How Hackers can access WordPress Websites

Richard Norman was kind enough to come along to the Glasgow SEO Meetup and talk about how hackers can easily access your WordPress websites and had some general tips and advice to demonstrate how hackers can get a whole heap of other information from you, showing you Phishing techniques and how these guys can easily trick you into handing over all your data. This was all done with a view of being able to protect yourself from this happening to you or your business, watch the video to find out everything Richard spoke about.

Transcribed version of the video

Good evening. How’re you doing? My name’s Richard Norman. So I should explain who I am this evening. My name, well my name is Richard Norman, and I am basically a software architect, I’m a programmer. I’m somebody that writes code, I’m somebody that can access a bridge into a number of other communities.

So, one of the things I do, is I’m very involved obviously with the technical community and innovation. I also bridge into the infosec and the cybersecurity community. So what I really wanted to do tonight was come along and try to give you some really good advice and knowledge bombs. Right? Straight in from the security community about how you run your websites, about how you secure your websites, and some of the things that you’re going to look out for, some of the things that potentially might be a bit scary for you.

So I’ve asked you tonight here, just to go to blackpage.co.uk, nothing bad’s going to happen if you have your browser open. All right? What we’re gonna` do is do some fun stuff with this. What really what I’m trying to do – watch yourself – what I’m really going to try to do tonight is give you three kind of really good lessons about how you can secure your websites.

About three things that are really important for you need to be aware of, and if you’re gonna exist on the wider internet. So, if you’ve gone to the black page, I’m going to ask Connor now to open it – we’ve never done this, by the way, before, so if it opens a bit horribly wrong, right, this is what happens.

So I’m going to explain what this is. So, we’ve asked you to go to the black page, and by going to the black page, what you’ve done, you should see this page here, which is asking you to participate in the demo. If it switches it back to the other one, this is the tool, this is the framework that’s picked you up because you’ve gone to that website.

Live Phishing Example

So essentially, if you look on the black page on your own phones, if you f12 this what you would see is a little bit of JavaScript. Just a single line of script tag, right? With hook.gs on it. And just by having that bit of script on a website, what it’s done is it’s hooked you right? And this is what you’re looking at here. You’re looking at all your phones, all your IP addresses of everybody’s phones, everybody’s devices that have gone to that website. There’s nothing on that website. If you look at our website, there are about twenty characters of html. Just the h2 tags, just the message.

And you can see down here, it says mobile tree. You can see all the various exploits and things that we can do to you just because you’ve joined that website. Just because you’ve gone to that website. Just because you went there, just because that script tag executed. This is all the stuff, if Connor scrolls down it. There some really, really nasty… none of this stuff we’re doing to you tonight. We’re just having a wee bit of fun tonight, right?

But there’s a load of stuff in there and you can see the variety of stuff that’s coming in here. This is how dangerous it is. This is the sort of stuff that’s out there to come and get you. Right? I don’t want to scare you too much.  So what this is, we go back to the other page. If Connor can switch across quickly to the top we’re going to try to put it back to the other one, into the actual black page. It’s at the top, right at the very top. It’s just because it’s been… you’ve got it over there? And so what this is going to do is going to try to do a few of these kinds of things to you, if he finds it. Got it? No, scroll up it’s because he’s got it on…go right on there.

Exploits available when Phishing

So he’s going to run a couple of exploits on this browser, on the screen and also Colin’s one, which has actually gone off Pretend its 1997. This is the days of Microsoft, right? Remember those days? Got this one? Just about, here we go. Right, takes to be certain cause we’re on our phone and all these fucking wifi is not working. There we go Remember the day’s when we used to ask these things? Hey do you wanna upgrade your browser?

To explain what this is doing its all JavaScript. All right so this is the same technology that most of you use when we’re doing anticipated leave. You know finally do it in the end and find when you protect and you  right in the screen and you pop up your message box right, to say hey! Join my mailing list. Right? This is exactly the same technology. Not just the warnings. There’s no anti-virus kicking at this point. Nobody’s telling you anything. Nobody’s saying this is bad, right? This is just stand up technology. Right?

