3 Most Common Hacks
When it comes to our websites, we know security is a big deal. However, we don't always know how hackers will actually attack a site. Most attacks follow a few well-worn patterns, which makes the common approaches easy to recognise. By knowing what an attacker is most likely to try, we can secure a site against those attacks first. So, here are the three most common techniques used when attacking WordPress sites.
Brute Force Attack
A brute force attack is one of the most common attacks on any site. In this attack, the hacker guesses your password over and over until one of the guesses works. Of course, the hacker is no longer doing this by hand. He has scripts running that try passwords against many sites at the same time. One form of the brute force attack is called a dictionary attack. Instead of trying every possible combination of characters, the script works through a list of likely passwords: dictionary words, plus passwords leaked from other breaches and common patterns such as "password1". Since many of the most common passwords are single words, a dictionary attack is a quick way to gain access to a site whose password is weak.
So, how do you protect your site from a brute force attack? The first step is to ensure your passwords are strong. I wrote a guide on doing this, so be sure to read my post on securing your password. Next, don't hand the attacker a username to try: make sure there is no user with a common username such as admin, administrator, or developer. Keep in mind that this only slows an attacker down, because WordPress exposes usernames in other places (author archive URLs and the REST API list users who have published posts), so a strong password is what actually protects the account. Most security plugins have features in place to blunt a brute force attack. A common method is to limit the number of login attempts a user gets before the account or the attacker's IP address is temporarily locked out. If your password is weak, a script can usually find it within the first few thousand guesses, which takes only seconds. If you limit guesses to 3 or 5 before a lockout, the script never gets far enough down its list to succeed. Two caveats: a lockout keyed only on the username lets an attacker lock out the real user, and a lockout keyed only on the IP address does little against an attacker spreading guesses across many machines, so plugins usually combine both. Also make sure the limit covers every login path, including xmlrpc.php, which historically allowed many password guesses to be bundled into a single request.
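To show why an attempt limit works, here is a small added example (not code from the original post, and not how WordPress itself stores passwords): a constructed user store, a constructed seven-word "dictionary", and a dictionary attack run once against a login service with no limit and once against one that locks the account after a few failures. The salt, the word list and the `LoginService` and `dictionary_attack` names are all assumptions made for the demo.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo user store. Passwords are stored as salted PBKDF2 hashes
# for the example; WordPress uses its own (phpass/bcrypt based) hashes.
_SALT = b"demo-salt-not-secret"  # assumption: one fixed salt for the demo


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {
    "admin": _hash("letmein"),  # weak: a single dictionary word
    "editor": _hash("correct-horse-battery-staple"),
}

# Constructed mini word list; a real attacker's list has millions of entries,
# mostly drawn from leaked password dumps rather than an actual dictionary.
WORDLIST = ["123456", "password", "qwerty", "welcome", "letmein", "dragon", "monkey"]


class LoginService:
    """Checks passwords; optionally locks a username after max_failures bad guesses."""

    def __init__(self, max_failures=None):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def login(self, username: str, password: str) -> str:
        if self.max_failures is not None and self.failures[username] >= self.max_failures:
            return "locked"  # do not even check the password once locked
        stored = USERS.get(username)
        # compare_digest avoids leaking information through timing differences
        if stored is not None and hmac.compare_digest(stored, _hash(password)):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "bad"


def dictionary_attack(service: LoginService, username: str, wordlist):
    """Try each word in order; return (password, attempts) or (None, attempts)."""
    attempts = 0
    for word in wordlist:
        attempts += 1
        result = service.login(username, word)
        if result == "ok":
            return word, attempts
        if result == "locked":
            break  # the lockout ends the attack before the list is exhausted
    return None, attempts


if __name__ == "__main__":
    print("no limit:", dictionary_attack(LoginService(), "admin", WORDLIST))
    print("3-try limit:", dictionary_attack(LoginService(max_failures=3), "admin", WORDLIST))
```

Without a limit the weak "admin" password falls on the fifth guess; with a limit of three failures the attack is cut off on its fourth call and never reaches the word. The "editor" account survives either way because its password is not on the list, which is the point of the password advice above: the limit buys time, the strong password is what holds.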
SQL Injection Hacks
Let's assume that you have an insecure search form on your site. A normal visitor types in what they want to look for; the site builds a database query from that text, retrieves the matching data and displays it. Now, if a hacker uses the form, he types in certain words and symbols that change the query itself, so the site retrieves different data than the developer intended. Instead of showing a list of posts, the hacker can make the form show him the list of posts plus a list of all usernames and password hashes. This is SQL injection: a hacker enters malicious characters into a form whose input is pasted straight into a database query, and uses that to exploit the database in some way. Depending on the site, a hacker could use SQL injection to retrieve usernames and password hashes, retrieve credit card numbers, alter data, or even delete data.
How do you protect your site against SQL injection hacks? If you're the developer, never build a query by concatenating user input into the SQL string. Use WordPress's `$wpdb->prepare()` with placeholders for every value, use `$wpdb->esc_like()` for search terms that go into a LIKE clause, and validate and sanitize input before it reaches the query at all. However, most people are not developers. So, we need to choose quality plugins that we know are maintained and well reviewed, not install plugins from untrusted sources or developers, and keep WordPress core, plugins and themes up to date, since most SQL injection holes on WordPress sites are in third-party plugin code. When installing a plugin, check the plugin's reviews and support forums for any indication that it may not be secure.
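The search form described above, as an added example that is not part of the original post and does not use WordPress's own database layer: an in-memory SQLite database with constructed `posts` and `users` tables, a search function that concatenates the visitor's term into the query, the same search written with a bound parameter, and the payload an attacker would type into the insecure form. The table names, sample rows and hash strings are all made up for the demo; the parameter placeholder `?` plays the role that `%s` plays in `$wpdb->prepare()`.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed demo database: two posts and two users with fake hashes."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE posts (title TEXT, body TEXT);
        CREATE TABLE users (user_login TEXT, user_pass TEXT);
        INSERT INTO posts VALUES ('Hello world', 'First post'),
                                 ('Security tips', 'Use strong passwords');
        INSERT INTO users VALUES ('admin', 'constructed-hash-1'),
                                 ('editor', 'constructed-hash-2');
        """
    )
    return db


def search_vulnerable(db: sqlite3.Connection, term: str):
    # BUG (deliberate): the visitor's text becomes part of the SQL itself.
    sql = "SELECT title, body FROM posts WHERE title LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()


def search_safe(db: sqlite3.Connection, term: str):
    # The query text is fixed; the term is sent separately as a bound value,
    # so quotes, UNION and comment markers inside it are just characters.
    sql = "SELECT title, body FROM posts WHERE title LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()


# What the attacker types into the search box. The leading quote closes the
# string the developer opened, UNION appends a second result set, and the
# trailing "-- " comments out the developer's closing "%'".
PAYLOAD = "' UNION SELECT user_login, user_pass FROM users -- "


def leaked_logins(rows) -> list:
    """Usernames that appear in a result set that should only contain posts."""
    return [title for title, _ in rows if title in ("admin", "editor")]


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))
    print("safe:      ", search_safe(db, PAYLOAD))
```

Against the concatenated version the payload returns both posts followed by both user rows, exactly the "list of posts plus usernames and password hashes" described above. Against the parameterised version the same text is simply searched for as a title and matches nothing. The safe version still lets `%` and `_` in the term act as LIKE wildcards, which is harmless here but is why WordPress pairs `prepare()` with `esc_like()` for search boxes.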
Cross Site Scripting
Cross Site Scripting, or XSS for short, is when a hacker gets his own script to run in your visitors' browsers as if it were part of your site. Once that script is there it can do whatever your site's own JavaScript could do, for example track every visitor or send them somewhere else. One example that I have seen recently is a website with a form where visitors could enter testimonials. The entered testimonials were then displayed across the entire website. The hacker entered some malicious code into the form, the site displayed it unchanged, and that added his script to every page on the site. Now, every time a visitor loaded the website, they were redirected to a different website claiming that their computer was infected and they needed to pay $99 to fix it. The same end result, an attacker's tracking or redirect script embedded in your theme, can also come from a compromised theme or plugin file, but XSS specifically means the script arrived through input your site accepted and displayed without escaping it.
Protecting your site from Cross Site Scripting hacks comes down to one rule: anything a visitor typed must be escaped or sanitized before it is shown to anyone else, so that it is displayed as text rather than interpreted as HTML or script. For developers, WordPress provides `esc_html()` and `esc_attr()` for output, and `wp_kses_post()` when some limited HTML must be allowed. For everyone else, again, always install plugins from trusted sources such as wordpress.org and from trusted developers, and keep them updated, since a form that displays unescaped input is a bug in the plugin or theme that handles it.
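The testimonial form from above, as an added example that is not part of the original post or of any WordPress plugin: three constructed testimonials, one of them an attacker's submission carrying a redirect script, rendered once by pasting the text straight into the page and once after escaping it. Python's `html.escape()` stands in for WordPress's `esc_html()`; the redirect URL and the testimonial text are made up.

```python
import html

# Constructed submissions. The second one is what the attacker typed into the
# testimonial form; the redirect target is a made-up hostname.
TESTIMONIALS = [
    "Great service, would buy again!",
    '<script>window.location="https://attacker.example/pay-99"</script>',
    "Rated 5/5 <3",
]


def render_vulnerable(entries) -> str:
    # BUG (deliberate): visitor text is inserted into the page as raw HTML,
    # so a <script> tag in a testimonial runs in every other visitor's browser.
    return "\n".join(f"<blockquote>{t}</blockquote>" for t in entries)


def render_safe(entries) -> str:
    # html.escape turns < > & " ' into entities, so the browser shows the
    # attacker's submission as literal text instead of executing it.
    return "\n".join(f"<blockquote>{html.escape(t, quote=True)}</blockquote>" for t in entries)


def contains_script_tag(page: str) -> bool:
    """Crude check used only to demonstrate the difference between the two renderers."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(TESTIMONIALS))
    print()
    print(render_safe(TESTIMONIALS))
```

In the escaped page the attacker's entry survives only as `&lt;script&gt;...`, which a browser prints but never runs, while the legitimate "5/5 <3" testimonial still reads correctly. Escaping is context specific: `html.escape()` (like `esc_html()`) is right for text between tags, but a value placed inside an attribute, a URL or a JavaScript block needs the escaping function for that context, which is why WordPress ships several.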
Now that you know the basic concepts of the most common hacks, be sure to always discuss these with any plugin developer, theme developer, or any other developer that you have working on your site.
Has your site ever been hacked? Do you know how the hackers attacked your site? Be sure to comment below about the hacks that you have encountered so that we can all learn from them.