How Hackers Attack WordPress Websites?

Posted on July 3, 2013 by

WordPress is probably the most popular content management system on the planet. But like any software, it by its very nature requires regular maintenance as well as new security patches and updates. WordPress has been freely available since 2004 and its development team has released many updates needed to patch major and minor security holes. Unfortunately, some websites powered by WordPress are still being hacked as new security holes are discovered.

So what makes WordPress websites susceptible to malicious code? Mostly, the causes are old WordPress versions along with third-party plugins and themes with vulnerabilities in them. When we throw the popularity of WordPress into the mix, sites based on this platform do seem to be more vulnerable.

Users typically get nagging messages whenever new WordPress updates are released, and these are pretty much ignored. It’s quite rare to see WordPress affected by core vulnerabilities, but they do exist. Fortunately, the development team of WordPress is pretty good at delivering security patches efficiently and quickly. Thus far, the risk related to the exploitation of security holes is relatively minimal, provided that users keep their WordPress installation fully updated.

Again, the real problem is users who tend to ignore the update notification. And they are not just average or inexperienced users who barely know that updates are needed. A few years ago, Reuters’ website was hacked because it ran an older WordPress version.

Other issues are themes and plugins of varying quality. Inevitably, some website administrators use add-ons with security loopholes in them. In many cases, pirated plugins are injected with malicious code, and popular search engines are not too reliable in helping us find fully secure WordPress themes.

Then we need to consider the significant popularity of WordPress; in a few years we will see one billion websites running the CMS. The popularity factor easily means that hackers who are able to break through one WordPress version may potentially have millions of others in their playground. Hackers don’t hack websites with the latest software versions; instead they scan for those with old, vulnerable WordPress versions, and there are many millions of those out there. WordPress is praised for its ease of use, but this could provide a false sense of security to developers and users alike. Risks associated with user-related issues include poor system administration, bad credential management, corner-cutting methods and lack of web knowledge.

To remedy these issues, it often takes only a bit of education and time. Website administrators don’t have to reach expert-level education, but at least they can ensure that all security requirements are fulfilled.

The nature of WordPress hacking changes as the Internet evolves. Early hacking attempts were very different from what we see today. They were performed by real tech specialists who manipulated websites to do many things beyond the original intentions of core developers. Today, hacking attempts are mostly about financial gain. Malicious code injected into WordPress installations could also be intended for fake downloads, spam distribution, DDoS attacks and identity theft.

Hackers may use automation to achieve their goals. Bots can quickly generate hazardous payloads and efficiently employ specific techniques to break through the security layers of WordPress-based websites. The Blackhole Exploit Kit is one of the more commonly used tools and hackers can actually purchase some of these kits online. A number of bad developers consider this a true enterprise, as they can provide support and updates so these tools can keep exploiting newly discovered vulnerabilities on WordPress and other platforms.

Bad Redirects

WordPress websites infected with bad redirect attacks send their users to specific websites, sometimes with malicious intent. The destination sites occasionally contain malicious payloads, stored in seemingly benign files like stats.php. In other cases, redirection is aimed at improving traffic to ad-filled destination websites.

As with other attacks associated with malicious code, it still comes down to user access. Bad redirects can be triggered by backdoors and outdated WordPress installation versions. Fortunately, spotting bad redirect infections on a WordPress installation is easier, and web administrators can start by checking the .htaccess file. On WordPress installations infected by bad redirects, there could be encoded malicious code residing in specific PHP files, such as index.php, footer.php and header.php.

Fortunately, free scanning tools like SiteCheck can easily detect bad redirects. It’s also a good idea to listen to feedback from users; in many cases, reports from users are early indications that bad redirect attacks have taken place. Sometimes the redirect behaves differently from one user to another, so web administrators should ask which web browser and OS the users are running.

Web administrators can start cleaning their infected WordPress installation by opening the .htaccess file and comparing it with a healthy backup. If possible, they should also check all .htaccess files that reside on the same server.

Obviously, bad redirect attacks don’t only infect the .htaccess file, and web administrators should also check for malicious redirect code in header.php and index.php. It should be noted that the code can generate multiple .htaccess files in numerous directories, making the cleaning process more difficult. Consequently, any attempt to remove infections may feel like an arduous uphill struggle, as cleaning all infected files isn’t always enough. Web administrators should also check outside of the Web directory, as infected files are present there as well.
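The .htaccess check described above, as an added example that is not part of the original article: a shell function that walks a directory tree, finds every .htaccess and prints the rules that depend on the visitor's referrer or user agent or that redirect to an absolute URL. The sample tree and the redirect-target.example host are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article).

# Print file:line:text for every .htaccess rule under $1 that keys on the
# visitor's referrer or user agent, or that redirects to an absolute URL.
audit_htaccess() {
    # grep exits 1 when nothing matches; that is not an error for an audit.
    find "$1" -type f -name '.htaccess' -exec grep -HniE \
        -e 'RewriteCond[[:space:]]+%\{HTTP_(REFERER|USER_AGENT)\}' \
        -e '(RewriteRule|Redirect(Match)?)[[:space:]].*https?://' {} + || true
}

# Constructed sample: a stock WordPress .htaccess at the root and an altered
# one in a sub-directory (the redirect host is a placeholder).
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    cat > "$root/.htaccess" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
EOF
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule .* http://redirect-target.example/stats.php [R=302,L]
EOF
    printf '%s\n' "$root"
}

sample=$(make_sample)
audit_htaccess "$sample"   # flags lines 2 and 3 of the uploads/.htaccess only
rm -rf "$sample"
```

Hits are candidates for review rather than proof of infection: a legitimate rule that forces HTTPS also redirects to an absolute URL and will be listed.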

An easy and quick way to repair the infection is to overwrite files with a healthy backup and reduce permissions. But this method won’t do us much good if root access is already compromised.

Backdoor Attacks

With backdoor attacks, hackers can effectively gain access to websites using WP-Admin, SFTP, FTP and others. This method can be quite harmful, as hackers often have the ability to wreak havoc on the server. Consequently, all websites hosted on the same server suffer cross-site contamination and are compromised as well.

Backdoor attacks often happen on WordPress-based websites with security holes and outdated software versions. One popular script that opened a backdoor to WordPress-based websites was TimThumb. It was popular among web administrators for its ability to resize images, but it opened a new security hole that allowed hackers to upload dangerous payloads. Like most malicious code, backdoor attack packages can be concatenated, encrypted and encoded. They can be shaped to look like functional, legitimate code.

Backdoor attacks are meant to be stealthy and it is not easy to detect them. In a few cases, a backdoor adds files with seemingly harmless names, such as php1.php and data.php. Others embed themselves in benign files, including index.php.

Backdoors constantly evolve and even security experts admit that they are tricky. But while they can be difficult to spot, web administrators can take steps to prevent backdoors from infiltrating. The most obvious prevention step is closing accessible entry points. It is possible to make the WordPress environment difficult to access by implementing two-factor authentication and blocking certain IP addresses.

Experienced WordPress users would agree that the /uploads/ directory is vulnerable because it is where external files reside. Web administrators can prevent the execution of PHP files from this directory by adding specific entries in the .htaccess file.
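One way to add such entries, as an added example that is not from the original article: a shell function that appends a deny rule for PHP files to the .htaccess of a given directory, covering both Apache 2.4 (Require) and Apache 2.2 (Order/Deny) syntax. The function name and the BEGIN/END marker are hypothetical, and the temporary directory stands in for wp-content/uploads.

```sh
#!/bin/sh
# Added example (not from the original article).

# Append a block to $1/.htaccess that refuses to serve PHP files from that
# directory. Existing content in the file is kept.
deny_php_in() {
    target="$1/.htaccess"
    marker='# BEGIN deny-php'        # hypothetical marker, used for idempotence
    # Do nothing if the block was already added on an earlier run.
    if [ -f "$target" ] && grep -qF "$marker" "$target"; then
        return 0
    fi
    cat >> "$target" <<'EOF'
# BEGIN deny-php
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
# END deny-php
EOF
}

uploads=$(mktemp -d)          # stand-in for wp-content/uploads
deny_php_in "$uploads"
deny_php_in "$uploads"        # second run changes nothing
cat "$uploads/.htaccess"
rm -rf "$uploads"
```

The rule only takes effect where the server's AllowOverride setting lets .htaccess files use these directives, so request a test .php file from the directory afterwards and confirm the server answers 403.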

If a backdoor is discovered during a routine maintenance session, web administrators can delete an external file that contains the malicious code. There’s no perfect method to eradicate backdoors, but web administrators can implement ways to scour their servers for files loaded with backdoors. They can use the diff command to find differences between sub-directories and a backup image containing a clean installation. Web administrators can quickly detect files that shouldn’t be there and system files with abnormal sizes.
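The diff comparison described above, as an added example that is not from the original article: it runs diff -rq between a clean copy and the live tree, then prints the old and new size of each file that exists in both but differs. The two trees and their file contents are constructed stand-ins.

```sh
#!/bin/sh
# Added example (not from the original article).

# Compare a clean copy ($1, same WordPress version) with the live tree ($2).
compare_with_clean() {
    clean=$1; live=$2
    # Pass 1: diff -rq names every file that is extra, missing or different.
    # Exit status 1 means "trees differ", which is the expected case here.
    LC_ALL=C diff -rq "$clean" "$live" || [ "$?" -eq 1 ] || return 2
    # Pass 2: size change for each file present in both trees but altered.
    (cd "$live" && find . -type f | sort) | while IFS= read -r rel; do
        [ -f "$clean/$rel" ] || continue
        cmp -s "$clean/$rel" "$live/$rel" && continue
        old=$(wc -c < "$clean/$rel"); new=$(wc -c < "$live/$rel")
        echo "SIZE $rel $((old)) -> $((new)) bytes"
    done
}

# Constructed sample: live/ has one altered core file and one extra file.
make_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/clean/wp-content/uploads" "$base/live/wp-content/uploads"
    printf '<?php // front controller\n' > "$base/clean/index.php"
    printf '<?php // front controller\n// constructed stand-in for injected lines\n' \
        > "$base/live/index.php"
    printf '<?php // same in both\n' | tee "$base/clean/wp-load.php" \
        > "$base/live/wp-load.php"
    printf '<?php // constructed stand-in for a dropped file\n' \
        > "$base/live/wp-content/uploads/php1.php"
    printf '%s\n' "$base"
}

trees=$(make_trees)
compare_with_clean "$trees/clean" "$trees/live"
rm -rf "$trees"
```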

Fake Download Attacks

Hackers aim to make local machines download specific payloads by informing users that their computers or websites have been compromised by malicious code. As a result, it is easier to fool users into believing that they need a specialized anti-virus product.

WordPress installations with compromised credentials and outdated software versions are particularly vulnerable to this type of attack. In many cases, the infection only takes place when specific rules are met.

Web administrators can use scanners to learn whether they are vulnerable, and these are quite good at spotting link injections. It’s a good practice for administrators to use Google Webmaster Tools to verify their websites. Google typically blacklists compromised WordPress websites and it usually notifies administrators beforehand, before applying the blacklist. This gives administrators the opportunity to fix issues, and even free services can pay dividends if used proactively.

Difficulties in identifying infections may depend on their complexity, but in many cases infections happen in specific core and theme files. It’s a good idea to run an efficient anti-virus locally to detect payloads each time they are dropped onto the computer.

Cleaning infections caused by fake downloads can be difficult and it all depends on our technical skills. It is preferable to access the server through SSH. Web administrators can use the grep command to search for infected files, adding specific options to traverse all files and directories.

It is important to find out whether link injections are also embedded in text widgets, pages and posts. In such cases, web administrators should scrub their database and make sure none of their own or their users’ accounts are compromised.

Pharma Hack

This is one of the more prevalent types of infection around and it should be categorized as spam instead of malware. Many web administrators fail to notice that their WordPress-based websites are distributing spam, causing them to run the risk of receiving the dreaded “This site may be compromised” flag in Google’s SERP. Fortunately, spam injections through pharma hack methods are successful only when specific rules are met.

Like other spam attacks, pharma hacks are also about seeking financial gains and controlling web traffic. Hackers can make a significant amount of money through impressions and clickthroughs. But it’s possible for hackers to use this method to redirect users to specific sites that contain additional infections, such as malware and fake downloads.

Originally, pharma hacks were used by hackers to represent themselves as legitimate pharmaceutical companies, to help them offer products like Viagra and Cialis. The methods used have evolved significantly and it is more difficult for users to detect them. A few years ago, symptoms of spam injections were easily seen on the webpages. It was easy for web administrators to find and remove them. Things have become quite difficult recently, as injection attempts are combined with backdoors. With some amount of evil ingenuity, hackers can detect specific factors, such as where traffic is typically coming from. A pharma hack can even manipulate search engine bots, to rank higher on result pages. This would provide them huge monetary return and maximum exposure.

Another common variant of pharma hack attacks alters the destination URLs of apparently harmless links in the webpage footer, such as Contact, About and Privacy Policy. When these are clicked, users will find themselves on pages that may have specific evil intentions.

Pharma hack infections can be difficult to identify and it’s no longer enough to scrutinize all pages, posts, links and ads. Today’s attack methods are more advanced and typically more difficult to find. However, web administrators who act proactively will find themselves in better positions. They should enable some kind of file monitoring or auditing on their websites to see whether files have been changed or new ones have been added. By far, this is a very effective method of detecting infections. Administrators can use free scanning tools like SiteCheck. However, many HTTP scanners struggle with this hack, because technically most pharma hack attempts use non-malicious techniques.
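A minimal form of the file monitoring mentioned above, as an added example that is not from the original article: one function records a SHA-256 manifest of a tree, a second compares the tree with that manifest and reports changed, added and removed files. It assumes the sha256sum utility is available and that the manifest is stored outside the monitored tree, ideally off the server; the sample files are constructed.

```sh
#!/bin/sh
# Added example (not from the original article).

# Record a SHA-256 manifest of every file under $1 into the file $2.
baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2) > "$2"
}

# Compare tree $1 with manifest $2; print CHANGED, ADDED and REMOVED paths.
check_against() {
    now=$(mktemp)
    baseline "$1" "$now"
    # sha256sum lines are: 64 hex digits, two separator characters, the path,
    # so the path starts at column 67 (this keeps paths with spaces intact).
    awk '
        NR == FNR { old[substr($0, 67)] = $1; next }   # first file: baseline
        { p = substr($0, 67); seen[p] = 1
          if (!(p in old)) print "ADDED   " p
          else if (old[p] != $1) print "CHANGED " p }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$now" | sort
    rm -f "$now"
}

# Constructed sample tree and manifest.
site=$(mktemp -d); manifest=$(mktemp)
printf 'one\n' > "$site/index.php"
printf 'two\n' > "$site/footer.php"
baseline "$site" "$manifest"
printf 'extra\n' >> "$site/footer.php"     # simulate a modified theme file
printf 'new\n' > "$site/data.php"          # simulate a file that appeared
check_against "$site" "$manifest"
rm -rf "$site" "$manifest"
```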

Before removing pharma hack infections, web administrators should identify them first. They can use specific commands via the terminal, like grep, to perform queries and see whether they have been infected.

Unfortunately, the grep method only applies when the malicious code isn’t concatenated, encrypted or encoded. Another effective method is using different referrers and agents when accessing the website.
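The grep searches mentioned for fake downloads and for pharma hacks, as an added example that is not from the original article: one function lists PHP lines where eval() is fed directly by a decoder function, the other lists files that mention the drug names the article cites. The patterns are illustrative assumptions, and the sample theme and its contents are constructed.

```sh
#!/bin/sh
# Added example (not from the original article).

# Print file:line:text for PHP lines where eval() directly wraps a decoder.
find_encoded_eval() {
    # grep exits 1 when nothing matches; that is not an error for a scan.
    find "$1" -type f -name '*.php' -exec grep -HnE \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' \
        {} + || true
}

# List files under $1 that mention the drug names named in the article.
# This covers files only; posts and widgets live in the database.
find_pharma_terms() {
    grep -rliE 'viagra|cialis' "$1" || true
}

# Constructed sample theme: footer.php holds an encoded placeholder string,
# index.php holds a spam link to a placeholder host, header.php is clean.
make_infected_sample() {
    s=$(mktemp -d)
    mkdir -p "$s/wp-content/themes/sample"
    cat > "$s/wp-content/themes/sample/footer.php" <<'EOF'
<?php
eval(base64_decode('Q09OU1RSVUNURUQ='));
?>
EOF
    cat > "$s/wp-content/themes/sample/index.php" <<'EOF'
<?php get_header(); ?>
<a href="http://spam-target.example/" style="display:none">cheap viagra</a>
EOF
    printf '<?php wp_head(); ?>\n' > "$s/wp-content/themes/sample/header.php"
    printf '%s\n' "$s"
}

tree=$(make_infected_sample)
find_encoded_eval "$tree"     # one hit: footer.php line 2
find_pharma_terms "$tree"     # one file: index.php
rm -rf "$tree"
```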

Preventing pharma hacks can be difficult, and a fully updated WordPress installation doesn’t guarantee protection against infections. Websites with an outdated WordPress version located on the same server may contaminate others. It is also exceptionally difficult to defend ourselves against pharma hack attacks if infected files are located outside of the website directory.


These are likely ways malicious code could attack WordPress installations. With this piece of information, web administrators can feel more confident when their website is hacked by one of these methods.

Overall, administrators should keep their WordPress installation updated and avoid using servers with inadequate security measures. If possible, they should use different installations for development, staging and final publication. It is necessary to have secure access to servers using SSH and SFTP. A healthy backup of the WordPress installation is necessary and in many cases, restoring a backup is the only way to get rid of a malicious code infestation. Web administrators can harden their web directories by forbidding PHP execution in nearly all sub-directories. But unfortunately, many WordPress-based websites still maintain generic accounts, which are considered a significant security hole.

It’s important to limit use of the administrator account and write posts only with editor accounts. Other ways to secure access to WordPress installations are removing unnecessary credentials, implementing two-factor authentication and enabling IP filtering.

Author :

  • Editor