And just all of a single Javascript, then you guys use last pass, right? You’re gonna use password managers, you use this. I have to look as this stuff right okay. Mad, right?. And so this is all happening in the browser. This is all basic because controls the browser. You can see this here. It’s a prompt digit. You wanna save end to your last part. You were just sitting there looking at the browser and this in front of you. Maybe use Gmail. Maybe you’re a regular Gmail user and you wanna Gmail, right? Got it? Just about.

Not really. And so, all this is done in the background, right? Just of a single line of script tag, We’re gonna get there finally. technology there you go, fantastic, wait now you gonna log in to Gmail. And all of this is controlled from his other lap, he’s not touching the see the laptop is running this. There’s nobody touching this, there’s nobody touching the keys, nobody’s touching mouse, right? It’s doing this on its own. And this is classy fishing techniques. And this is all happening off a single XSS and a single script tag. Yeah? So, we head back to the presentation. Probably we come back to the presentation now. This is a difficult platform

Cross Site Scripting

He’s had to do this. Had to do all of this. Nice page. There we go. So what it says is known as Cross Site Scripting. This is my advice to you. Right? A single script tag, you can see it there. It says there’s a down often a single script tag.

This framework that we just shown you here, its called BEF. It’s called the Browser Exploitation Framework, right? It’s a tool that bout for penetration testers for hackers. It’s freely available. Just go online right now and download it and set up for yourself if you wanna try it. Right? It’s all there. And take control of somebody’s browser. And so what the lesson is here and hat the message I’m about to bring the first one of my lessons for you tonight is be very very careful of two things.

First of all the bottom one, which is who do you like access to your work site. Like who do you like have authoring access to your website, because if you like somebody that can offer you a webpage on your website, and they could wanted the script tags onto one of your webpages well guess what? All of your customers, get hit with one of these. Right? But that’s not the really scary thing cause you’re thinking what I don’t giving him the access to my website, But, what you could do is actually really exposed on this is the second put the XSS Cross Site Scripting.

And so it’s any circumstance but you ask a user, Every time you put a form upon your webpage, right? With a submit button, let us know what you think. Fill on these comments, right? Contact forms 7, word press comments that’s gonna think. You have to be very conscious of not allowing script tags. Because the moment you allow somebody to place a script tag into your phone box, right? They can have a submit button and just jack all your users. Right? Does this make sense? Has anyone here jacked a backline off a forum? I know has. Right? He’s not paying attention. You must have done that has is probably what’s going on and you been into a forum post. You’ve gone on to the forum and said ‘ hey I wanna back line off that forum so I’m gonna AAA’ blah blah blah and you manage to get a backline off that forum.

Well this is exactly the same stuff. If you’re developing stuff, if you’re creating new things, right? In PHP, you have to explicitly handle this stuff. You have to check for this stuff. You have to make sure the people aren’t allowed to do this sort of kinds of stuff. Otherwise, you expose yourself to a Cross Site Scripting attack.

All it takes somebody to turn it on, copy and paste that script tag into your forum box, hit the submit button and guess what? They’ve got all of your users. Wow, isn’t that fun? Right? So last lesson, number 1, you understand, what I’m talking about here, you comfortable with this?  So that’s lesson number 1.

WordPress Plugins are Vulnerable?

So lesson number two here, tonight is all about plug-ins and word press. Right? Jill get used of word press as an actually word press core the actual build of word press is fairly secure. Yes, there’s a million of users using word press. If there’s an exploit, if there’s a hole, a gap, something found, actually they’re failing you to fix it, right? There are a million users using it. But you don’t word see for plugins. See for things.

You’re probably looking at your phones now Changing your website will re-direct you to different places where some of these can pop up on your screens. Right? Because we’ve got control of your browsers. Right? Just by having a single script tag on that its there. So, these are the concerns for the word press users. Right? The activation is back. The files are still there. Right? PHP file on your server. Right? Okay, it doesn’t show up on your word press but you know what the PHP found that’s still there? Somebody that can still access it.

If there’s a scanner that gets run on top of your website and it finds that PHP file, even if it’s an old plugin and you left it there for the last six months, you haven’t bought new cause you activated, well guess what they can just exploit it. Right? So delete your plugins. Don’t leave them sitting there. Don’t leave them lying. Right?

