Our humble website is under nearly constant attack by hackers. Now, as much as I’d love to believe it’s because we’re important and influential tastemakers, sadly that’s not the case (yet?). We’re actually not unique in this regard at all. Quite honestly, we don’t even have that much traffic.
So why are we under attack? Like 35% (!) of the entire internet, our site lives on WordPress.
And why does being on WordPress make us a target? Because it’s 35% of the internet! This ubiquity is why WordPress is the target of 90% of hacked CMS sites.
But why, you might ask, if our site doesn’t have meaningful traffic or influence, are they trying to break in?
Basically, they want to add us to a larger network of malware. When hackers get access to multiple WordPress sites, they use it for a number of nefarious purposes, specifically by co-opting it into a larger web of hacked sites that they’ll use for their end goal.
Here are 3 ways they might do this:
1. Black Hat SEO (Search Engine Optimization)
Search engines like Google use “relevance” as a factor in determining how sites are ranked within the results of a given search. One of the methods they use to determine a site’s relevance is counting how many external websites link back to it. The thinking is that if many external sites link to a given site, that site must be credible, because people think it’s important or influential enough to warrant linking to. Black hat SEO providers will hack into your WordPress site and add a link to the site they are trying to promote. Search engines will count this as an inbound link and increase that site’s relevancy score.
2. Ad Fraud
They might also inject ads into your site to increase impressions. They will inject a code snippet that contains an advertisement, maybe a banner ad or something similar. When someone visits your site, they will see this ad. Because ads are often charged to the advertiser on a cost-per-impression basis, each additional impression an ad gets can increase the revenue the attackers can make.
3. Force Redirect
The attackers can also use a code injection to force a page redirect. In short, they will add a different snippet of code that forces the user’s browser to follow a different URL to a different website entirely. Anyone trying to visit your site will be automatically forwarded on to the attacker’s intended site. They might do this to boost traffic numbers on their site or to trick you into downloading malware, among other purposes.
So how can we fend off these attacks?
The easiest way to prevent this is to decrease what’s known as your “attack surface.” The larger your surface, the more ways an attacker might potentially get into your WordPress site.
First, you should change your default login URL. By default, WordPress uses yourdomain.com/wp-login.php as the login page. If you visit any WordPress site and add /wp-login.php you’ll be able to see the login page. From here, hackers can try to force their way in. By changing the login URL from the default to something harder to guess, you make the login page much harder to find, decreasing your “attack surface” and potentially dissuading hackers from trying. If, like us, your site doesn’t have any meaningful traffic or influence, they will likely determine it’s not worth the effort and move on to the next site. Here is how to do that.
You should also install a security plugin that locks out users after a few failed login attempts. This blocks what are called brute force attacks, in which the attacker simply tries password after password, and which are what these hackers are most likely using to gain access to your site. We use WordFence.
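As an added example (not code from the original post, nor from WordFence), here is the kind of lockout rule such a plugin applies, run over a few constructed web-server log lines: an IP that fails to log in at /wp-login.php several times within a short window gets flagged for lockout. It assumes the common heuristic that a failed login POST to wp-login.php returns 200 (the form is re-rendered) while a successful one returns a 302 redirect; the threshold and window values are assumptions, not WordFence defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (Apache combined format); not real traffic.
# 203.0.113.7 hammers the login form; 198.51.100.2 is a normal user who mistypes once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:12:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:12:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:12:00:35 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def find_brute_force(log_text: str, threshold: int = 5, window_seconds: int = 300) -> dict:
    """Return {ip: time_lockout_triggered} for IPs with >= threshold failed logins inside the window."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failed attempts
    locked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Heuristic (assumption): failed login = POST to wp-login.php answered with 200.
        if m["method"] != "POST" or not m["path"].startswith("/wp-login.php") or m["status"] != "200":
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop attempts outside the window
            q.popleft()
        if len(q) >= threshold and ip not in locked:
            locked[ip] = ts
    return locked

if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG).items():
        print(f"lock out {ip} (threshold reached at {when.isoformat()})")
```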
With these simple precautions you greatly lower your chances of intrusion and can hopefully avoid some of these headaches by making your site annoying enough that the attackers will move on.