful here). Deleting old plugins and themes will also wall off easier points of entry for hackers.
To sum up, these are the most common attacks plaguing WordPress users:
- Cross-site scripting
- SQL injecting
- URL hacking
- Brute force attack
- DDoS attack
- Privilege escalation attack
While there are certainly many of them to worry about, they are all preventable to a great degree. As long as you stay on top of the right prevention measures, you won’t have to worry about these attacks any time soon.