The second thing is its really difficult for me to explain this to you. As not many of you are developers. Generally speaking among the development communities quite annoying these days. That’s used to be the back home. Those plugin developers aren’t aware of this. For the record, For any of you interested in PHP, you need to write parametrized.

The third thing here is in the back, there the last one where well-known file upload exploit. Which is basically any plugin that allows the upload of a file, especially if you can change the name of the file. Because I can upload a file into your website right? And I can change the name of that file to ..forward/..forward/ content. Plugin steams, WP login.PHP, right? And you’re like sorry that’s not what I asked for, I thought you were uploading an image file.

Well no actually I’m gonna upload a PHP file to your website right? The plugin developers doing that? Soon to have died, the plugin quickly just to sell it and done that, he’s checking for that? Right? So be very very conscious, a very clock is all your side right? That allows a file to upload. Because it may be vulnerable, this is where most of your major vulnerabilities come from in word press. Right?

There are a few other major providers who just weren’t checking for this, and people of the number were allowed to uploads file and overwrite the files that actually system fails of your actual word press site, right? Does that make sense? The general rule here is if you’re not using a plugin delete it, right? Don’t leave it sitting there. If you’ve got good site maintenance, if you got good attitudes on how you run your websites, make sure that you delete these plugins. Don’t let them sit there deactivated. Right? They’re still there. People can still use them. Yes? And again, if there’s a maintenance plugin, there’s not actually a plugin that you use for the users, if users aren’t actively using this on a day to day basis, delete it. If its tiny PNG, if its a file that it’s a plugin that allows you to place files website, delete it. It doesn’t need to be there.

Have a good attitude that says I’m gonna tidy a website up and I’m gonna keep it nice and clean. I’m not gonna leave stop lying around. Right? Because you’re just exposing people.

So this is lesson number 2, for your word press site. So I know all of you are using word press if you’re in digital, yes? So, get ready for the really scary one.

Never use the same password on two separate platforms !!!

I am gonna say this, I’m gonna repeatedly say this to you, right? Never use the same passwords with two different platforms, right? Never do that. See if your password in your LinkedIn is the same as your password in your Facebook, your password in your Uber, is the same as the password in your Gaming Forum that you signed up for last week, right? You’re a fucking idiot. You deserve to be hacked. I’m sorry you are. Because what people are doing, what the hacker’s doing is to create compilation files. Every time a platform gets breached, you can see some of the names are up there. Linkedin, Uber, Yahoo, Ashley Margison. Every time one of these platforms get breached, every time they extract five hundred thousand, two million users, they’re all added to massive down file.

These compilation files are circulated around in the internet and it contains huge amount of passwords and usernames. You see your passwords and usernames in there. And its the same across all of your websites, across your C panel, across your LinkedIn, across your Facebook, across your this, they’re looking for that. They can tell as soon as they see two breaches with the same login and password, there’s a target. There’s somebody that we’re going to get.  It’s a really really scary thing. Here it goes. It’s quite awkward to do this for him. We’ve seen files been circulated across, even on the darknet, this was on the darknet, no no

So the ideas is the basically risking these massive files. Fifty-five million usernames have committed to LinkedIn. There’s a massive amount of suffix circulating all across the internet. What it needs to be doing is keeping a unique password for every single system that you log into. Every single place that you log into should have a different password. What it means is that one of these platforms get breached, we all end up getting hacked, and somebody gets a password for all that system, they’re all key forums. Look at this.

There are 1.4 billion usernames and passwords in these files. Look at the amount of stuff that is on here. This data contains almost 2.7 billion records. This is every hack that’s ever happened. All compiled into one single big download. Just nice and easy for all those hackers that couldn’t get hold of, right? And so, if you’ve passwords in there, the same passwords you use across 15 different sites, will do you know what it does? Sorry, right. They can walk into really really fancy. So if you wanna test this, can you bring it back down again?

