WordPress Vulnerabilities

These days it’s hard not to find articles regarding Cyber-Security issues within WordPress. Between major ecommerce plugins having issues with their Flexible Checkout Fields to various issues with XSS within several different plug-ins, it can feel like its not a matter of if, but when your WordPress site will have issues.

This post goes over what you can do as an owner of a WordPress site to bolster the security on your site, what to look out for as early indications that you are hacked, and what to do if the unthinkable happens and your site has been hacked.

As it was reported by Łukasz Spryszak, WooCommerce was made aware of a major issue involving their Flexible Checkout Fields that allowed hackers to create admin accounts within the victims WordPress site. As a result, users of the plugin have been told to keep an eye on their user accounts with specific concern for any new accounts that are created that should not exist.

Below are some helpful tips to detecting malicious behavior in your WordPress site and ways to prevent any hackers from gaining control or access.

Know Your Site

The more familiar you are with your site and the users on your site the less likely attacks like the WooCommerce attack are going to be able to take hold. Any strange new plugins that you didn’t install. Any new accounts that are made without your knowledge. Anything strange that occurs should inform you as the user to look deeper into your account.

Know Your Plugins

It can be tempting to have as many plugins to accomplish as many things as possible within your WordPress. This can lead to having plugins installed that you are not even utilizing. Make sure that you keep up with what your plugins are installed to do. If you are not using them, uninstall them.

In addition to only installing what you need. Be sure to do research into the production companies that are providing the plugin and the history of the plugin itself. A quick internet search of the plugin name should reveal any sordid history the plugin may have. If there have been issues, pay attention to what happened after the bug was made public. Did the company release a patch ASAP or did they wait until social pressure forced their hand?

Update Update Update

Not just your theme! Keep your plugins up to date. As mentioned above, if there is an issue with a plugin, they will likely release a patch to fix the issue. This patch can ONLY be effective if you install the update containing the patch. I know it can be easy to get bogged down with notifications in today’s internet but your WordPress (and the plugins that allow your WordPress to run effectively) is the face of your company, keep it updated.

Backups Are Your Friend

There is a reason that virtually every webhost and web design system has outlined ways to backup your entire site on an offline source. Primarily it is because we are all human and humans make mistakes. Having a backup before any major changes (or a regular backup) secures the way the site was and gives us something to go back to if the changes mess something up. Secondarily, if you backup your site offline and a hacker holds your site hostage or deletes your information you can use the backup to keep yourself from having to start over again.

Backups are the first thing anyone that has had to completely redo their site from the ground after a hack WISHES they had done before the incident occurred. Don’t end up in that trap. Search the internet for how to information regarding backups particular to your hosting provider and backups pertaining to WordPress and follow the steps. Keep your site and save yourself the headaches.

Finally, what do you do if your users tell you that they have tried to go to your site only to find an internet pharmacy or other redirect?

First of all, take a deep breath. This is not the time to panic. This is the time to utilize the steps you took to prevent hacking (specifically the tip above about BACKUPS) to get your site back.

The first thing you want to do (After you have calmed down), is review all the accounts you have added to your webhost site as well as the WordPress site. Look for accounts that exist that should not and delete those accounts. This process will vary based on your webhost service but WordPress has a well written My Site Was Hacked FAQ page that can help with the WordPress side of things.

If a hacker has erased your site’s information or they are holding your information hostage BUT you have followed this advice post and have a backup offline you can follow the instructions posted by almost all web hosting sites to restore your backup and get back to the site you had before the attack. If you do not have a backup, then you can either hope internet archival sites like the Wayback Machine have captured your site so you can recreate it, or you can use this as an excuse to completely start your site over from scratch.

Randy Rice is a lifelong tech enthusiast with experience in company security compliance assessments. He has been with JLGOV since 2019.