5 common security attack in WordPress

The most common WordPress security issues occur before or just after your site has been compromised. The goal of a hack is to gain unauthorized access to your WordPress site on an administrator-level, either from the frontend (your WordPress dashboard) or on the server side (by inserting scripts or files).

1. Brute Force Attacks

Brute force attacks begin with automated software that’s used to guess a password (or an answer) to get behind a locked “digital door.” The automated software can run billions of combinations of letters, numbers, and symbols over and over until it becomes statistically correct and cracks the code.

The higher the encryption on the data, the longer it takes to break through the door and obtain the desired data. Sometimes this process can take a few minutes; other times it can go on for years before it’s able to break the code. Brute force attacks are a serious threat capable of affecting millions of accounts and tarnishing a business’s reputation.

How Brute Force Attacks Work

  1. An attacker decides on their intended target: either an encrypted file that has been stolen (offline) or a login page (online).
  2. They use a computer program that’s configured to attempt entry by trying usernames, along with millions of password combinations. (They may also attempt one password with many usernames.)
  3. Once the correct username and password combination is found, the attacker is able to access the secure data.

2. Remote file inclusion

Remote file inclusion (RFI) is a type of vulnerability found in web applications that allows an attacker to supply a remote file to the application. The file can be dynamically processed in a variety of ways, including code execution on the server, disclosure of sensitive information, and client-side code execution.

RFI occurs when the path of a file taken as input is not properly sanitized, allowing an external URL to be processed over HTTP. This type of vulnerability presents itself most commonly in PHP applications, but it can also be found in ASP, JSP, and other technologies.

Preventing RFI

RFI can be a particularly nasty vulnerability, especially when an attacker can get a shell and execute commands like we demonstrated. Luckily, preventing RFI is easier than you think.

The most effective method of prevention is to avoid including files as user-supplied input altogether. This will drastically reduce the attack surface, making it nearly impossible for an opponent to include malicious files. If this isn’t feasible, a whitelist of files allowed to be included can be utilized by the application.

In any case, modern versions of PHP will typically disable the allow_url_include option by default, which prevents attackers from including malicious files remotely.

3. SQL Injection (SQLi)

SQL Injection (SQLi) is a type of an injection attack that makes it possible to execute malicious SQL statements. These statements control a database server behind a web application. Attackers can use SQL Injection vulnerabilities to bypass application security measures. They can go around authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. They can also use SQL Injection to add, modify, and delete records in the database.

An SQL Injection vulnerability may affect any website or web application that uses an SQL database such as MySQL, Oracle, SQL Server, or others. Criminals may use it to gain unauthorized access to your sensitive data: customer information, personal data, trade secrets, intellectual property, and more. SQL Injection attacks are one of the oldest, most prevalent, and most dangerous web application vulnerabilities. The OWASP organization (Open Web Application Security Project) lists injections in their OWASP Top 10 2017 document as the number one threat to web application security.

How and Why Is an SQL Injection Attack Performed

To make an SQL Injection attack, an attacker must first find vulnerable user inputs within the web page or web application. A web page or web application that has an SQL Injection vulnerability uses such user input directly in an SQL query. The attacker can create input content. Such content is often called a malicious payload and is the key part of the attack. After the attacker sends this content, malicious SQL commands are executed in the database.

SQL is a query language that was designed to manage data stored in relational databases. You can use it to access, modify, and delete data. Many web applications and websites store all the data in SQL databases. In some cases, you can also use SQL commands to run operating system commands. Therefore, a successful SQL Injection attack can have very serious consequences.

  • Attackers can use SQL Injections to find the credentials of other users in the database. They can then impersonate these users. The impersonated user may be a database administrator with all database privileges.
  • SQL lets you select and output data from the database. An SQL Injection vulnerability could allow the attacker to gain complete access to all data in a database server.
  • SQL also lets you alter data in a database and add new data. For example, in a financial application, an attacker could use SQL Injection to alter balances, void transactions, or transfer money to their account.
  • You can use SQL to delete records from a database, even drop tables. Even if the administrator makes database backups, deletion of data could affect application availability until the database is restored. Also, backups may not cover the most recent data.
  • In some database servers, you can access the operating system using the database server. This may be intentional or accidental. In such case, an attacker could use an SQL Injection as the initial vector and then attack the internal network behind a firewall.

4. Cross-Site Scripting (XSS) attacks

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. For more details on the different types of XSS flaws.

How does XSS work?

Cross-site scripting works by manipulating a vulnerable web site so that it returns malicious JavaScript to users. When the malicious code executes inside a victim’s browser, the attacker can fully compromise their interaction with the application.

Cross-site scripting

What are the types of XSS attacks?

There are three main types of XSS attacks. These are:

  • Reflected XSS, where the malicious script comes from the current HTTP request.
  • Stored XSS, where the malicious script comes from the website’s database.
  • DOM based XSS, where the vulnerability exists in client-side code rather than server-side code.

5. Malware

A malware attack is a type of cyberattack in which malware or malicious software performs activities on the victim’s computer system, usually without his/her knowledge.

Nowadays, people use words like malware, spyware, and ransomware a lot more than the word “virus.” What qualifies something a traditional virus as opposed to a more recent malware designation? And are viruses still around?

To understand the virus, we need to look at the original biological meaning of the word. Biological viruses can make you sick; they inject their own code (DNA or RNA) into the host cell as a means of replication. This code makes the host cell to generate many copies of the virus an ultimately bursts, sending new viruses everywhere.

Computer viruses operate via similar means. Unlike some malware programs which are fully executable in nature, computer viruses tend to be a smaller piece of code that can piggyback on other computer applications and files. Viruses replicate only when conditions are right. So they can be triggered by a certain date and time, opening a specific program, etc.

After a virus is triggered, it will try to copy itself and spread, infecting other files and programs along the way. Sometimes viruses replicate and spread over a network. Similar to real viruses, copies of the computer viruses can be somewhat different from the original making it hard for antivirus software to eliminate them.

Some viruses come encrypted, making detection even more complicated. A virus, biological or digital, wouldn’t be a problem if all they did was just copy themselves. But computer viruses can contain a payload that causes damage to your computer.

Viruses and malware are different from each other. For example, the famous ILOVEYOU attack back in 2000 was caused by a standalone software script disguised as a love letter and sent out of an email attachment. Since it doesn’t contain any host program, it would be accurately referred to as a worm rather than a virus.

Many of the modern malware codes like ransomware, spyware, and adware are also standalone software programs that can spread to other computers and execute on their own.

Malware programs used in cybercrimes typically have some simple and well-known objectives. Some of those objectives are:

Make money by stealing sensitive information such as online banking logins, credit card numbers or intellectual properties. This is termed “identity theft,” and involves stealing users online credentials and using that to impersonate them. Cybercriminals can access the victim’s bank accounts and use them in a number of ways including physical theft, digitally laundering money or selling the victim’s data to other criminals

Another objective of malware attacks is to extort money. This is often achieved by encrypting the user’s data with a password and asking money from the victim to decrypt it. This method is known as a “ransomware attack” and can be very lucrative given the high value that the individual or business places on digital information.

Be the first to comment

Leave a Reply

Your email address will not be published.