Developers August 14, 2020

WP Website Got Hacked. How to Avoid It Happening Again.

Dinesh Thakur @Dinesht

Got this message this morning.

Google has detected that some of your webpages have been hacked by a third party who may have created spammy or malicious content on your site. Hacked: URL injection.

Can anyone here please tell me the reason the WP website gets hacked? Is it due to buggy code on the website or a password that is easy to crack?

And how to avoid websites getting hacked? Any tool or plugin recommendations to avoid it?

And is there a way to make 100% sure that the website will not get hacked?

Any feedback will be much appreciated.

  1. 6

    URL injection

    This has been one of the top 10 common code bugs for years. Programmers (more commonly in some languages like PHP, which WordPress is built on, due to how things like libs are structured...) write the easiest code they can that relates to the DB, which is connect strings, and have no input validation.
    So the URL of the site (simplifying a bit) is used: in place of letting a parameter be page=5, I write page=5; **do anything I want**
    And I have 100% control of the database, which I would use to escalate further.
    (Anything I want means I can extract data and modify data.)
    Basically you would need to check every parameter in your site for this as a security check; you can put, let's say, "=;select * from users" on a parameter, and if that works, it's vulnerable to that exploit.

    https://www.toptal.com/security/10-most-common-web-security-vulnerabilities
    Common Web Security Mistake #1: Injection flaws

    As a developer I think we as an industry are failing big time to allow these things to still exist and to not do safe-by-default stuff.
    If my little project takes off, I might be able to do some mass solving of that in the future 🤷

    And is there a way that can make sure 100% that website will not get hacked.

    Not really.
    The less interactive a website is, the easier it would be; a read-only website, for example, would be easier to secure. To that extent there are methods of using WordPress, for example, to generate a static HTML page, which is what you put public facing (so you hide/secure the more vulnerable parts like the DB admin totally from users).

    As others said, the common issues with WordPress hacks are low-quality plugins installed... and not updating...

    There are security scanners and such, or protection middle layers... maybe Cloudflare helps with filtering out these easier issues, not sure..
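    A worked illustration of the flaw described in the comment above, added here as an example and not code from the thread or from WordPress itself: a query parameter pasted straight into SQL (the "before") next to the same lookup done with WordPress's own `$wpdb->prepare()` and `absint()` helpers. It assumes it runs inside a WordPress plugin where `$wpdb` is available; the `page` parameter name and the columns selected are assumptions.

```php
<?php
// Added example (not from the thread). Assumes a WordPress plugin context,
// where the global $wpdb object and the absint() helper are available.

// BEFORE: the raw ?page= value is concatenated into the SQL string.
// A value such as "5; select * from users" (the check suggested above) is
// handed to the database as part of the statement, not as data.
function get_page_unsafe() {
    global $wpdb;
    $page = $_GET['page'] ?? '';
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = " . $page;
    return $wpdb->get_results($sql);
}

// AFTER: validate the type first, then bind the value via a placeholder.
// absint() coerces the input to a non-negative integer, so "5; select ..."
// becomes 5 and "=;select * from users" becomes 0 (rejected below).
// $wpdb->prepare() binds %d and %s placeholders, so the value can never
// change the structure of the statement.
function get_page_safe() {
    global $wpdb;
    $page = absint($_GET['page'] ?? 0);
    if ($page === 0) {
        return null; // no such post; do not touch the database at all
    }
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d",
        $page
    );
    return $wpdb->get_results($sql);
}
```

    Running the check from the comment above against the two versions shows the difference: with the first, the parameter rewrites the query; with the second, a non-numeric value simply returns nothing.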

    1. 1

      Thank you. What if we use the website in plain HTML and don't use WP? In that case, can hackers do the URL injection stuff?

      I checked this video https://www.youtube.com/watch?v=iOWTTt9r1FM and here this guy gives one script which will prevent URL injection. Can you please provide your feedback on whether it is effective or not?

      1. 2

        Notice that file is only for Apache web servers; you need to know what you're running: Apache, nginx or something else.

        SQL injection is just one security issue type, though probably the most common. If you have unprofessional extensions you're likely to get other issues as well.

        1. 1

          Ok, thank you. Understood your point here.

  2. 3

    There is no such thing as 100% secure.

    You can improve it with plugins like Sucuri; someone already mentioned using Cloudflare.
    Keeping your plugins and CMS up to date is the main priority; having a good password is a must.

    However, these kinds of attacks are usually not targeted, so you can follow the "hacker's" steps and attack yourself regularly to see if anything new pops up.

    WPScan, SearchSploit, Exploit-DB

    Well, WordPress is like a playground for whoever wants to become a hacker :) So avoiding it also keeps you in a more secure position.

    1. 1

      Agree here, WP looks so weak that a beginner-level hacker can hack it.

  3. 3

    After more than a decade of using WordPress, although my WP sites have never been hacked, I have given up on WP for good for the following reasons:

    • The effort (time + money) to prevent a WP site getting hacked (security plugins, practices, auditing plugins, extra resources for security etc.) became capitally inefficient.
    • The security architecture for WP involves the use of the same plugin system which causes the security vulnerabilities in the first place. The plugin developer can sell it to a malicious player any time they want. WP hasn't really focused on improving the state of security for the platform, even after collaborating with Google.
    • Site optimisation costs became capitally inefficient.
    • Random database errors became unacceptable for a platform nearly two decades old.

    Then again, I understand why WP holds value, especially for those who are not web developers themselves and are hosting their site for the first time. But this is leading to an army of vulnerable websites on the Internet.

    This is my suggestion for anyone new to hosting a website:

    For simple websites: choose a static builder or a 3rd-party website builder to build/host your website. Further, static webpages gain in page rank for being extraordinarily fast from the onset (if you don't bloat them with JS).

    For complex websites: build a web app taking advantage of newer, utility-friendly programming languages like Golang.

    1. 2

      Thank you for all the valuable points. I agree here; year by year WP is becoming a paradise for hackers. It seems like hackers don't need to put in any great effort to hack the website either.

      It seems like WP doesn't care much about security concerns, and that's the biggest reason any 2nd- or 3rd-tier hacker is able to hack a WP website easily.

      1. 2

        Not necessarily; all they need to do is use a widely available tool which runs non-targeted scans over a wide range of IP addresses for known vulnerabilities and uses dictionary attacks against weak passwords.

        Anyway, I feel I didn't answer your original question properly:

        How to Avoid It Happening Again

        In case you run WP (against the aforementioned recommendation):
        • Use trusted themes and plugins, published by those who have a track record of patching vulnerabilities faster and making it known via their release notes.
        • Use 2FA; it goes without saying: a very strong password (don't come up with one, use a reputed password generator).
        • Use an endpoint firewall and malware scanner.
        • Use an automatic WordPress and plugin updater (beware of possible database and other errors after updates, especially if you use cache/minification plugins).
        • Back up every day.
        • Use a host which keeps their side of things up to date, including but not limited to PHP, mail server/client etc.

      2. 1

        So do some web hosts. I got one node hacked within 3-5 minutes of provisioning, before I had even connected to it, because they used silly passwords; it only took him 3 attempts and I didn't know until days later.

        1. 1

          Wow, I don't think any host would be so dumb as to use the same passwords for their provisions; so I presume they used a weak password generator or their pseudorandom generator was weak?

          Anyway, can you name the host so that we can stay a mile away?

          1. 1

            It was a long time ago; I can't recall at the moment.

            It was manually installed or something and used a default password from somewhere..

  4. 3

    The best cure is not to use WP at all 🤭

    1. 1

      I confirm. It's so popular and so messy (code-wise) that it's the first target of hackers.

      1. 1

        Exactly. It also gets very slow the more plugins you install.
        And sometimes you can't remove them because you can't do the website without them. That's why my customer doesn't regret writing the online shop from scratch in CakePHP instead. Works great and so much faster.

  5. 3

    Some WP best practices:

    • Only install plugins you need. Every plugin you install is extra code with potential security holes in it. Uninstall plugins you don't need.
    • Keep your WP and all plugins up to date. Security flaws are being found all the time, and there are automated tools hackers will use to find the version of WordPress you are using and try known exploits.
    • Have a secure, strong password. This goes for everything, but don't give your password out to anyone and have a strong password.
    • If you have other users using your WP, only give them the permissions they require. Give each person a unique account and only the required permissions. If their account gets hacked you can lock it down quickly.
    • Serve over HTTPS. If you're serving over HTTP (especially the WP-admin page) then usernames and passwords will be sent in plaintext. An opportunistic cracker/bot can read them and use the credentials maliciously.
    • Keep your web server up to date. I don't know the specifics of your WordPress setup, but if you are running it yourself make sure the operating system, web server and other software are routinely updated.
    • Have firewalls in place. If you are running your own server you probably only need a handful of ports open (HTTP/HTTPS for WordPress; maybe SSH/FTP depending on what you are doing). Everything that should not be exposed to the internet should be behind a firewall.

    Unfortunately these things happen, so the bonus point is:

    • Keep logs and backups. If/when you get hacked (either you notice or, ideally, you have some monitoring set up) you can quickly restore from the backups. Use the logs to try and find out where the error came from and rectify it (making sure your backup does not contain any malicious script).

    1. 1

      Thank you for all the tips; looks like if we miss any one of these there are chances the website gets hacked. Never imagined website security would be such a painful task, especially for someone who comes from a no-coding background.

      1. 3

        Yeah, web security is a job in itself. Without any knowledge it is very easy to have security holes in your application.

  6. 2

    Hey Dinesh, sorry to hear about the hack.

    A friend from Twitter pointed me here to this thread because they thought I could add value (I'm founder of a web security company). Finally, I made an Indiehackers account after being a passive reader :)

    Looks like almost all the best practices have been covered below by the community. In WP, it's usually one of the plugins at work, sometimes with a known exploit and sometimes a 0-day.

    That said, if you are looking for some basic WP security practices which are often ignored/not known, to get them implemented on your WP please feel free to use a free WP plugin by us; it goes by the name of 'WP-hardening'.

    If you would like, I'm happy to send across our firewall and malware scanner solution for your WP to keep it protected going forward.

    Cheers,
    Shikhil

    1. 1

      Sure, I'll check out and give WP-hardening a try.

  7. 2

    You have NO IDEA how many attempts at poking around my websites are performed each day by bots assuming I have WordPress (I have Rails, in fact) — it's crazy, so many plugin calls, poking around PHP config, trying to trip the server with some malformed UTF payloads. I would be VERY afraid to self-host WordPress these days.

    1. 1

      It's the current state of WP in the context of hacking attempts. And I think hacking attempts are directly proportional to the popularity/traffic of the website as well.

  8. 2

    Could be any third-party plugin. I spent years making WP sites. I just made my first Gatsby site. It was a wonderful experience; you still have great plugins and themes, and because Gatsby is a static site generator, speed and security come for free and hosting fees are practically nothing. If you are enough of a developer to do a WP site I think you can also easily learn Gatsby. I can't imagine I will ever use WordPress again.

    1. 1

      Thank you. This is the first time I have heard about Gatsby; I think this is their website URL https://www.gatsbyjs.com/. Can you please tell me what some cons of Gatsby are?

      1. 2

        Because it's statically generated content, any user-generated content (even comments) needs a dynamic solution. If you want to make a login-based site that would also be more work. You can hook it up to various CMS systems and constantly rebuild the site if need be. When a comment comes in, you confirm it, rebuild the page and redeploy it. So it's suited to content that does not change moment to moment. I have seen people create e-commerce on top of Gatsby, but it might not be the best solution for dynamic sites like that (if you wanted to maintain stock counts etc.). Also, because of those facts, the hosting/building/deploying setup might be more complicated. My personal site is set up in such a way that I just git commit either content as Markdown files or development/design changes and my CI/CD just takes care of the rest.

        1. 1

          Thank you for sharing these valuable insights.

  9. 2

    After maintaining many client WP sites for 10+ years, I now set up WP like this:

    • Install WP in a subfolder, not the root, something like /public/secret_wp_location, and lock access to that folder.
    • Then use a generate-static-pages plugin to generate static pages in the root; there are plenty of those, just make your pick. Some even save directly to services like S3, Netlify ....

    For most use cases this is fine. If the client requires forms to be passed I use static form providers; if they want comments I use services like Disqus or alike, depending on requirements. You are completely safe, but you can't run shops (WooCommerce), social networks or membership sites; for most use cases it works perfectly.

  10. 2

    I can't believe no one else has mentioned this yet, but add two-factor authentication to your WordPress admin, for example with this plugin; that way only you, with your device, can log in.

    It's good to keep everything up to date for sure, but that won't help when people gain access to the admin. With 2FA, they're going to need a code from your device to even be able to.

    1. 2

      With SQL injection no one needs to log in to change your entire site, steal information, install backdoors, create or modify the admin (including the 2FA) or delete everything, if one wishes..

      1. 1

        Quite a surprise, and interesting.

    2. 1

      Thank you, two-factor authentication increases the security level. I'm going to use it.

  11. 2

    When your CMS is used on half of the internet, it will be hacked anyway. That's the same reason why all the viruses are on Windows, not on Mac or Linux.

    And yes, WP is not secure out of the box. It is good to have anti-spam and security tools like Wordfence and Akismet, and to use reCAPTCHA on forms. Also, it is good to be hosted on top of WordPress-focused platforms, like WP Engine.

    1. 1

      Linux is installed on way more nodes than Windows, just saying.

      1. 1

        This is true, but speaking about desktops and non-technical users, Windows is a much better analogy :-)

        1. 1

          Right, non-technical users = easy to hack!

    2. 1

      I think WP is now a hub for spammers and hackers. You need to spend more time and effort on website security, and need to use a good number of plugins for the same.

  12. 2

    Before you do anything else, are you sure that's a legit message that comes from Google? Is it an email or do you see it somewhere in the Google tools?

    1. 1

      I got an email from Google Search Console, and I checked the same in Google Search Console.

  13. 1

    That's the primary reason why I prefer site builders or platforms like Squarespace and Blogger over WordPress. I have a team of highly skilled engineers working 24/7 to prevent and address any vulnerabilities, and fix issues if anything goes wrong. While I sleep.

  14. 1

    Don't use WP? :)

    The problem is, if you install more plugins they can cause other issues like conflicts. So it's a trade-off.

  15. 1

    I highly doubt that Google will inform you about this 😅

    1. 1

      Google does, if you have an account in Google Search Console.
