Securing your WordPress site from attacks

by Wynn Jones, Lead Penetration Tester
Published on: 21st July 2022

Researchers are ringing the alarm bells about a “sudden” spike in cyber-attacks attempting to exploit an unpatched flaw in a WordPress plugin called Kaswara Modern WPBakery Page Builder Addons.

The vulnerability is tracked as CVE-2021-24284 and is rated 10.0 on the CVSS vulnerability scoring system. That is the highest possible score. The flaw is an unauthenticated arbitrary file upload that could be abused to gain code execution, permitting attackers to seize control of unpatched WordPress sites.

Although the bug was originally disclosed in April 2021 by the WordPress security company, it remains unresolved to date. To make matters worse, the plugin has been closed and is no longer actively maintained.

Approximately 26% of the Internet is made up of WordPress websites.

In the United Kingdom alone there are known to be in excess of 1.8 million websites that currently use this very popular content management system. Such a large footprint on the Internet makes it a very tempting target for any cybercriminal.

The attacks have emanated from 10,215 IP addresses, with most of the exploitation attempts narrowed down to 10 IP addresses. These involve uploading a ZIP archive containing a malicious PHP file that allows the attacker to upload rogue files to the infected website.

The goal of the campaign, it appears, is to insert code into otherwise legitimate JavaScript files and redirect site visitors to malicious websites.
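The upload pattern described above (a ZIP archive carrying a PHP file) can be checked for on your own site. The following is an added example, not code from the original article or from any plugin: it walks a directory tree and flags PHP files and ZIP archives that contain PHP members. The directory to scan (for instance a WordPress uploads folder) and the extension list are assumptions, and the sample tree is constructed.

```python
import os
import tempfile
import zipfile

# Extensions a PHP-enabled server may execute (assumed list; match it to your server config).
PHP_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")


def is_php_name(name):
    return name.lower().endswith(PHP_EXTS)


def scan_uploads(root):
    """Return sorted (kind, path, detail) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if is_php_name(fname):
                findings.append(("php-file", path, ""))
            elif zipfile.is_zipfile(path):
                # Detect archives by content, so a renamed ZIP is still inspected.
                try:
                    with zipfile.ZipFile(path) as zf:
                        for member in zf.namelist():
                            if is_php_name(member):
                                findings.append(("php-in-zip", path, member))
                except zipfile.BadZipFile:
                    findings.append(("unreadable-zip", path, ""))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: a benign image, a ZIP with a PHP member, a loose PHP file."""
    month = os.path.join(root, "2022", "07")
    os.makedirs(month)
    with open(os.path.join(month, "logo.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n")
    with zipfile.ZipFile(os.path.join(month, "icons.zip"), "w") as zf:
        zf.writestr("icons/a.svg", "<svg/>")
        zf.writestr("icons/a.php", "<?php /* placeholder */ ?>")
    with open(os.path.join(root, "upload.PHP"), "w") as f:
        f.write("<?php /* placeholder */ ?>")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for kind, path, detail in scan_uploads(tmp):
            print(kind, os.path.relpath(path, tmp), detail)
```

A finding is a prompt for review rather than proof of compromise, since some plugins legitimately ship PHP inside archives.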

It is not just this plugin that is vulnerable.

WordPress alone is a very powerful and extremely easy to use platform, and the most wonderful thing about it is that it is free to use. There are numerous free templates and plugins that have been written, and many of these have been written by, shall we say, gifted amateurs. Even some of the more professionally created plugins and templates have been compiled using below average security standards.

One of the biggest problems is that most people have absolutely no idea just how easy it can be to hack into a WordPress content management system. There is this almost blind faith that the person they get to build their website actually understands how to secure the website from being attacked. However, most people who actually build WordPress websites are, again, gifted amateurs or have absolutely no cyber security training whatsoever in how to properly lock down a website.

Unfortunately, our friends the cybercriminals, and not so ethical hackers, are all too aware of how to detect and exploit any vulnerabilities that they discover and gain access to the website on an administrative level.

Why would somebody want to hack my website?

They can’t possibly extract any money from it, we do not store any sensitive information in there, we are only a small business and cannot be of any interest to cyber criminals.

This is exactly the kind of attitude that the average cybercriminal is looking for. The truth is that they can use your website to either gain access to a neighbour’s website on the same hosting provider or, more commonly, they will use the website to attract other visitors that they acquire from phishing attacks. From there they can download viruses or malware onto a victim’s machine and can take control of that computer. They could also use the website as a storage point or a link to something like ransomware. This of course will only lead to a considerable loss of reputation for the company that owns the website in the first place.

Securing WordPress websites is reasonably easy, if you have the necessary knowledge and skill set. With the correct security plugins and configuration, it is simple to ensure that the cybercriminals bypass your website and head onto an easier target. There are times that it is as simple as that. All you are looking to do is to make your website as difficult as possible to hack into.

What can you do to check your website is secure?

We have the necessary skill sets and, more importantly, experience of exactly how to secure a WordPress website.

If you have a WordPress website and you are unsure as to how secure it is, get in touch to discuss. We’ll run a free scan of your site and let you know if you require any help.

Speak to our engineers and experts.