Posted by enetwal on Aug 24, 2013
WordPress Websites Are Vulnerable to Attack
If your business website has been built on a WordPress platform, (and a high percentage of small business sites are,) you could be vulnerable to a nasty downside to this otherwise excellent platform.
WordPress’ success is also its Achilles’ heel. Its ease of use, flexibility and the tens of thousands of specialized plug-ins that have been created for it make it knowledgeable developers’ first choice for light- to medium-intensity web sites.
Its sheer popularity has made it the target of hackers, both those who hack for fun and those who hack for profit. The bad news is that there are hacking software sites that make available bots capable of hacking WordPress sites for anywhere from $500 to $7,000, and the typical high school hacker can probably build their own for free.
What’s at Risk?
It depends on your site and the hacker.
In my case, when hackers found their way into one of my lesser developed blogs, I pretty much lost all the work I had done on it up until then.
But the real damage was done to my reputation online. In my case, the hackers were professional thieves who hacked into my site to access my webmail account.
Not only did they mail to my lists, they used the site to send out emails to thousands of people phishing for bank account login information for Bank of America accounts, JP Morgan and a bank in South Africa.
My email account got blacklisted, and I put people I knew and customers at risk of having their bank accounts pilfered.
It also cost me a significant part of a day or two to deal with it. In my case, I asked my hosting provider to just delete several sections of one of my main sub-domains.
Anyone who went to my site prior to it being taken down saw what appeared to be Arabic propaganda, but as I couldn’t read the language I couldn’t really say. I felt violated, as well as inconvenienced. And guilty for allowing my lack of attention to security to put my customers, clients and friends at risk.
There are Multiple Security Issues
The problem is that there are a handful of access points through which someone can break into your site. You are probably unaware of them, but the hackers know.
The simplest and most common access point is the WordPress admin login page.
While many people will create their own login name and password, many fail to remove the default login name when they add their preferred name. And many people just use it: “Admin.”
This leaves a site vulnerable to a systematic attack that needs only to work through all possible passwords.
If you have a typical 8-character password with only alphanumeric characters, a software program can systematically try each possible combination until it finds the one that works, and then they are in, and everything you have on your site is subject to their whim.
These attacks are called brute force attacks, because it’s just a matter of time until they force their way into your site, if you are vulnerable.
The easiest prevention step is to not use the word “admin” as your site’s user name, although this is the name WordPress prompts for by default.
Once you have established another name as your Administrator, you need to go into the Users tab on your WordPress dashboard and remove “Admin” as an authorized user.
If you have previously published posts as Admin, you will need to transfer those posts to one of your new users names, before WordPress will allow you to delete “Admin” as a user.
How do you know if your business website is built on a WordPress platform?
The easiest way to determine if your website is built on a WordPress platform is to add the following to the end of your URL: /wp-admin
If your site is built on a WordPress platform you will see a WordPress login page appear:
Then, if you want to check whether you are vulnerable to this most common of attacks, type anything other than the word “admin” in the username box and anything you want in the password box. (Except your actual login info.)
You will get a message like this:
Now try again, this time use the word “Admin” as the user name:
You will get a message like this:
The hacker now knows one of the two things they need to know to start a brute force attack against your site. They have software that tries a few possible passwords and, if those don’t work, comes back later and tries a few more.
This is to slide under some of the other security protocols and make it less likely anyone will notice their attacks. Eventually, they will come up with the right password.
They are likely not targeting you or your business; they are just targeting all websites built on WordPress platforms where “admin” is still an authorized user.
But whether it’s a personal attack, “just business” or “just for fun,” the risk and damage they can cause to you and your site are just as upsetting.
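The attack pattern described above (a burst of guesses against the default “admin” account, or a few guesses spread out over hours to stay under the radar) is easy to spot once you look at failed-login records. Below is an added example, not code from the original post or from WordPress itself, of a small offline detector. It assumes a syslog-style line format (“Authentication failure for <user> from <ip>”), which is a constructed assumption; the sample log lines are constructed as well and use documentation IP addresses. It goes slightly beyond the post by flagging three distinct patterns: a fast burst from one source, a low-and-slow series from one source, and any probing of the legacy “admin” username.

```python
"""Offline detector for WordPress login brute-force patterns (added example).

Assumed log format (constructed, syslog-style):
    <ISO-8601 UTC timestamp> Authentication failure for <user> from <ip>
    <ISO-8601 UTC timestamp> Authentication success for <user> from <ip>
    <ISO-8601 UTC timestamp> Authentication attempt for unknown user <user> from <ip>
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: one fast burst against "admin", one low-and-slow
# series against "editor" spread over ~13 hours, and one legitimate typo.
SAMPLE_LOG = """\
2013-08-24T09:00:01Z Authentication failure for admin from 203.0.113.5
2013-08-24T09:00:03Z Authentication failure for admin from 203.0.113.5
2013-08-24T09:00:05Z Authentication failure for admin from 203.0.113.5
2013-08-24T09:00:07Z Authentication failure for admin from 203.0.113.5
2013-08-24T09:00:09Z Authentication failure for admin from 203.0.113.5
2013-08-24T09:00:11Z Authentication failure for admin from 203.0.113.5
2013-08-24T09:15:00Z Authentication failure for editor from 198.51.100.7
2013-08-24T11:40:00Z Authentication failure for editor from 198.51.100.7
2013-08-24T14:05:00Z Authentication failure for editor from 198.51.100.7
2013-08-24T17:30:00Z Authentication failure for editor from 198.51.100.7
2013-08-24T21:55:00Z Authentication failure for editor from 198.51.100.7
2013-08-24T12:00:00Z Authentication failure for jane from 192.0.2.44
2013-08-24T12:00:30Z Authentication success for jane from 192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) Authentication (?P<kind>failure|success|attempt for unknown user) "
    r"(?:for )?(?P<user>\S+) from (?P<ip>\S+)$"
)

# Thresholds are assumptions; tune them to your site's real traffic.
BURST_THRESHOLD, BURST_WINDOW = 5, timedelta(minutes=5)   # fast guessing
SLOW_THRESHOLD, SLOW_WINDOW = 5, timedelta(hours=24)      # "come back later" guessing
LEGACY_ADMIN = "admin"                                    # the default WordPress username


@dataclass
class Event:
    ts: datetime
    kind: str
    user: str
    ip: str


def parse_log(text):
    """Parse log lines into Events, skipping lines that do not match, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["kind"], m["user"], m["ip"]))
    events.sort(key=lambda e: e.ts)
    return events


def window_hit(times, window, threshold):
    """True if any `threshold` consecutive timestamps (sorted) fall within `window`."""
    for i in range(len(times) - threshold + 1):
        if times[i + threshold - 1] - times[i] <= window:
            return True
    return False


def detect(events):
    """Return a list of findings; each is a dict with rule, ip, user and count."""
    failures = defaultdict(list)  # (ip, user) -> sorted failure timestamps
    for e in events:
        if e.kind != "success":
            failures[(e.ip, e.user)].append(e.ts)

    findings = []
    for (ip, user), times in sorted(failures.items()):
        base = {"ip": ip, "user": user, "count": len(times)}
        if window_hit(times, BURST_WINDOW, BURST_THRESHOLD):
            findings.append({"rule": "burst_brute_force", **base})
        elif window_hit(times, SLOW_WINDOW, SLOW_THRESHOLD):
            findings.append({"rule": "low_and_slow", **base})
        if user.lower() == LEGACY_ADMIN:
            findings.append({"rule": "default_admin_probe", **base})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f['rule']:20} {f['ip']:15} user={f['user']:8} failures={f['count']}")
```

The low-and-slow rule is what catches the behaviour the post describes: five guesses over thirteen hours never trip a per-minute threshold, but they do stand out when failures are counted per source and username over a full day. A single failed login followed by a success (the “jane” lines) produces no finding at all.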
Get Your Free Web Security Check
For a limited time, I am offering to do a web security check of business websites built on a WordPress platform, because I know what a pain it is to have a site hacked.
This WordPress security scan will provide you with a report detailing the other 7 most significant vulnerabilities most commonly found on small business websites.
This website security check is normally a $39 value. The report you get back will inform you of which, if any, other vulnerabilities your site may have, with instructions on what to do about them.
You can have your web guy deal with them for you, or I will offer my best possible price to do the work for you. You will be under no obligation to use my services, although I certainly hope a fair number of you will. 🙂