Recently one of my close friend's WordPress sites got attacked and he approached me for a possible solution. After some basic assessment I found that the attacker had accessed the database and deleted the entries from the wp_users table. After restoring the values, the site started working smoothly again. That experience inspired this article. Before we start, let's look at the likely reasons for such an attack:
- Site hosted on a vulnerable server: Most of the time a WordPress site gets attacked because the server itself is vulnerable, since WordPress core is well protected against the common attacks. So chasing after cheap web hosts isn't a good decision.
- Badly configured WordPress installation: Most of the time the site isn't properly configured in terms of security, which opens the door to many exploits.
Now let's walk through an attack scenario to understand the topic better:
The attacker first compromises the most vulnerable site hosted on the server. He then uploads a script known as a shell and tries to traverse the whole server, which gives him access to many websites. Most of the time a symlink attack is used to reach all the domains hosted on that particular server, which in turn exposes the wp-config.php file of any site running WordPress. With the database credentials stored in that file, the attacker connects to the database and simply adds a new user or changes the password of an existing one. Finally he logs into the admin panel and modifies a theme or plugin to include the shell, and thus gains full control of the site.
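Two of the steps above leave traces a site owner can check for: a wp-config.php that other accounts on the server can read, and a theme or plugin file that changed when nobody updated it. The following is an added example (not code from the original post) that baselines the PHP files under wp-content/themes and wp-content/plugins and flags any wp-config.php readable by group or others; the site layout and directory names are assumptions based on a standard WordPress install.

```python
"""Added example: file-integrity baseline and wp-config.php permission check
for a WordPress install. Assumes wp-config.php sits at the site root and
PHP code lives under wp-content/themes and wp-content/plugins."""
import hashlib
import os
import stat

WATCHED_DIRS = ("wp-content/themes", "wp-content/plugins")


def sha256_of(path):
    """SHA-256 digest of a file, read in chunks so large plugins are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(site_root):
    """Map every .php file under the watched directories to its digest."""
    digests = {}
    for sub in WATCHED_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(site_root, sub)):
            for name in files:
                if name.endswith(".php"):
                    full = os.path.join(dirpath, name)
                    digests[os.path.relpath(full, site_root)] = sha256_of(full)
    return digests


def diff_baselines(old, new):
    """Files added, removed or changed since the baseline was taken.
    A changed theme/plugin file with no update behind it is the trace the
    'edit a theme to drop in a shell' step leaves behind."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
    }


def wp_config_is_exposed(site_root):
    """True if wp-config.php is readable by group or others. A symlink attack
    from a neighbouring account on the same server relies on exactly that;
    chmod 600 (or 400) with the web user as owner closes it."""
    mode = os.stat(os.path.join(site_root, "wp-config.php")).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))
```

Store the baseline dictionary off-server (a file-integrity check on a compromised host can itself be tampered with) and re-run the diff after every legitimate update so the baseline stays current.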