Nick Wolfe, WordCamp 2020 presenter, covers hacking and how to prevent it.
WordCamp 2020 presenter Nick Wolfe, a Certified Ethical Hacker and licensed Minnesota attorney, went over how hackers mess with your site and how you can help prevent being hacked. After a number of questions about what an ethical hacker is (as well as how you become certified as such and who does the certification), Nick explained why hackers bother.
There are a number of goals hackers have when breaking into your site. As you think of these, always keep in mind that in general, it’s not personal. The hacker is most likely not targeting you specifically. WordPress is often a target because it is the content management system with the largest market share. It’s a big target to aim for! As I type this, there is a known bug in a popular plugin which is being exploited by hackers.
Here are some of the common goals hackers have when trying to break into your site:
- Deface the site
Occasionally, all they want to do is leave their mark on your site. At best this can be an “I was here” message — at worst it can break your site and prevent it from being displayed at all, or can display inappropriate/offensive content.
- Send spam email
After gaining access to your site, the hacker will upload or embed code that will then use your site’s resources to send spam messages. This will consume resources, slowing your site down. This may also get the email address used by your site blacklisted, interfering with delivery of legitimate messages.
- Search Engine (SEO) spam
Once the hacker has access to your site files, they may simply add links to a site they want to promote, with the goal of improving their own site’s position in search engines. Unfortunately, this could also negatively impact the search engine performance of your own site.
- Malicious redirect
With this goal, hackers will add code to your site that will redirect traffic away from your site to an external site. If this goes unnoticed, you will lose traffic to your site…and possibly some business.
Don’t be discouraged, though — there are some basic things you can do to protect your site (and your sanity):
- Keep WordPress updated!
Updates to WordPress are constantly being made, and WordPress has an enormous community of developers working to fix and improve the platform. It won’t help if you don’t keep it updated, though.
- Be careful what you click
If you see a link on your site that looks out of place, don’t click on it! By clicking on the link, you may trigger code that can allow a hacker to gain access to your site. An example was demonstrated during the presentation where a single click created a new user with administrative privileges on the WordPress site. A user with this level of access could wreak havoc on your site.
- Turn off cross-frame options
Frames can allow an external page to be embedded within your own content, allowing malicious code to run. You can change settings to prevent this from happening.
- Install a web application firewall
A firewall is a part of a computer system that is designed to block unauthorized access to the system, while still allowing authorized communication. There are a variety of plugins available that will add a firewall to WordPress, such as WordFence and Sucuri Security. Both of these plugins have free and paid versions available. These plugins will proactively protect your site from attacks and can also alert you of security issues with your site.
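As an added illustration of the “turn off cross-frame options” advice above (this is example code, not from the presentation or from WordPress itself), the following must-use plugin tells browsers not to render your pages inside another site’s frame. The `send_headers` hook and `headers_sent()` are standard WordPress/PHP APIs; the header values chosen, the plugin name and the function name are the example’s own assumptions.

```php
<?php
/**
 * Plugin Name: Frame Protection (example)
 * Description: Sends anti-framing headers on every front-end response.
 * Drop this file into wp-content/mu-plugins/ so it loads automatically.
 */

// Hook into WordPress just before it sends its own response headers.
add_action( 'send_headers', 'example_send_frame_protection_headers' );

function example_send_frame_protection_headers() {
    // Headers can only be set before any output has started.
    if ( headers_sent() ) {
        return;
    }

    // Legacy header understood by all browsers: only pages from this
    // same site may load this page inside a <frame> or <iframe>.
    header( 'X-Frame-Options: SAMEORIGIN' );

    // Modern equivalent; takes precedence where supported. Use 'none'
    // instead of 'self' if nothing on your own site needs to frame pages.
    // (Values here are the example's choice, not a WordPress default.)
    header( "Content-Security-Policy: frame-ancestors 'self'" );
}
```

After installing, confirm the headers are present with `curl -I https://your-site.example/` (a placeholder address); both lines should appear in the response.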
If you want to learn more about how to prevent hacking or talk to our web experts, send us your questions.
Want more WordCamp 2020 insights? Here’s some further reading.