How does a WordPress site get hacked?
Kamil Porembiński
03.01.2019


When creating the WordPress security compendium, we checked thousands of accounts to find out how often a break-in occurs. Is this due to weak passwords? Or maybe poorly configured servers in a hosting company? Let’s find out!

Reasons for hacking the website

When security has been breached, apart from blaming everyone around them, many victims wonder why it was done at all.

Why did somebody even break into my website? I don’t have anything there!

The owner of a shop with two types of screws.

Website defacement

Very often, many cybercriminals simply want to destroy a website, change its content and leave information about the break-in and who did it.

A group of hackers (black hat) operating in the second half of the 1990s in Poland

Defacements most often happen for political reasons, for example during protests against laws and regulations such as ACTA. The reason may also be a change in the prices of a company’s services, e.g. the defacement of NASK’s website after it raised the price of Internet access.

Website owners learn about a break-in quite quickly and try to restore the website to working order and protect it.

Stealing information

At first glance it seems that we have a small blog with no data of any value to attackers. And yet! The e‑mail database from the newsletter, the e‑mail addresses left in comments under the posts. Or maybe we run a small online shop. There is even more valuable information there.

Attacks aimed at information theft or data leakage are not immediately visible. Attackers want to reach the data while hiding their presence on the site, which gives them continuous access to valuable knowledge and data.

An example of such a break-in is a leakage of e‑mails and passwords from the Morele.net store.

Script kiddie

A script kiddie using ready-made software attacks anything in sight, as long as it ends in a break-in. Your website may therefore be attacked quite by accident.

Script kiddie ;-)

Using ready-made tools, where it is often enough to enter a web address, they attack whatever they like. Given a large number of attempts combined with a messy server, they eventually manage to alter the page.

How does WordPress get hacked?

To see how the hacking happened, we analyzed more than 5000 infected WordPress-based pages. The list of pages to be checked came from companies cooperating with us and from customers who asked for help.

It is not surprising that missing updates and the clutter on the server and website are the most important reasons for a break-in.

In recent years, breaking into a website has mainly aimed at inserting malware which:

– creates a redirection to another page

– creates hundreds of thousands of pages with fake content

– adds hidden backlinks in the page code

– mines cryptocurrency

Cryptocurrency miners are currently blocked by browsers; the others are still used on a large scale in black hat SEO techniques. The main reasons for the attack are the lack of updates on the website – vulnerable plugins, often downloaded from dubious sources. There are also hosts where an infection of one page means the infection of all the pages on the account. Last year my client was an agency that had 92 clients on one account – a break-in on one of the websites (paradoxically, a Joomla one) resulted in the installation of a webshell and the infection of over 140 pages.

Krzysztof Radzikowski, radzikow.ski.
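Three of the four malware behaviours named above (redirects, hidden backlinks and in-browser miners) leave traces in the HTML a visitor receives, so the rendered page is a cheap place to look before digging through files. The scanner below is an added example and not code from the article or from the quoted author. It parses a constructed sample page with Python’s html.parser and flags meta-refresh and JavaScript redirects, links inside elements hidden by inline style or the hidden attribute, and a crude signature of a browser miner. The hostnames and SITE_KEY_PLACEHOLDER in the sample are placeholders, the regular expressions are heuristics to tune per site, and mass fake-content pages are out of scope here because they are better spotted from the sitemap or search console than from one page.

```python
"""Heuristic scan of one page's rendered HTML for the injection patterns the
quote lists: redirects, hidden backlinks and in-browser cryptocurrency miners.
Added example, not code from the original article. SAMPLE_HTML is constructed;
its hostnames and SITE_KEY_PLACEHOLDER are placeholders."""
from html.parser import HTMLParser
import re

# Inline styles that hide an element from visitors while search engines still index it.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0", re.I)
# JavaScript that sends the visitor elsewhere, and a crude signature of a browser miner.
REDIRECT_JS = re.compile(r"(window|document|top|self)\.location(\.href)?\s*=|location\.replace\(", re.I)
MINER_JS = re.compile(r"CoinHive|\.Anonymous\(|startMining\(", re.I)
# Elements that never get a closing tag, so they must not be pushed on the stack.
VOID = {"meta", "link", "img", "br", "hr", "input", "source", "base"}


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing. Assumes reasonably
    well-formed markup: every non-void element has its closing tag."""

    def __init__(self):
        super().__init__()
        self.stack = []          # one bool per open element: does it hide its content?
        self.in_script = False
        self.script_buf = []     # script text is checked as a whole at </script>
        self.findings = []

    def inside_hidden(self):
        return any(self.stack)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content") or ""))
        if tag == "a" and (hidden or self.inside_hidden()):
            self.findings.append(("hidden-link", a.get("href") or ""))
        if tag == "script":
            self.in_script = True
        if tag not in VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
            code = "".join(self.script_buf)
            self.script_buf = []
            snippet = " ".join(code.split())[:60]
            if REDIRECT_JS.search(code):
                self.findings.append(("js-redirect", snippet))
            if MINER_JS.search(code):
                self.findings.append(("miner", snippet))
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.in_script:
            self.script_buf.append(data)


def scan(html):
    """Parse html and return the list of (kind, detail) findings in page order."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate link, plus each injection kind once.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=https://redirect.example/landing">
</head><body>
<p>Welcome to our shop with two types of screws.</p>
<div style="display:none">
  <a href="https://spam.example/pills">cheap pills</a>
  <a href="https://spam.example/loans">fast loans</a>
</div>
<a href="/contact">Contact</a>
<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); m.start();</script>
<script>if (document.referrer.indexOf('google') > -1) { window.location = 'https://redirect.example/x'; }</script>
</body></html>"""


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_HTML):
        print(f"{kind:12} {detail}")
```

Run it against the HTML your server actually returns for a crawler user agent as well as for a normal browser: conditional injections like the referrer check in the sample only show up for the audience the attacker cares about.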

Another group of reasons are outright security holes in the software, mainly vulnerabilities in all kinds of WordPress plugins and themes. Examples are the bugs in the GDPR Compliance or Duplicator plugins.

Infections that we have to deal with have a diverse character and each must be approached individually. The most common causes of infections are:

– installing infected plugins from unproven sources,

– long-outdated WordPress core and plug-ins – this is 99% of the problems we encounter,

– poorly protected or configured server,

– other services running on the same server.

When removing an infection, it is very important not only to remove the malicious code, but also to find the source of the problem. It happens that there are several such sources on one page.

Piotr Całka – CEO of Inspire Labs and SiteCare – professional support for WordPress sites and WooCommerce shops

At the very end of the list of reasons for a break-in we can put things such as a weak hosting password, server configuration errors and the like. Practically all attacks on WordPress come down to careless users who forget to update their software.

An example from life

One of our clients’ sites was sending out a lot of spam, which our server monitoring system reported to us. A quick analysis showed that the files of one of the themes uploaded to WordPress were responsible.

./wp-content/themes/gaukingo/template-parts/media-views-rtl.php
./wp-content/themes/gaukingo/dbv.php

As you can easily see, the files are located in the directory with the gaukingo theme. After checking the software version, everything quickly became clear.

+-----------------+----------+-----------+---------+
| name            | status   | update    | version |
+-----------------+----------+-----------+---------+
| gaukingo        | inactive | available | 1.0.3   | <- deactivated and outdated version
| twentyfifteen   | inactive | available | 1.9     |
| twentyseventeen | inactive | available | 1.4     |
| twentysixteen   | inactive | available | 1.4     |
+-----------------+----------+-----------+---------+

As you can see, the website is a mess. The same is true for plug-ins. WordPress has a lot of disabled plugins that should be removed. One of them was GDPR Compliance.

The solution in this case was to restore uninfected files from the backup, which we keep for our hosting for up to 30 days back, followed by a clean-up and a WordPress update on the client’s side.

This is where a question arises. Why did the server security measures (malware scanner and antivirus) not detect the infection in these two files? The answer is quite simple. The attacker uploaded his own rather simple PHP code, which sent e‑mails. It was not any known malware, so the scanners did not flag the modified file as suspicious.

Relying only on server security or anti-exploit scanners can put you at risk, so you need to keep your software clean and up to date.
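Because a plain hand-written mailer has no signature to match, the fix used above (restoring from a clean backup) doubles as a detection method: any file that differs from the clean copy deserves a look, and a small heuristic can then rank the differences. The script below is an added example and not the hosting company’s tooling. It hashes a reference tree and a live tree, lists added, modified and removed files, and flags PHP files among them that call mail(), eval() or common decoding functions. The trees in demo() are constructed in a temporary directory; the theme name gaukingo and the two file names come from the article, their contents are invented, and the regular expression is a starting point rather than a complete malware signature.

```python
"""Integrity comparison of a live WordPress tree against a clean reference copy,
plus a heuristic for hand-written mailer or loader scripts that signature
scanners miss. Added example, not the article's or the hoster's own code; the
sample trees in demo() are constructed in a temporary directory."""
import hashlib
import re
import tempfile
from pathlib import Path

# Functions a hand-written spam mailer or loader needs. Theme template files
# have no business calling them; WordPress itself uses wp_mail(), which the
# leading word boundary deliberately does not match.
SUSPICIOUS_PHP = re.compile(r"\b(mail|eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def hash_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def diff_trees(reference, live):
    """Return sorted lists (added, modified, removed) of relative paths in live
    compared with reference."""
    ref, cur = hash_tree(reference), hash_tree(live)
    added = sorted(set(cur) - set(ref))
    removed = sorted(set(ref) - set(cur))
    modified = sorted(p for p in set(ref) & set(cur) if ref[p] != cur[p])
    return added, modified, removed


def suspicious_php(root, rel_paths):
    """Of the given relative paths under root, return the .php files whose
    source calls one of the functions in SUSPICIOUS_PHP."""
    hits = []
    for rel in rel_paths:
        path = Path(root) / rel
        if path.suffix == ".php" and SUSPICIOUS_PHP.search(path.read_text(errors="replace")):
            hits.append(rel)
    return hits


def write_file(root, rel, content):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)


def demo():
    """Build a constructed clean backup and an infected live copy, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp) / "backup", Path(tmp) / "live"
        template = "<?php get_header(); the_content(); get_footer();"
        for root in (backup, live):
            write_file(root, "wp-content/themes/gaukingo/index.php", template)
            write_file(root, "wp-content/themes/gaukingo/style.css", "/* gaukingo */")
            write_file(root, "wp-content/themes/gaukingo/template-parts/media-views-rtl.php", template)
        # Constructed infection: one dropped file and one legitimate file with a mailer appended.
        write_file(live, "wp-content/themes/gaukingo/dbv.php",
                   "<?php mail($_POST['to'], $_POST['subject'], $_POST['body']);")
        write_file(live, "wp-content/themes/gaukingo/template-parts/media-views-rtl.php",
                   template + " mail($_POST['to'], 'hi', $_POST['body']);")
        # A harmless edit, to show that "modified" on its own is not "malicious".
        write_file(live, "wp-content/themes/gaukingo/style.css", "/* gaukingo, colours tweaked */")
        added, modified, removed = diff_trees(backup, live)
        return {
            "added": added,
            "modified": modified,
            "removed": removed,
            "suspicious": suspicious_php(live, added + modified),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the reference tree is the last backup taken before the monitoring alert, or for core and official themes a fresh download of the same version; inactive, outdated themes like the one in the table above are easiest to handle by deleting them, since there is then nothing left to compare.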