We all have the mindset that “It will never happen to me.”, or “That stuff only happens to others.” on certain topics. One of the big ones for this is hacked or otherwise exploited websites. We see things in the news more and more where a company has their website hacked or data breached and it usually does not end well for them. Website security is not something that should be approached passively however. Else, you may find yourself on the wrong end of a data breach, and no one wants that!
Here, I’m going to walk through a few common vulnerabilities that are exploited in websites everywhere. Remember that hackers are just more advanced thieves, they are opportunists! They want an easy target, and explained here will help you not be one.
SQL is all to common in websites now a days. That isn’t a bad thing, but WordPress in particular always uses SQL databases in order to function. If you are unfamiliar with SQL, check out this post before proceeding further.
SQL injection is the process of querying a SQL database with a malicious “payload” such that a hacker can manipulate a database without permission to do so. This could mean they exfiltrate the login data of your users, or delete a valuable table inside of your database schema. This kind of attack is very dangerous and can cause potentially catastrophic damage to any website, but particularly a WordPress one. If one of the WP tables is damaged, it can break the site entirely!
This attack can be performed in several ways, but a common method is to put a SQL statement directly into a web form on your website. To protect against this kind of attack, you must verify the input of all your forms. This is also called sanitation, in terms of website input. Make sure that you only allow numbers, letters, or special characters when you have to!
Poor Website Configuration
You may be surprised, but many website logins still use their default configuration: as in username=admin, password=admin. Not as much of a “vulnerability” as it is being a little, unwise. If this sounds like your site, stop everything you are doing right now, and change your credentials! Threat actors can crawl websites and simply brute force these logins in less than a second. That’s embarrassing! Do not make yourself an easy target and fix this immediately.
Enumeration is synonymous to discovering. Username enumeration is finding out someones username for a site. This issue stems from feedback with your website’s login forms. When you incorrectly put in a username/password combination, what you should see is something like, “This combination is not valid”. If you were susceptible to this kind of enumeration, then when someone attempts to login incorrectly, your website would give feedback more like, “This username does not exist.”.
Why is this important? When you give information in the second example, now a potential threat actor knows that the username they entered does not exist on the site. As soon as they receive a different feedback, they know they have a correct username. In this way, they can build a list of usernames into your site.
To take it a step further, they can go through the signup process on your site and view your password requirements. If you don’t require special characters, or it must be a certain length, then they will know what kinds of passwords to try when they attempt to brute force a username’s login. I bet you never knew how much information you were giving out! Clever isn’t it?
Hackers are out there looking for simple targets. Fix these simple things and you will have a much better peace of mind on your security. For more WordPress hardening tips, check out this post. That is something that you can take to your customers too! More attacks explained in detail and how to defend them in later posts. Stay tuned.