What Hackers Do With Compromised WordPress Sites

We often talk to site owners who are surprised that their sites are targeted by attackers. Most of them assume that if there isn’t any juicy data to steal, like credit card numbers, then compromising their site is a worthless exercise. Unfortunately, they are wrong. Aside from data, a compromised site’s visitors can be monetized in various malicious ways, the web server can be used to run malicious software and host content, and the reputation of the domain name and IP address can be leveraged.

Last month we ran a survey that included the following open ended question for people who reported that their site had been compromised:

What did the hackers do to your site?

We received a total of 873 responses that could be categorized, which we did by hand. The chart below reflects the results. Many of the responses described multiple categories, so the percentages on the chart below deliberately add up to greater than 100%.

We did not include categories for “installed backdoor” or “installed malware”. We consider that to be more of a means to an end. Instead we focused on answering the question, “what’s in it for the attacker?”.

[Chart: what attackers do to compromised WordPress sites, by percentage of responses]

As you can see from the chart there are a wide variety of things that attackers are doing with compromised WordPress sites. Let’s take a look at each of them, so we can better understand the motive behind the attacks that we are constantly defending against.

Defaced Site / Took Offline

In some cases hackers replace your content with their own. The most common was political content from terrorist groups and the like. The next most common was hackers simply bragging that they hacked your site. In all of these cases the attacker is doing absolutely nothing to obscure what they have done; anyone who visits the site immediately knows that you’ve been hacked.

In other cases the attackers just destroy your site in some way, taking it offline. Based on what we see when performing forensic research on hacked sites, in the majority of these cases the attacker just screwed up what they were doing and accidentally took your site down.

Example of defaced website courtesy of opennet.net

What’s in it for the attacker?

For the attackers who replace your site with political propaganda, your site is just free advertising for their cause. Those that brag about taking your site down are looking for recognition.

Send Spam

Spam email continues to be a huge issue. According to Statista, 54.4% of all email traffic on the internet was spam in December of 2015. According to our survey respondents, 19.8% of compromised WordPress sites are used to send email spam.

In many cases the site owner was not aware that it was happening for quite some time. In some cases they notice a slow down in site performance or a spike in server utilization that tips them off. Or their host recognizes it and alerts them.

Unfortunately a very high percentage don’t find out until their domain has been blacklisted by spam watchdog services like Spamhaus. If you depend on email for communication with your customers or others it can have devastating consequences.

What’s in it for the attacker?

The attacker gets two huge benefits. First they get to use the server resources that you’re paying for free of charge. Second, until they ruin your reputation, their email delivery benefits tremendously from originating from your domain and IP address. Ultimately they are trying to get people to click through to their malicious websites.

SEO Spam

There are a number of ways attackers can leverage your website to improve their search engine rankings. The first is to simply host pages on your domain, accruing the benefits of your Domain Authority and clean reputation. Example page below.

The next is to plant links throughout your site to the site(s) they want to give an SEO boost. Since backlinks are still the most important SEO ranking factor, an attacker who compromises a large number of sites can game search engine rankings in a big way.

Many of our respondents used the term “pharma hack” to describe this type of attack, because it has recently been used a lot to boost the rankings of pharmaceutical sales sites.
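Links planted for SEO spam are usually hidden from human visitors with inline CSS or the `hidden` attribute so that only crawlers see them. The scanner below is an added example (not code from the original post or from Wordfence) that walks a page's HTML and reports outbound links sitting inside a hidden element; the hiding-style list, the sample page and the `bakery.example` host name are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that make an element invisible to a human visitor
# while crawlers still index it (assumed list for this example).
HIDING = ("display:none", "visibility:hidden", "font-size:0", "opacity:0",
          "left:-", "top:-", "text-indent:-", "height:0", "width:0")
# Void elements never get a closing tag, so they must not touch the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class HiddenLinkFinder(HTMLParser):
    """Collect outbound <a href> targets that sit inside a hidden element."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.hidden_stack = []   # one entry per open element: True if hidden
        self.findings = []       # (href, anchor text)
        self._current = None     # link currently being collected

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        style = "".join((a.get("style") or "").lower().split())
        hidden = "hidden" in a or any(h in style for h in HIDING)
        inherited = self.hidden_stack[-1] if self.hidden_stack else False
        self.hidden_stack.append(hidden or inherited)   # hiding is inherited
        if tag == "a" and self.hidden_stack[-1]:
            host = (urlparse(a.get("href") or "").hostname or "").lower()
            if host and host != self.site_host:          # outbound only
                self._current = [a["href"], ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.findings.append(tuple(self._current))
            self._current = None
        if tag not in VOID and self.hidden_stack:
            self.hidden_stack.pop()

def find_hidden_links(html, site_host):
    """Return [(href, anchor_text), ...] for hidden outbound links in html."""
    parser = HiddenLinkFinder(site_host)
    parser.feed(html)
    return parser.findings

# Constructed page: one visible legitimate link, one off-screen block of spam
# links, and a hidden internal link (ignored because it stays on the site).
SAMPLE_HTML = """<html><body>
<p>Welcome to our bakery. <a href="https://bakery.example/menu">Menu</a></p>
<div style="position:absolute; left:-9999px">
  <a href="http://pharma-spam.invalid/buy">cheap pills</a>
  <a href="http://casino-spam.invalid/">online casino</a>
</div>
<span hidden><a href="https://bakery.example/about">about</a></span>
</body></html>"""

if __name__ == "__main__":
    for href, text in find_hidden_links(SAMPLE_HTML, "bakery.example"):
        print(f"hidden outbound link: {href!r} ({text!r})")
```

Run it over the saved HTML of each page (or a site crawl) rather than the live database, since the injected markup may be generated by a theme or plugin file rather than stored in posts.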

Example of an HTML page that an attacker hid on an infected site.

What’s in it for the attacker?

As I’m sure most of you know, ranking well for popular search terms is a great way to drive traffic to websites. By gaming the system with SEO spam, attackers are able to divert traffic away from legitimate sites toward their own.

Malicious Redirect

Redirects are an incredibly effective way for attackers to funnel traffic to malicious websites. The unsuspecting user doesn’t have to click on a hyperlink or advertisement for it to work; they are taken there directly.

Sometimes the attacker will take a very aggressive approach, redirecting all traffic to a malicious site or sites. But in many cases the attackers will employ measures to avoid detection, such as only redirecting some URL requests, and in some cases only activating the redirect for specific browsers or device types.
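Because a selective redirect only fires for certain browsers, devices or referrers, a site owner checking from their own desktop often sees a normal page. The script below is an added example (not code from the original post or from Wordfence) that fetches a URL under several request profiles without following redirects, extracts the destination from the HTTP `Location` header, a meta refresh or a JavaScript `location` assignment, and flags the site when the profiles disagree. The profile names, header strings, regexes and the constructed sample responses are assumptions made for the example.

```python
import re
import urllib.error
import urllib.request

# Request profiles to compare (assumed names and header values).
PROFILES = {
    "desktop": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"},
    "mobile": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) Safari/605.1"},
    "from_search": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0",
                    "Referer": "https://www.google.com/"},
    "crawler": {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
}

META_REFRESH = re.compile(r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*>', re.I)
REFRESH_URL = re.compile(r'url\s*=\s*["\']?([^"\'>\s]+)', re.I)
JS_REDIRECT = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*(?:=|\.replace\()\s*["\']([^"\']+)["\']', re.I)

def redirect_target(status, location, body):
    """Destination a browser would be sent to, or None if the page simply renders."""
    if 300 <= status < 400 and location:
        return location
    m = META_REFRESH.search(body)
    if m:
        u = REFRESH_URL.search(m.group(0))
        if u:
            return u.group(1)
    m = JS_REDIRECT.search(body)
    return m.group(1) if m else None

def cloaking_report(observations):
    """observations: {profile: (status, location_header, body)}.
    Returns (targets per profile, True if the profiles do not all agree)."""
    targets = {name: redirect_target(*obs) for name, obs in observations.items()}
    return targets, len(set(targets.values())) > 1

class _NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx instead of following it

def fetch(url, headers, timeout=10):
    """Fetch once without following redirects; returns (status, Location, body)."""
    opener = urllib.request.build_opener(_NoFollow)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=timeout) as r:
            return r.status, None, r.read(262144).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), ""

def check_site(url):
    return cloaking_report({name: fetch(url, h) for name, h in PROFILES.items()})

# Constructed sample responses standing in for a live fetch: only mobile and
# search-referred visitors are sent elsewhere, the selective behaviour the post describes.
SAMPLE = {
    "desktop": (200, None, "<html><body>Welcome to the bakery</body></html>"),
    "crawler": (200, None, "<html><body>Welcome to the bakery</body></html>"),
    "mobile": (302, "http://redirect-target.invalid/landing", ""),
    "from_search": (200, None, '<html><head><meta http-equiv="refresh" '
                   'content="0; url=http://redirect-target.invalid/offer"></head></html>'),
}

if __name__ == "__main__":
    targets, cloaked = cloaking_report(SAMPLE)
    print("cloaked" if cloaked else "consistent", targets)
```

Replace `SAMPLE` with `check_site("https://your-site.example/")` to test a live site; a disagreement between profiles is a strong signal, though a legitimate mobile-only redirect can also trigger it, so read the targets.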

What’s in it for the attacker?

The motive here is simply to drive traffic to their malicious content.

Host Phishing Page

Phishing pages attempt to fool the visitor into providing sensitive information. In some cases they impersonate a bank or retailer and try to get you to give them valuable information like credit card numbers directly. In others they try to capture your username and password to various sites, including your WordPress site if you’re not careful.

Phishing page example courtesy of eff.org

What’s in it for the attacker?

The value of your credit card number is obvious. They can use other data to break into important online accounts, use it for social engineering or spear phishing attacks or to steal your identity.

Distribute Malware

Once they have compromised your site, attackers can install malware that in turn installs malware on your website visitors’ computers without their knowledge. This is an incredibly scary proposition for you as a site owner.

If Google detects that it is happening they will flag your site via their Safe Browsing program. This will cause your SEO traffic to drop significantly. For more details please read our recent blog post on the impact of a hacked website on SEO. Worse than that, site visitors who are infected will not be happy with you.

The impact to your reputation could be significant and long lasting. Luckily only 2.9% of respondents reported this.

What’s in it for the attacker?

Installing malware on hundreds or thousands of your site visitors’ computers gives the attacker direct access to steal information from them or wreak havoc on them.

Steal User Data

Given that most people we talk to assume that attackers are interested in stealing their data, we were surprised to learn that only 1.1% of our respondents reported it happening.

We think the main reason is that the majority of WordPress sites do not store sensitive data beyond user credentials for that site and maybe email addresses. It would also be very difficult for the owner of a hacked site to detect data theft if it occurred, so the numbers are likely understated.

What’s in it for the attacker?

Stolen user credentials could be used to regain entry to the site, even if the site has been cleaned. The username / password combinations can also be tried on other sites in the hope that the user reuses passwords.

Stolen email addresses can be used for spamming. Obviously more sensitive information like credit card numbers would be even more valuable.

Attack Site

In some cases an attacker will decide to use your web server as a platform to launch attacks on other websites. This is relatively rare based on our respondents, who only reported this happening 0.7% of the time.

What’s in it for the attacker?

The attacker gets to use your server free of charge for their malicious activities. They are also much more likely to slip past their targets’ defenses with the attack originating from your domain and IP address, at least until they ruin your reputation.

Ransomware

Ransomware is malicious software that blocks access to your website and demands that you pay a ransom in return for having access restored. This kind of attack has been receiving a lot of attention on blogs and in the press recently. So we were surprised to have only 0.6% of respondents report it.

A screenshot of the screen that TeslaCrypt displays when your files are encrypted. Courtesy Bromium Labs.

What’s in it for the attacker?

If you don’t have backups that you were able to keep out of the hands of the attacker, you may decide that paying the ransom is worth it.

Host Malicious Content

Hackers will very often use your web server to host malicious files that they can call from other servers. They are essentially quietly using your hosting account as a file server.

What’s in it for the attacker?

The attacker gets to store their files free of charge on a server with a domain and IP address that have a squeaky clean reputation.

Referrer Spam

If you use Google Analytics you are likely familiar with referrer spam. Referrer spam is bot traffic to your site set up to look like it is coming from a fake referrer. The spammer is trying to get the website owner to check out where the traffic is coming from, driving traffic to the spammer’s site.

Referrer spam example courtesy of phpmatters.com

What’s in it for the attacker?

As with a lot of the nefarious attacker activities we have already described, they get to use your server free of charge under the cover of your pristine IP address. Their ultimate goal is to drive traffic to one of their websites for reasons that often turn out to be malicious.

Conclusion

If you were of the opinion that your site couldn’t possibly be of interest to hackers, we hope that this post has changed your mind and given you some insight into their motives and methods.

Regardless of what you use your site for, how much traffic it gets or how inexpensive your hosting plan is, an attacker can figure out how to make use of it if they can break in. To learn about how attackers gain access to WordPress sites, check out our blog post from last month.

Comments

29 Comments
  • A very interesting read, thank you for putting this together. While I have only seen a few of these examples it is interesting to see the frequency of them based on your sample. Many of these attacks require access directly to the hosting. While it is conceivable that they may all come through WordPress through the addition of a plugin, I suspect it is unlikely in all cases. Did you get any feedback that suggested the sites themselves were clean, but the hosting was compromised? Have the recent changes in WordPress; for example the automatic generation of strong passwords made it more difficult for hackers to get into a site through a brute force attack?

  • Great article - it certainly answers the most popular myth most business owners have: why would someone want to attack my web site?

    I would suggest that 95% of the hacked sites we have had to fix were attacked for spamming of emails: either they set up an entire web site inside the client's site or they set up a spamming engine to send out as many emails as possible before they are shut down.

    We now deploy Wordfence on all our WordPress web sites and we have found it to be very helpful in knowing the nature and location of the attackers.

    As you mentioned in previous blog entry - the most prevalent way hackers get in is via old plugins or to a lesser extent - old themes. So eliminating unused plugins and themes and keeping the active ones up to date is a great start to protecting your web site.

    Further hardening of your web site can also help keep the hackers out.

  • Thanks for this summary. Almost all of my website clients tell me that "we have nothing to steal. Why would anyone want to hack us?" This gives me a single place to send them to read about why security is so important, no matter how small you are.

    • That's what I thought myself! I hadn't heard of WordPress hacking and really didn't see why anyone would bother on little, non-e-commerce sites like ours... until they did, big time. Suffered infected files all through the file system, redirects and user/password hacks - a big mess.

      Lessons learned!... and huge thanks for Wordfence for their products and information on this topic.

  • Really useful read, especially the examples of each type of attack. My personal experience of compromised WordPress sites is very similar to your stats (email spam, porn links), with malware and user data hacks much more of a concern for my Magento clients.

  • I congratulate you all. A beautiful subject, website against hackers. You need to take precautions.

  • GREAT ARTICLE! I was literally just asked this by a client. I came up with the SEO and Spam off the top of my head. But your article is very thorough.

    The most common ones I have seen match your top three: deface, SEO and Spam.

    Nice article. Thanks.

  • Very helpful article!

    I agree - some clients feel that they wouldn't be a target because they don't have anything to "steal" by hackers.

  • The site was compromised during development. We found that the hacker inserted code in pages to display ads from another website. With the number of nagging ads on many sites, one does not know if the ads are real or if the site is hacked. The ads look legitimate.

  • I am surprised not to see ad posting anywhere on your list. One site I manage was hacked by someone who was extremely determined to get Google ads on the site. I was puzzled by this, as the hacker had access to site traffic stats, and they didn't seem to justify the persistence of his/her efforts.

    Ultimately I prevailed (with the help of Wordfence), but I'm still mystified as to why the hacker went to so much trouble when the site couldn't have generated more than a few dollars a month, at most. However, it's a great example to persuade other clients that there is no such thing as a safe neighborhood on the internet.

    I also find the Wordfence dashboard widget helpful for this, and make sure it is installed on every client site. It is more persuasive that the danger is real than anything I can say, and I find that they become much more interested in eliminating risky usernames, strengthening passwords, and other security measures once they see how many people are trying to access their site with their own eyes!

    MANY thanks for all you do. I can't say enough good things about Wordfence.

  • Interesting and nice coverage, but you fail to tell us how they do this and how to eliminate SEO spam. Google will ding and even label your site as hacked thus degrading your ranking. So Google becomes quite pernicious in these instances.

    How to track the source and eliminate these links? That is the goal that you do not discuss. Hosting companies are clueless with regards to these vital subjects.

    • Hi Philip,

      We've done plenty of work in that area along with others. See this article and please dive into our Learning Center - it is an excellent resource for WP admins and security pros.

      Mark.

  • Very informative article. Thanks for sharing. Is referrer spam a sign that a website has been hacked? We see that many a time and keep on adding them under filters in Google Analytics.

    • Referrer Spam isn't a sign that your site has been hacked. It is originating from another server, potentially one that has been compromised by an attacker. It is very common, in fact I haven't seen an example of a site yet that didn't have it showing up in Google Analytics to some extent.

  • I had a client last year that was hacked, restored, hacked, restored again and then demolished in a final hacking. We never did find out what the security leak was. I'm convinced it was either the host (fatcow) or a plugin (client was running about 30 of them).

    The hackers (a group out of Pakistan) left a message in a text file: “hacked by Pak Haxor”. They hit WordPress sites. I still don’t know why.

  • Thanks for another well-written and very informative article that will help us all to teach clients the value of security. I suspect the less-obvious types of hack may be far more common than suggested, simply because folks can't report what they haven't noticed. Without a system like WordFence scanning files for changes, many site owners might never discover that their site was delivering malware to their visitors, for instance.

  • Ransomware not only affects access to your website, it Encrypts All Files on a PC. Although it may not be so common, it does pack a huge punch if your PC gets infected.

    I had someone infected with ransomware on their PC. All photos, documents, and other files were not accessible... Backups? Yeah, but that secondary hard disk was installed as a D: secondary drive and it also was infected. Being beyond my pay grade, to help them out I referred them to a local PC repair shop. Long story short - pay the ransom and hope the people behind the ransomware oblige and remove the ransomware... or format and start over, losing everything!

    So although ransomware has a small % of infections, it does need to be taken seriously.

  • Thank you for an informative post and a very useful plug-in.

  • Great article. However, I sure wish you folks covered ways to fix or prevent the problems. Or are we to assume that Wordfence will do this already?

    • Hi Ken,

      Yes we do a lot of it already, but please see wordfence.com/learn/ which is a massive learning center we created free for exactly that purpose.

      Mark.

  • This is a very timely article as we were just discussing this at the weekend with a group of business friends.

    All of the above are big problems and client analytics has become a mess/headache off the back of such hacks and Referral Spam! grrrr

    We linked out to this as soon as we saw it (I'm sure you'll notice it).

    Great work!

  • One category we found multiple times was FTP accounts created that looked genuine as created in the name of the user of the WP site, and containing collected information that were heavily redistributed. There was no signs of hack on the website itself but the infrastructure was hosting large amount of encrypted files. Reaching the max traffic allowance on the site after just a week indicated that there was a problem.

    We also found that many hacks were happening through a soft server and that WP did not get compromised initially, but the attacker came directly through hacking the server. As a result, all sites on the same IP were infected. This is how we could prove to the hosting company that it was not a WP deficiency, but that all other sites on this farm were compromised.

    Bernard Collin, Safecoms

  • Great article, really informative.

    Is there some chance to see it translated into other languages (Italian in my case) or to translate it in some way with full credits (asking much, I know)? I would love to show this to some clients.

    • Thanks for the feedback Andrea, we will consider adding multi-language versions.

  • Thanks for another great article and keepin' the bad guys out with Wordfence.

  • Thanks for this article. I wrote something similar in German on my blog. http://www.henning-uhle.eu/informatik/was-hacker-mit-webseiten-anstellen-koennen Maybe the pingback is not coming.

    Thank you for your work. I would use Wordfence on my blog, but my hoster does not allow it. And so I do my very best to keep the bad guys out by myself.

  • One of the better, more comprehensive WordPress security posts we've seen. There definitely seems to be even more of a spike in 2016. Hopefully WP core can make security a majority priority for future releases.

  • The problem is that most of my clients think they are too small, they are not interesting and that hackers prefer to attack the famous sites ..

    Unfortunately, all data can interest hackers ...