All you’re gonna do is put an email in here, pick daddies in your lap right? Jump and land on your feet. How many times has gallery been exposed? Just the occasional. There you go. Two sites. He’s been breached in. He’s been breached twice. That means they have his password from 2 different signup sites. If he’s used the same passwords on lots of different places, that means they get access to everything. Absolutely everything. And these things are fairly available. As I said, they’re not small systems. It’s LinkedIn, its Google, its Yahoo.

That doesn’t happen that often. And if you’re careful and its just one password case, somebody gets all of your Uber accounts. It’s not the end of the world.  See if its the same password you used in two different places. You’re in real trouble. So how do you protect yourself against this? What you really need is a password manager. You need a password manager that’s gonna allow you to keep different passwords on different systems. If you’re not doing get help.

I guarantee it. For all of you who ought to have, you’ll find that your password is in there. That means that your password and your login and your email details are somewhere on one of these platforms. So the real concern, and this is the number one way that people get hacked. This is the number one way that people get hacked. You take us back to the presentation site.

This is about an awkward one this one, there we go. So, there we go there, there are all the details there. But do you wanna use this with us? Nah, I’ll be honest. Go and use a password manager. We use epass as its file base and use one of the line ones, there are lots of plugins, there are lots of things that make it really easy to use it, go and make excuses.

Okay, so the good news, the good news is actually the security has been tightened up in recent times. So browsers are a lot more secure than they used to be. Chrome, Firefox actually won’t let you execute exe files, and don’t let you execute batch files. A lot of the actual infrastructures, Windows 10 and MAC` is a lot more stronger in recent times. It’s not as bad as it used to be. Ah, its dead. Nobody is using the internet explorer, please don’t for fuck’s sake use an internet explorer.

There’s the advice, if you keep your workplace sites tidy, don’t leave plugins don’t deactivate or delete them when you’re not using them. Keep them tidy anyway.

Use your unique password on different platforms. So you’re not sharing passwords, long passwords, nobody’s gonna guess it, doesn’t matter. If they manage to breach some system, they’ve got to and use it somewhere else. Run word fence or similar security plugins on your website. It starts picking this up, starts giving you some kind of fence against it. Know how to spot fishing in browsers or emails. So some of the stuff that shows earlier on the BEF, some of those kinds of slightly older looking sign-ins, some of the crappy stuff. You guys are all digital.

You are all professionals, you know how to spot this shit. Please, don’t fall for it. Do it where people post content to your site. Do it, let them have word press logins to your sites, I know its an account right and that allows him to offer a new post, and it means to write on your content and do it directly. Actually, it’s really dangerous.

All we have to do is slip a script tight in there and they’ll BEF you, right? Another much worse things about BEF is? And again, don’t try not to be very conscious of plugins that allow people to sign up the stuff. Allows anything that basically a form that they can fill in, either ends up with you doing your concern or seen up on the website is potentially vulnerable to cross-site scripts at time. There’s an old classic saying here, don’t look like grey.

If your security is tighter than everybody else, well there’s a very good chance to actually it’s a numbers game. They try to hack a lot of people lots of times they got a big list of people to do, they try you. And then these looking at the logs and the websites, and then they actually bother to recent times, you’ll see that 50 approach is every single day they’re trying your WPN admin file, they’re trying your PHP admin file, there are lots of automatic scripting attacks happening every single day.

The last thing on there I would say is very difficult to defend against anybody that’s gonna target you. It’s actually very different to defend against it because we’re specifically in something against you. Be very nice to people who use technology like us. That’s my advice.

Okay. If you want to be sure, if you want to be absolutely certain, then the good news is there is a profession for this shit. It’s called penetration testing. There are guys like there that do the stuff for a living. Their job is to use scanners and tools, and they can automatically check all your sites, run these scars across your websites and try to analyze to see if they can find any holes in your sites. If you’re really genuinely concerned about this stuff, go and hire a pen tester or get used to yourself. It’s not all bad news. But be very very conscious of the bleach compilations that are going on, that using passwords on multiple occasions is just a bad idea in the modern world. That’s the big thing that everybody’s using. That will make sense. That’s the end of my presentation. I hope you guys enjoyed this!

seo profile image

Craig Campbell

I am a Glasgow based SEO expert who has been doing SEO for 17 years.

  • social media icon
  • social media icon
  • social media icon

Online Courses