Thousands of WordPress Websites Hijacked

Cybercriminals hijacked thousands of WordPress websites in September 2018. Learn how hackers carried out these attacks and what you can do to protect your business’s website.

Hackers hijacked thousands of websites in September 2018 and installed malicious code in them. All the sites were using the WordPress content management system. WordPress sites are a popular target for cybercriminals because they are so common.

The September Attacks

The security researchers who discovered the barrage of attacks in September believe that the cybercriminals accessed the sites through outdated WordPress plugins and themes. Once the hackers gained access, they modified the sites’ code for malicious purposes. For example, in some cases, the code sent site visitors to tech support scam pages. The cybercriminals also planted backdoors in the sites so they could easily access them in the future.

Don’t Become the Next Victim

Many small and midsized businesses use WordPress because it is free yet full-featured. If your business is one of them, you need to protect your WordPress site. A good place to start is to:

  • Keep the number of plugins and themes to a minimum. Each plugin and theme you use increases your site’s attack surface, so only use the ones your site needs.
  • Keep your site’s plugins and themes updated. It is important to install any updates released for your site’s plugins and themes. Besides providing new and improved features, the updates often patch any recently discovered security vulnerabilities. Outdated plugins and themes can give hackers the opening they need to access your site.
  • Update the WordPress CMS software. Although the hackers exploited outdated plugins and themes in the September 2018 attacks, they sometimes exploit vulnerabilities in the core WordPress software instead. Thus, you need to keep the core software updated.
  • Make sure your hosting service is doing its part. Your hosting service needs to keep its security measures up-to-date and regularly update its infrastructure. Failure to do so will leave your site vulnerable to cyberattacks.

There are also other measures you can take. For example, if visitors log in to any part of your WordPress site, you should implement a password policy or possibly use a two-step authentication system. We can evaluate your site and devise a customized plan to protect it from hackers.