5 Tricks Hackers Use to Gain Access to a WP Site
- October 16, 2018
Are you running a website? Do you know the top 5 tricks an attacker can use to get access to your website and ruin you and your business in no time? Or are you interested in knowing how websites get compromised?
This article is written especially for people who are eager to learn these tricks. We will not only discuss the top 5 tricks and methods; the mitigation for each step is described as well.
Every website runs on a web server. A web server is a program (both hardware and software) that hosts websites; attackers usually target software vulnerabilities and configuration errors to compromise web servers.
Nowadays, network and OS level attacks can be well defended using proper network security measures such as firewalls and IDS. However, web servers are accessible from anywhere on the web, which makes them less secure and more vulnerable to attacks.
The report below shows statistics on web application vulnerabilities.
Some of the most common attacks:
There is a long list of attacks associated with websites. Some of them are mentioned below.
- Cookie Poisoning
- Insecure Storage
- Information Leakage
- Improper Error Handling
- Broken Account Management
- SQL Injection
- Parameter/Form Tampering
- Denial of Service
- Buffer overflow
- Log Tampering
- Unvalidated Input
- Cross-site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Insecure Cryptographic storage
- DMZ Protocol Attack and many more
As mentioned above, there are many other attacks associated with websites. At PressTigers, we run a team under a Certified Ethical Hacker which aims to test website vulnerabilities and fix the issues. At the request of our clients, we perform security testing against the developed website and mitigate the issues. If your website is hacked, or you think that your website is compromised, you can contact us. Our expert engineers have regular security meetings and updates to deliver the best, optimized, efficient, and secure solutions.
Without wasting any more time, let’s jump over to the methodology attackers follow to gain access to a website/web application.
1) Reconnaissance and Footprinting
This is the very first step and technique. The attacker may perform active or passive reconnaissance, trying to get more information about your server, website, business, and the services running on the server.
The more information the attacker has, the more successfully the attack can be performed; it is simply like a war. Before a war, an army should have proper and detailed information about the opponent. The same goes for the hacking scenario: the attacker performs footprinting and banner grabbing techniques, trying to get sensitive information such as the running OS (Operating System) and OS version on the targeted server.
After grabbing the required information, the attacker maps all the information and makes the attack strategy.
Either change the server signature or disable it; if you are running WordPress, just turn off the WP version. You may check the following link to change the server signature [Future].
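A self-audit for the mitigation above, added here as an example and not part of the original article: it scans a captured HTTP response from your own site for the places where server and WordPress versions usually leak. The sample response and its version numbers are constructed for illustration.

```python
import re

# Constructed sample: a response as a default WordPress install might send it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.10\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><head>\n"
    '<meta name="generator" content="WordPress 4.9.8" />\n'
    '<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css?ver=4.9.8" />\n'
    "</head><body>Hello</body></html>"
)

VERSION = re.compile(r"\d+(?:\.\d+)+")

def find_version_leaks(raw_response):
    """Return (location, value) pairs that disclose a software version."""
    head, _, body = raw_response.partition("\r\n\r\n")
    leaks = []
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("server", "x-powered-by") and VERSION.search(value):
            leaks.append((name.strip(), value.strip()))
    # WordPress prints its version in a generator meta tag by default.
    for m in re.finditer(r'<meta\s+name="generator"\s+content="([^"]+)"', body, re.I):
        if VERSION.search(m.group(1)):
            leaks.append(("meta generator", m.group(1)))
    # Enqueued scripts and styles carry a version as a ?ver= parameter.
    for ver in sorted(set(re.findall(r"[?&]ver=(\d+(?:\.\d+)+)", body))):
        leaks.append(("asset ?ver=", ver))
    return leaks

if __name__ == "__main__":
    for location, value in find_version_leaks(SAMPLE_RESPONSE):
        print(f"{location}: {value}")
```

An empty result after hardening means none of these four locations still announces a version.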
2) Analyze Web Application
If you are running a CMS (Content Management System) or a custom application, the attacker tries to check the application version and its vulnerabilities. Most applications and CMSs publish updates about their latest versions and fixes, so the attacker also searches the website for vulnerabilities against a particular version.
In this stage, the attacker also identifies the entry points for user input. A form field that is not properly sanitized is very dangerous for the website. Once the attacker knows about the web application and has scanned for different vulnerabilities, the attacker maps the attack surface and starts the attack.
If you are running an old version, it is highly recommended to update the application or CMS. You should update to the latest version regularly, as soon as a new patch is available.
If you are using WordPress, update your core and plugins to the latest versions. A single plugin can be the door to compromising the whole website. You need to keep regular backups as well.
The picture below describes the information that an attacker can have and the set of attacks that can be performed against each piece of information.
Attacks that can be performed against a particular piece of information
3) Attack Authentication Mechanism
Attackers can exploit design and implementation flaws in web applications, such as failure to check password strength or insecure transportation of credentials, to bypass authentication mechanisms.
Suppose you are running WordPress and the attacker tries to log in with a fake username and password. The error message that appears by default for the username is “Invalid username/password”, and in case the attacker is using a correct username, WP will change the message to “The Password you entered for the email or username is incorrect”.
In the second scenario discussed above, this kind of error message clearly tells the attacker that the system found the username but the password is wrong. The attacker now knows the username and is a bit closer to gaining access.
Just update/change the default username/password error messages. It is also strongly recommended to change the default login URL and use the techniques mentioned below to secure the WP login.
- Google Captcha at time of Login / Register
- Login Lockdown
- Hide the default WordPress login URL if you are not accepting new registrations
- Click here to know how to add google captcha in login/register.
- Click here to check how to login lockdown.
- Click here to check how to hide WP login page or how to change default WP Login URL.
- Click here to check how to secure WP login/Register Pages.
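An added sketch (not from the original article, and written in Python rather than WordPress PHP) of two of the fixes above: one error message for every failed login, and a login lockdown per client address. The account, messages, and policy numbers are constructed assumptions.

```python
import hashlib
import hmac
import time

GENERIC_ERROR = "Invalid username or password."
MAX_FAILURES, LOCK_SECONDS = 5, 15 * 60        # assumed policy values

def _hash(password, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"editor1": _hash("correct horse battery staple")}  # constructed account

def leaky_login(username, password):
    """Message differs per failure cause, so it confirms valid usernames."""
    if username not in USERS:
        return "Invalid username."
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return "The password you entered is incorrect."
    return "OK"

class LockdownLogin:
    """One message for every failure, plus a lockout per client address."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}                     # ip -> (count, first failure time)

    def login(self, ip, username, password):
        now = self.clock()
        count, first = self.failures.get(ip, (0, now))
        if now - first > LOCK_SECONDS:         # window expired, start over
            count, first = 0, now
        if count >= MAX_FAILURES:
            return "Too many failed attempts. Try again later."
        # Hash the candidate before the lookup so both paths do the same work.
        candidate = _hash(password)
        stored = USERS.get(username)
        if stored is not None and hmac.compare_digest(stored, candidate):
            self.failures.pop(ip, None)
            return "OK"
        self.failures[ip] = (count + 1, first)
        return GENERIC_ERROR
```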
4) Password Attacking
Password attacking is not limited to the sets defined below. There are always thousands of ways to perform a single task when we talk about cyber security and web security.
Attackers crack the login password by trying all possible values from a set of alphabetic, numeric, and special characters.
To get the password, an attacker follows some particular steps:
(1) The attacker collects some valid session ID values by sniffing traffic from authenticated users.
(2) The attacker then analyzes the captured session IDs to determine the session ID generation process, such as the structure of the session ID, the information used to create it, and the encryption or hash algorithm used by the application.
(3) The attacker searches for vulnerable session generation mechanisms that use session IDs composed of the username or other information. Such sessions can be exploited by easily guessing valid session IDs, which fools the server and the application logic as well.
(4) The attacker can use a brute force technique or rainbow technique to generate and test different values of session ID until he successfully gets access to the application.
Your sessions should be secured and should use secure encryption/hashing methods. Do not use easy or dictionary passwords. Change your password every 15 days. Use a strong password with a minimum length of 32 characters. Never reuse a single password for any other service.
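The weak session mechanism from step (3) beside a hardened one, as an added example that is not code from the original article. The weak scheme (a hash of username and login time) is an assumed illustration of an ID composed of guessable information, and the audit function tests your own generator for that flaw.

```python
import hashlib
import secrets
import time

def weak_session_id(username, login_time):
    """Vulnerable pattern: the ID is built only from guessable inputs."""
    return hashlib.md5(f"{username}:{int(login_time)}".encode()).hexdigest()

def strong_session_id():
    """Hardened: 256 bits from the OS CSPRNG, unrelated to the user."""
    return secrets.token_hex(32)

def derivable_from_public_data(session_id, username, around, window=60):
    """Self-audit: can the ID be rebuilt from the username and a login time
    within `window` seconds of `around`? True means it is predictable."""
    start = int(around) - window
    return any(weak_session_id(username, t) == session_id
               for t in range(start, start + 2 * window + 1))

class SessionStore:
    """Server-side sessions: the ID is a random lookup key and nothing else."""
    def __init__(self, ttl=1800, clock=time.time):
        self.ttl, self.clock, self.sessions = ttl, clock, {}

    def issue(self, username):
        sid = strong_session_id()
        self.sessions[sid] = (username, self.clock() + self.ttl)
        return sid

    def validate(self, sid):
        username, expires = self.sessions.get(sid, (None, 0))
        if username is None or self.clock() >= expires:
            self.sessions.pop(sid, None)       # unknown or expired: reject
            return None
        return username
```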
5) MITM Attack / Sniffing Attack
Man-in-the-Middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end user and a web server. The attacker acts as a proxy in such a way that all the communication between the user and the web server passes through him. In a MITM attack, your account is compromised and the attacker has a copy of your sensitive information.
Let’s discuss a case study
Suppose that you have a subscriber on your website. If you are using WordPress, subscribers have very few permissions. The subscriber opens your website and logs in using his/her credentials. Assume that the subscriber account is compromised through a MITM situation. Because the attacker has the credentials of a low-permission account, the attacker can regenerate the session, steal the cookie, and gain the access of a higher user. This is called escalating permissions from the lowest-permission account; it is a bottom-to-top strategy.
Use SSL for all of your websites and communication. You can either buy an SSL certificate or get a free one by using the Let's Encrypt service. The PressTigers team can implement both the free and paid versions of SSL for your website and domain. Just contact us in case you need this service.
Make your users aware that you are using SSL, and show an error if the website is opened without SSL. Force the configuration to open your website every time with SSL. Check that SSL is implemented properly. Encrypt your sensitive traffic and data.
There are a variety of attacks, and new techniques for compromising web servers and the websites running on them keep being developed. Whether you are a developer or a businessman, PressTigers has equal opportunity for both of you. We deal with cyber security, web application security, and mitigation. We have discussed the basic and common techniques and explained how to mitigate and overcome them on your own. But if you need our professional services, we are always here to serve you.
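One way to check that SSL is forced and implemented properly, added here as an example and not taken from the original article: it audits the response to a plain-HTTP request and the headers of the HTTPS response. The three checks (permanent redirect, HSTS, cookie flags) are this example's choice, and the header values and cookie name are constructed.

```python
import re

def _get(headers, name):
    """All values of a header; headers is a list of (name, value) pairs."""
    return [v for k, v in headers if k.lower() == name.lower()]

def audit_https(http_status, http_headers, https_headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    location = _get(http_headers, "Location")
    redirected = (http_status in (301, 308) and location
                  and location[0].startswith("https://"))
    if not redirected:
        findings.append("plain HTTP is not permanently redirected to HTTPS")
    hsts = _get(https_headers, "Strict-Transport-Security")
    m = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if not m or int(m.group(1)) == 0:
        findings.append("no HSTS header with a positive max-age")
    for cookie in _get(https_headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    return findings

# Constructed samples: a site served over both schemes, then a hardened one.
WEAK = (200, [("Content-Type", "text/html")],
        [("Set-Cookie", "wordpress_logged_in_EXAMPLE=abc; path=/")])
HARDENED = (301, [("Location", "https://example.com/")],
            [("Strict-Transport-Security", "max-age=31536000"),
             ("Set-Cookie", "wordpress_logged_in_EXAMPLE=abc; path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for finding in audit_https(*WEAK):
        print(finding)
```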
Written By: Ali Shan