What are Targeted and Non-Targeted WordPress Hack Attacks

By Robert Abela on July 08th, 2014 in WordPress Security Readings

If you have been reading about WordPress security and looking for WordPress security hacks, tweaks or plugins to protect your WordPress from hacker attacks, you will have noticed that there are two types of attacks: targeted and non-targeted WordPress hack attacks.

What is the difference between a targeted and a non-targeted WordPress attack, and how can you protect your WordPress from both? This article explains the difference between these two types of hack attacks and explains why some of the WordPress tweaks and hacks can protect you from one type of attack and not the other, and vice versa.

Non-Targeted WordPress Hack Attack

Non-targeted WordPress hacker attacks are automated attacks and are not specifically launched against WordPress websites only. For example, if hackers are trying to exploit a known vulnerability in an old version of WordPress, they do not manually look for WordPress websites, check their version and see whether they are affected by that vulnerability.

Instead they use automated tools to send the specific HTTP requests used to exploit the vulnerability to a number of sites, typically a range of IP addresses. Depending on the HTTP responses received back, the tool determines if the target website is a vulnerable WordPress installation or not.

Protect WordPress from Non-Targeted Attacks

Therefore, if you hide your version of WordPress, or even hide the fact that you are using WordPress for your sites, you won’t be protecting your site from non-targeted WordPress hack attacks. To protect WordPress from non-targeted hack attacks, follow the recommendations below:

  1. Keep all your software up to date; always use the latest and most secure version of WordPress and of the plugins and themes you use. This also applies to MySQL, Apache and any other software that is running in your web environment.
  2. Always uninstall and remove any unnecessary plugins, themes and any other components and files which are not being used.
  3. Do not use typical usernames such as admin, administrator and root for your WordPress administrator account. If you do, rename the WordPress administrator account.
  4. Protect the WordPress Login and admin pages by adding an additional layer of authentication. Read Protect WordPress Login Page with HTTP Authentication for more information.
  5. Use strong passwords; this does not apply only to WordPress but to any other service or website you use online. If you have multiple users using WordPress, use a plugin to create WordPress Password Policies to ensure users use strong passwords.

Targeted WordPress Hack Attack

Targeted hack attacks are aimed specifically at your websites and blogs. There are several reasons why your WordPress site might be a victim of a targeted attack, but the reason is not important. What is important is to understand what happens in a targeted attack so you can better protect your WordPress websites and blogs.

Targeted attacks are more dangerous than non-targeted ones simply because, rather than having a number of automated tools scanning websites randomly, there is a human being analysing every detail about your website in the hope of finding something that could be exploited.

Anatomy of a Targeted WordPress Attack

First, the attacker will use automated tools to check if your version of WordPress is affected by any known vulnerabilities. Since automated tools are used, hiding the version of your WordPress does not help in such scenarios.

The attacker will also try to determine what plugins are running on your WordPress and whether any of them has a known vulnerability. Again, most of these tasks are done using automated tools.

The weakest links in WordPress security are typically the credentials. Therefore, using automated tools, the attacker will try to enumerate all the WordPress users and even launch a password dictionary attack against WordPress.

There are many other ways to hack a WordPress blog or website, and targeted attacks do not necessarily take advantage of a security weakness in WordPress or one of its components. It could also be a security hole in the web server software or configuration, etc., but the above three are the most common hack attack entry points.
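The plugin checks and password dictionary attacks described above leave distinct traces in the web server access log. The following Python script is an added example, not code from the original article: it labels client IPs by those traces, assuming the common "combined" log format. The thresholds, label names, IP addresses and plugin names are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format (assumed).
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PLUGIN = re.compile(r"^/wp-content/plugins/([^/]+)/")

# Thresholds are assumptions for this example; tune them against your own traffic.
FAILED_LOGINS = 5   # failed login POSTs from one client
PLUGIN_PROBES = 3   # distinct plugin directories requested that do not exist

def classify(log_text):
    """Return {client_ip: label} for clients matching the patterns above."""
    failed = defaultdict(int)
    missing = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ip, path = m["ip"], m["path"].split("?")[0]
        # WordPress normally answers a failed login with 200 and a
        # successful one with a 302 redirect.
        if m["method"] == "POST" and path == "/wp-login.php" and m["status"] == "200":
            failed[ip] += 1
        plugin = PLUGIN.match(path)
        if plugin and m["status"] == "404":
            missing[ip].add(plugin.group(1))
    labels = {}
    for ip in set(failed) | set(missing):
        if failed[ip] >= FAILED_LOGINS:
            labels[ip] = "password-guessing"
        elif len(missing[ip]) >= PLUGIN_PROBES:
            labels[ip] = "plugin-enumeration"
        elif missing[ip]:
            labels[ip] = "isolated-probe"  # one request, typical of a mass scan
    return labels

def _line(ip, method, path, status):
    return f'{ip} - - [08/Jul/2014:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample traffic: documentation IP ranges, hypothetical plugin names.
SAMPLE = "\n".join(
    [_line("198.51.100.7", "GET", "/wp-content/plugins/plugin-a/readme.txt", 404)]
    + [_line("203.0.113.9", "POST", "/wp-login.php", 200) for _ in range(8)]
    + [_line("192.0.2.44", "GET", f"/wp-content/plugins/plugin-{c}/readme.txt", 404) for c in "bcde"]
    + [_line("192.0.2.10", "POST", "/wp-login.php", 302), "garbage line"]
)

if __name__ == "__main__":
    for ip, label in sorted(classify(SAMPLE).items()):
        print(ip, label)
```

An isolated probe for a component that is not installed is what non-targeted scanning looks like in the log, while repeated failed logins or a sweep across many plugin directories from one client is the sustained activity to investigate.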

Protect WordPress from Targeted Attacks

There are many WordPress hacks and tweaks you can apply to protect your WordPress from a targeted hack attack, as highlighted in the list below:

  1. To start off with, everything that applies to protecting your WordPress from non-targeted WordPress attacks also applies to targeted attacks.
  2. Secure and protect your WordPress administrator account.
  3. Enable WordPress SSL to access your WordPress login page and admin pages over an encrypted communication layer to avoid having your WordPress usernames and passwords hijacked.
  4. Use a WordPress security monitoring and auditing plugin to keep track of everything that is happening on your WordPress and identify any suspicious activity before it becomes a security issue.
  5. Use WordPress user roles to improve the security of WordPress by ensuring every user only has the minimum required privileges to do the job.
  6. Use WPScan WordPress security black box scanner and other tools to frequently scan and audit your WordPress website.

Protecting WordPress from All Types of Hacker Attacks

From time to time you might read about a particular WordPress security tweak that some people say works while others say it doesn’t, such as hiding your WordPress version. In this case we know that hiding the version of WordPress does not improve its security, so why implement such a tweak in the first place? If you are dubious about a particular tweak, and the tweak does not impact the performance of your WordPress and is easy to implement, go ahead and implement it. Better to be safe than sorry!

Apart from the above tips, there are many other ways to improve the security of your WordPress blogs and websites and protect them from both targeted and non-targeted WordPress hack attacks. Ideally you should keep yourself updated by subscribing to a WordPress security blog where frequent WordPress security tips, hacks and tweaks are published.
