Hacking WordPress for Fun and Profit, Part 1
Over 30% of the world's websites are currently built with the WordPress. From complex e-commerce sites to small personal blogs – all are targets for hackers.
Part One: Why cybercriminals target WordPress
ImmuniWeb® WebScan statistics reveals that among almost 30 millions of tested websites at least 54% run WordPress. In the meanwhile, Sucuri says that WordPress infections rose from 74% in 2016 Q3 to 83% in 2017.
WordPress infections rose from 74% in 2016 Q3 to 83% in 2017.
In Part One of this two-part series on attacking WordPress, we will examine why cybercriminals attack sites of all sizes. Once site owners realize that they are a target, they will be able to take steps to protect their own site and prevent it from being used against others. Part Two will examine the methods cybercriminals use to attack WordPress, and the steps site owners can take to protect themselves.
To steal users’ personal information
Personal data is always valuable. Email addresses can be used for spam, spear phishing and other types of consumer fraud. User IDs and passwords are collected and used in credential stuffing attacks on other websites where users might employ the same passwords. All and any personal data can be collected, collated with other data stolen elsewhere to build personal profiles, and used for identity theft or targeted spear-phishing attacks.
A particular target is the credentials of celebrities who may use a WordPress ecommerce site. Since people often re-use the same password, these may provide the criminal with access to the celebrity’s personal social media accounts.
Large WordPress sites can store vast numbers of subscribers’ details; but even small personal sites will hold the credentials of the few who operate it.
In May 2017, cyber criminals exploited a deserialization flaw in the Struts component of the Apache web server used by Equifax, leading to the theft of personal information of nearly 150 million people. Apache is the most widely used server on the internet. Even if Equifax did not use WordPress in this instance, Apache underlies a huge number of WordPress installations.
To hide malicious links (on-page or in comments)
Compromised blogs can be used for malicious links, either inserted into the blog’s copy or as user-added comments on the blog pages. These links can direct unsuspecting visitors to malicious sites for phishing and malware downloads. In the worst cases, they can be part of stored XSS attacks.
The presence of malicious links will lead to search engine blacklisting, and loss of traffic.
To store and distribute malware
A compromised WordPress site can be used to distribute malware directly to visitors. This could mean that every person visiting your site is at risk of an automatic malware download. This is usually flagged by Google, harming your website’s SEO significantly, and damaging your reputation.
This is the basis of the ‘watering hole’ and ‘drive by downloading’ attacks. In the former, the compromised site simply waits for visitors – who may well be business partners and associates. If your site offers a niche service, users operating in the same field will be naturally drawn to it. In the latter attack, visitors may be guided to the compromised site by spam or phishing emails.
For traffic theft
Compromised sites can be used for traffic theft. Around June 2018, an unusually sophisticated piece of malware known as Baba Yaga emerged. Baba Yaga automatically generates nonsensical – but SEO keyword-laden – content for the WordPress blog. Visitors to these posts are redirected to the attacker’s commercial website, generating traffic and income.
Hiding nefarious content
Compromised WordPress sites have been used to hide pornographic material. Once compromised, orphan pages are created to house the material. These pages have no incoming links and can remain invisible to the site owner. They can only be accessed by people who know the specific page URL.
Political activists (hacktivists) – and even wannabee hackers looking to build reputation – seek to compromise WordPress sites to promote their own agenda. The idea is to replace the home page, partially or totally, with their own message. While a site relevant to their cause is preferred, frankly, any site will do.
WordPress and DDoS attacks
WordPress is susceptible to DDoS, has been used to concentrate DDoS attacks, and has been used to launch DDoS attacks.
Small blogs are often hosted on minimal provider contracts. A particularly invidious DDoS attack against that site will send repeated requests to known PHP files (often with a legitimate page URL appended). This rapidly uses the contracted bandwidth and the site hangs until the bandwidth is renewed. There is no easy solution to this type of attack other than an external WAF – which may not be available for a low-cost contract on a shared server.
This attack is often pure spite. There is no immediate benefit to the attacker (small personal blogs can rarely be extorted). The attacker could be someone you offended, or a script kiddie doing it simply because he (or she) can.
The xmlrpc.php file has been used to concentrate DDoS attacks by the reflection method. In this case the site is not the target. Its PHP file sends a ping response to sites that ping it. This can be spoofed, so the ping response goes to the DDoS target. When this is done repetitively by thousands or tens of thousands of WordPress sites pinging back to the one target, it can be a very effective DDoS method.
It is important to note that this doesn’t require WordPress to be compromised. All the attacker initially needs is the site location.
WordPress has been reducing the size and functionality of xmlrpc.php to mitigate against the process and may well remove it altogether at some stage.
Compromised WordPress sites can also be co-opted into a WordPress botnet directly delivering DDoS attacks against the bot master’s target.
Quite simply, no blog is too small, new or unpopular to be a valuable target in some way. Ilia Kolochenko, CEO of High-Tech Bridge, comments: “WordPress is the most popular CMS in the world, and if properly configured and maintained - it is quite secure compared to other systems. However, many WordPress installations are not updated for months or even years, let alone plugins that contain a great wealth of unreported and thus unpatchable vulnerabilities allowing takeover of the website in less than a minute.
“Many WordPress installations are not updated for months or even years, let alone plugins that contain a great wealth of unreported and thus unpatchable vulnerabilities allowing takeover of the website in less than a minute.”
The advantage for the attackers is that attacks against WordPress can be easily automated and run on a large scale. We will likely see a steady growth of such attacks: vulnerable WordPress installations and profitability of miners is an explosive cocktail.”
In Part Two of this series, we will examine the different methods used by attackers to compromise WordPress sites, and what site owners can do to keep themselves safe. Failure to do so will lead to loss of visitors through your site being blacklisted by the search engines, and actual harm to visitors and other sites.