I was working late on a client’s website a couple nights ago, when I closed out and rushed home so that I could make it in time for dinner. After an amazing dinner prepared by my wife, I pulled up my client’s website on my phone to make sure the responsive design was looking the way it should and somehow, in the time it took me to drive home and eat dinner, this happened:
I immediately went into red alert, abandoned my wife and children, ran upstairs to my computer and got to figuring out what had just happened. Only moments earlier I was on that site and everything was fine! How could this have happened?! Fricken hackers.
Well, luckily I was able to resolve the issue by removing and replacing the core WordPress files, followed by some extensive security measures to make sure this wouldn’t happen again. But who was this hacker, I ask? Why would they do this to me? What would they have to benefit from it? Don’t worry, they have a Facebook page. Fricken hackers.
Why Hack WordPress?
Since becoming the most used website CMS, WordPress has somewhat of a target on its back from people who are looking to wreak havoc on the lives of innocent victims. I mean think about it, if you were wanting to affect as many websites as possible, and as quickly as possible, why not target a security hole that is found in millions of sites around the world? You’d get a much better response than trying to hit one or two websites at a time. Fricken hackers.
Luckily my sites that were affected weren’t high traffic sites that depended on visitors for revenue. Nor did this particular WordPress hack derive any real value for the hacker who did it. BUT, had they hacked a high traffic website, and had they placed, say, an ad or two on the hacked page, they may have been able to drum up a couple hundred bucks from some Pay-Per-Click revenue streams. Cha-ching! Let’s all be hackers! Not.
How to Avoid Having Your WordPress Hacked
WordPress does a pretty good job at fixing security holes in the core files as soon as it becomes aware of them, but where the problem usually lies is in your themes and plugins. There is no formal review process for the themes or plugins that are installed on your site. This means that if a developer misses a semicolon or forgets to dot an “i” and you upload his code? BAM, you have a glitch in the Matrix and you are exposed. If you have installed a free theme that has been installed thousands and thousands of times on thousands and thousands of websites, then, using the logic above, those fricken hackers are going to hit your site because they can take out a gazillion of you at once, versus a totally custom theme that was only used… once. See the mentality yet? Fricken hackers.
Same goes for plugins. Be careful what you install. WordPress hackers are trying to break in however they can, and once they’re in, it can be really hard to get them out. WPEngine does a pretty good job at keeping crappy plugins off their hosting environment, so they made a list of disallowed plugins. If it’s not good enough for them, it’s probably not good enough for anyone, right?
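The fix above (rip out and replace the core files) only works if you can tell which files were touched. Here is an added example, not from the original post, of the kind of integrity check that finds modified or planted files in the core directories: it hashes a constructed sample install against a constructed known-good manifest (a real check would use WordPress’s published checksums, which is what WP-CLI’s `wp core verify-checksums` does) and reports modified, missing and unexpected files.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a known-good manifest: relative path -> sha256 of
# the pristine file from a fresh download. Contents here are hypothetical.
GOOD_FILES = {
    "wp-login.php": b"<?php\n// login form\n",
    "wp-includes/version.php": b"<?php\n$wp_version = 'x.y.z';\n",
    "wp-admin/admin.php": b"<?php\n// admin bootstrap\n",
}
KNOWN_GOOD = {p: hashlib.sha256(c).hexdigest() for p, c in GOOD_FILES.items()}
CORE_DIRS = ("wp-admin", "wp-includes")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_core(root, manifest=KNOWN_GOOD):
    """Compare an install against the manifest.
    Returns (modified, missing, unexpected) lists of relative paths."""
    modified, missing, unexpected = [], [], []
    for rel, digest in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif sha256_file(full) != digest:
            modified.append(rel)
    # Anything inside the core directories that the manifest does not list is
    # suspect: a clean core tree contains nothing beyond the shipped files.
    for d in CORE_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, d)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                rel = rel.replace(os.sep, "/")
                if rel not in manifest:
                    unexpected.append(rel)
    return sorted(modified), sorted(missing), sorted(unexpected)

def build_sample_install(tamper=True):
    """Write a constructed install to a temp dir. With tamper=True, append
    code to one core file and drop an extra file into wp-includes."""
    root = tempfile.mkdtemp()
    for rel, content in GOOD_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    if tamper:
        with open(os.path.join(root, "wp-login.php"), "ab") as f:
            f.write(b"// unexpected appended code\n")
        with open(os.path.join(root, "wp-includes", "extra.php"), "wb") as f:
            f.write(b"<?php // not part of core\n")
    return root
```

Run `check_core` against a real install root with a manifest built from the official checksums; anything in the modified or unexpected lists is what needs replacing or removing, and it is worth re-running after the cleanup to confirm nothing came back.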
At the end of the day, there will ALWAYS be the potential of your WordPress site getting hacked no matter what host, or theme, or plugin, or shampoo you’re using. But hopefully you can limit your hacking exposure at least to some degree. So how do you hack a WordPress site? I dunno. Don’t do it.