How the f*** did my website get hacked?

Written by Tom Greenwood - October 17, 2012


In 2012 we’ve seen a big increase in the number of people being affected by computer viruses and by hacking attempts on their website.  David Watson of IT support company Evolve Computers confirmed that this is a general trend throughout the industry and that IT security issues have surged in the past year.

We’ve responded by making it our business to ensure that we are at the forefront of WordPress security. We’ve recruited a dedicated security guru, Marco, to our team. We’ve developed our own WordPress security testing and hardening procedure and we’ve established the UK’s first dedicated secure WordPress hosting service, Granula.

But just like Batman, we can’t protect everyone all of the time.

Whether it is a virus on your computer or a hack on your website, it is a painful experience that nobody wants to have to go through, and to quote one of our clients who got hacked a few months ago, it is understandable that you might ask “How the f*** did my website get hacked?”

Web hacker photo by devdsp

So how did your website get hacked?

The first thing to point out is that no website or computer system is ever 100% secure.  Today’s news about hacker Gary McKinnon is a powerful reminder of that.  He did after all manage to get into the US military’s computer systems from his bedroom in London.

Hackers are always developing new ways to penetrate websites, and even after the event, it is not always possible to know exactly how they did it.  However, most hackers are not Gary McKinnon and their techniques are more predictable and exploit known vulnerabilities.  So what vulnerabilities should you be aware of?

Top 10 WordPress Security Vulnerabilities

This is not an exhaustive list, but these are some of the most common vulnerabilities that enable hackers to exploit people’s WordPress sites. Many of these also apply to other types of website.

  1. Weak usernames and passwords – It sounds petty, but guessing your WordPress password, FTP password or cPanel password is literally the easiest way to get into your website.  I bet your WordPress username is ‘admin’. If I’m right, I’m already halfway to getting in!
  2. Out of date code – The WordPress core and many plugins receive regular security updates to ensure that they are always secure, just like anti-virus software is constantly being updated to respond to new threats.  So if your code is not updated, it may well be vulnerable to the latest threats.
  3. Insecure code – Sometimes there are things in the code of themes or plugins (or other scripts that you’re using) that present inherent insecurities.  For example, uses of eval and base64 are common problems.  Similarly, the original version of timthumb.php had a security hole (the latest version has fixed the issue).
  4. File Permissions – It is common to find folders inside FTP that have very relaxed file permissions.  They don’t ever need to be set higher than 755, so check all of your folders in FTP and update them if required.
  5. Out of date PHP – The code on your website might be absolutely fine, but your web server could be running an old version of PHP that is known to have security holes.
  6. Magic Quotes – Magic quotes is a now deprecated PHP function, but if you’re on an older PHP version and your site was configured to allow the use of magic quotes then you could be at risk.
  7. Unsecured backups – Taking a backup of your website is always a good idea, but if you leave that backup unsecured on your web server then you have just handed the hacker all of the code, usernames and passwords for your site on a plate.  Be careful how you store your backups, and if you use a backup plugin, check that it isn’t putting you at risk.
  8. Insecure shared hosting – If you’re on a cheap shared hosting plan, then your website is sharing the same space as loads of other websites, many of which will not be well maintained and some of which might be downright dodgy.  If the server isn’t well configured to segregate each account, attacks can spread from other people’s sites onto yours.
  9. Redundant code – Sometimes, people have old code sitting on their web server that they are no longer using, not realising that even if these scripts are not being used, they are still theoretically active and can be used by hackers.  These redundant scripts are often a greater risk than the current code on your site because you probably are not maintaining them anymore.
  10. Password Theft – It doesn’t matter how secure your website and hosting are, if you log in to your website from an unsecured connection, share your credentials in email and IM, or access your website on a public computer then there will always be a risk that someone will steal your login details.
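Three of the items above (insecure code, file permissions and unsecured backups) can be checked mechanically. The script below is an added example, not part of the original post or of any product it mentions; it assumes a POSIX shell with GNU find and grep, and the backup file extensions it looks for are an assumption you should widen for your own setup.

```shell
#!/bin/sh
# Added example (not from the original post): a read-only audit of a WordPress
# install for three of the issues in the list: folders set more open than 755
# (item 4), eval(base64_decode(...)) in PHP files (item 3) and backup dumps or
# archives left under the web root (item 7). Extensions and paths are assumptions.

# Directories writable by group or others, i.e. anything more open than 755.
check_perms() {
    # -perm /022 matches if any of the group-write or other-write bits is set
    find "$1" -type d -perm /022 -print | sed 's/^/PERM: /'
}

# PHP files containing the classic obfuscation pattern eval(base64_decode(...
check_eval() {
    grep -rlE --include='*.php' 'eval[[:space:]]*\([[:space:]]*base64_decode' "$1" 2>/dev/null \
        | sed 's/^/EVAL: /'
}

# Backup-looking files (SQL dumps, archives) anywhere under the web root.
check_backups() {
    find "$1" -type f \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.zip' \
        -o -name '*.tar.gz' -o -name '*.bak' \) -print | sed 's/^/BACKUP: /'
}

# Run every check against the WordPress root given as $1. Prints one line per
# finding and returns non-zero if anything was flagged, so it can gate a deploy.
audit_wp() {
    out=$( { check_perms "$1"; check_eval "$1"; check_backups "$1"; } )
    printf '%s\n' "$out"
    [ -z "$out" ]
}
```

Run it as `audit_wp /path/to/wordpress`; an empty result and a zero exit status mean none of the three checks fired.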

Hopefully this list has given you some ideas of how your own website security could be improved.  Chances are at least one of the above vulnerabilities applies to you.  If you know of other vulnerabilities that could affect WordPress users, please do share your experiences in the comments below.