WordPress Sites Under Attack

Most of you have likely heard about WordPress before. WordPress is an open source content management system that started its path to success by becoming very popular among bloggers. Over the years, WordPress has turned into one of the most frequently downloaded and installed web applications on the Internet. With this popularity came a host of security issues: because WordPress is so widespread and installed by the millions, it has turned into a prime target for hackers and also a solid security concern for hosting companies all over the world.

Why do hackers love to target WordPress sites?

Not only WordPress itself but also knowledge of its vulnerabilities gets distributed and spread around, so the bad guys learn very quickly about new exploits and how to get to them. Sure, WordPress constantly releases new patches to fix such exposed vulnerabilities, but let's face it: there are hundreds of thousands, if not millions, of WordPress installations sitting on servers everywhere in the world that do not receive those security updates immediately because their webmasters do not have the time or skill to install such patches.

WordPress sites that are highly customized with additional third-party modules tend to fall behind on crucial security patch updates. It is a well-known problem with WordPress sites that they often stop functioning when they are upgraded to new releases, as their third-party modules cannot keep up with the update and fail. The unfortunate result is that webmasters do not upgrade their WordPress core as often and rigorously as they should, leaving their flanks open to hackers.

Also, there are many WordPress sites out there that are abandoned for good: they were installed on a web hosting account and then left alone. Of course those installs will never be updated to new releases, and they are an open invitation for hackers to do their evil thing.

Further, people use very weak or standard admin passwords that are easily guessed. A WordPress site might even have the latest security patch installed but still get hacked due to weak passwords. Of course this is a very avoidable problem, but again, due to the millions of sites out there, chances are that hackers can find a good percentage of sites that can be hijacked and exploited just due to the lack of security applied to them by their owners.

Widespread Attacks on WordPress Sites Have Been Reported

I was made aware of the threats against WordPress sites by an email sent to me by our Pinpoint Media Design team member, Lynda Reynolds. Lynda found an article on the technology blog TechCrunch, reporting a massive, widespread attack on WordPress sites, using large-scale criminal methods, such as illegal botnets to scan any WordPress site they can find for vulnerabilities. Once a WordPress site is hacked, it will be abused for even more sinister things, such as getting access to the web hosting account or even the entire hosting server.

Attackers scan for WordPress sites everywhere

While I was doing some research on this article and also to form my own picture of the credibility of the reporting by TechCrunch, I happened to come across our own web stats. Taking a look at a list of "404 Page Not Found" errors, I couldn't believe what I saw: Not only our own site, but also all of our client sites, none of which are built on WordPress by the way, are routinely being scanned by hackers for the presence of WordPress login pages. Don't take my word for it: I am attaching a screenshot, showing the attempt to find WordPress login pages on our server.
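To find the same pattern in your own web stats, the sketch below reads access-log lines and lists clients that requested WordPress login pages and got a 404. It is an added example, not part of the original article; it assumes the common "combined" log format, the sample lines are constructed, and the probe path list and `min_hits` threshold are assumptions to adjust.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Assumption: paths treated as probes for a WordPress login or admin page.
WP_PROBE_RE = re.compile(r'/(wp-login\.php|wp-admin(/|$))', re.IGNORECASE)


def find_wp_probes(lines, min_hits=2):
    """Map each client IP to the distinct WordPress login paths it requested
    and received a 404 for, keeping clients with at least min_hits such hits."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") != "404":
            continue  # unparsable line, or the page actually exists
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if WP_PROBE_RE.search(path):
            hits[m.group("ip")].append(path)
    return {ip: sorted(set(p)) for ip, p in hits.items() if len(p) >= min_hits}


# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:08:14:02 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:08:14:03 +0000] "GET /blog/wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:08:14:04 +0000] "GET /wp-admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    # An ordinary broken link: a 404, but not a WordPress probe.
    '198.51.100.23 - - [01/Jan/2024:09:02:11 +0000] "GET /old-page.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    # A single hit stays below the default threshold.
    '192.0.2.50 - - [01/Jan/2024:10:30:45 +0000] "GET /wp-login.php?action=register HTTP/1.1" 404 512 "-" "curl/8.0"',
    '192.0.2.9 - - [01/Jan/2024:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, paths in find_wp_probes(SAMPLE_LOG).items():
        print(ip, paths)
```

On a site that does not run WordPress, every hit is a probe rather than a mistyped URL, so the resulting list can feed rate limiting or a block list.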

How can you protect yourself from those WordPress hackers?

I hate to break it to you, but if you need your website to make a living, and you heavily rely on it, consider getting rid of WordPress: Sure, it is a commonly accepted and widely supported system, but just because there is a big buzz out there about it doesn't mean you have no alternatives. There are many other very neat systems out there that are also slick but a lot less under scrutiny. Their code base may be even more advanced, making for a much more robust professional website. If you would like to stick with open source, I would recommend Drupal. Drupal is a very well built content management framework with many additional third-party plugins to choose from. We at Pinpoint Media Design use Site.DFiner, our very own proprietary content management system. We keep the code base close to our vest and, in a concerted effort between proper coding, constant monitoring and measures to secure web hosting, provide our clients with a rock-solid, ever-evolving platform that has delivered results for over 11 years.