WordPress software is an excellent product for creating websites, but it has 2 major security flaws: Password Cracking and Plug-in/Theme vulnerability. Hackers have taken advantage of these vulnerabilities to access WordPress systems and install malicious programming code so up to 13 search engines, including Google, take your customers to a Financial Loan Application website !!
Even more bothersome, if you accept credit cards with your website, the hackers may have seen your private credit card and PayPal authorization codes, called ‘API Credentials’, to run transactions !!
This means that people searching for cheap, easy financial loans at 13 search engines including Google are being falsely presented with your site as a place to get them !! That is bad for many reasons.
The hacker has gotten into your WordPress system and installed (1) Malicious Programming Code, (2) Fake Plugin Files and/or (3) Malicious MySQL Database entries that tell search engines that it’s OK to show your “www.yoursite.com” instead of their own. This all HAS TO BE REMOVED !!
NOTE: If you type in the bogus link in a browser (Explorer, Chrome, Firefox, etc.), the page WILL NOT BE FOUND; it only comes up through search engines. Entering the link doesn’t bring up the web page because IT DOES NOT EXIST. Hackers have tricked (spoofed) search engines into showing your website name instead of their own.
WordPress is an excellent product for creating websites. But it has 2 major security flaws: Password Cracking and Plug-in/Theme vulnerability. Hackers have taken advantage of vulnerabilities to access your WordPress system and install malicious programming code to take your customers to a financial loan application website.
1) Password Cracking
Hackers do what’s called ‘Brute Force’ password cracking with software that takes a list of thousands of common passwords and tries logging into your WordPress system with them. And at a rate of several hundred passwords per minute !! Unfortunately, WordPress doesn’t stop anyone from trying to log in thousands of times per hour.
Then they can be in your WordPress system as an administrator and cause severe damage. They usually add themselves as a new user with their own username/password so they can log into your site any time.
Now if you do have a long, unusual password, the WordPress site can still be hacked using sequential numbers/letters/symbols. It may take days, trying billions of probable password combinations, but they can get in.
We just discussed the password. As for the other half of logging in, the ‘username’, most WordPress users use the default username ‘admin,’ which hackers count on. Does that include you ?
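The guessing rate described above (hundreds of login attempts per minute from one source) stands out in a web server access log. The following is an added example, not part of the original page: it counts POSTs to `wp-login.php` per client address in a sliding one-minute window. The combined log format, the threshold of 20 and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format: ip - - [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def login_bursts(lines, max_posts=20, window=timedelta(minutes=1)):
    """Return {ip: peak number of POSTs to wp-login.php within one window}
    for every client whose peak exceeds max_posts (threshold is an assumption)."""
    posts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        posts[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))

    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_posts:
            flagged[ip] = peak
    return flagged


def sample_log():
    """Constructed log lines: a guessing run from one address plus a normal login."""
    base = datetime.strptime("12/Jan/2015:03:10:00 +0000", TS_FMT)
    lines = []
    for i in range(120):  # 120 POSTs spread over 60 seconds
        ts = (base + timedelta(seconds=i // 2)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3012')
    lines.append('198.51.100.4 - - [12/Jan/2015:03:10:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2890')
    lines.append('198.51.100.4 - - [12/Jan/2015:03:10:21 +0000] "POST /wp-login.php HTTP/1.1" 302 0')
    return lines


if __name__ == "__main__":
    for ip, peak in login_bursts(sample_log()).items():
        print(f"{ip}: {peak} login POSTs within one minute")
```

Addresses it reports are candidates for blocking or rate limiting at the web server or firewall.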
2) Plug-in/Theme vulnerability
Plugins are add-ons to WordPress that allow it to do many, many things. Themes provide front end styling of your WordPress site and define: the overall design and style, font styling, colors, widget locations, page layouts (or templates), styles for blog posts and blog archives, and additional stylistic details.
Before going on, let me tell you about something called a ‘backdoor’: This is a way of bypassing the normal WordPress login screen and entering your WordPress system with malicious intent. It’s like entering the backdoor of a house undetected.
There are thousands of Plug-ins and Themes available and many are free. But do you know who wrote them ? It may have been an amateur who unknowingly left backdoor access to your WordPress system. Or it may have been written by a malicious professional who gives you a great product; but also gave you a backdoor for hackers to get into WordPress.
This can hurt your business in several ways:
If you accept credit cards with your website, the hackers may have seen your private credit card authorization codes, called ‘API Credentials’. These should all be changed asap !!
Credit card merchant accounts like ‘Authorize.net’ have an ‘API Transaction Key’.
PayPal has ‘API Signature’, ‘API Username’ and ‘API Password’.
UPS Shipping has ‘UPS Access Key’, ‘UPS Password’, ‘UPS User ID’ and ‘UPS Account #’.
Your WordPress system may have other API codes to change.
Your company’s credibility can be damaged if associated with illicit activity. And because a Website owner cannot readily see when they have been hacked, the online reputation of a legitimate company or individual can be seriously damaged before the bogus code can be removed.
Search engine ranking and optimization (SEO) is very important for everyone’s website. This hacking messes with your SEO, and your site’s traffic drops dramatically. If associated with illicit activity, Google can:
Level 1: Drop your search engine ranking.
Level 2: Remove your sites from search result lists.
Level 3: Penalize your site by ‘Blacklisting’ it and tagging it in search results as “This website may be compromised.”
You may start getting calls from loan applicants asking, “Where’s my loan money ?” You’ll reply, “What in the world are you talking about ?” The person calling thinks you’re behind the situation because they believe they applied for a loan at your website; but they were actually at the hacker’s.
If someone applied for a loan and, say, the next week their identity was stolen, you could be accused of being behind it.
This can be fixed by the best malware company around, Sucuri, Inc. They’ve been in business for 6 years and offer website malware removal, scanning, monitoring and more. They handle all types of hacks, infections, website defacements, blacklisting and backdoors and will completely fix and clean your site – period. And no tacked-on, additional fees. One reasonable price for Unlimited Cleanups for a year. Then monitor it to let you know if a problem ever happens.
Sucuri is the leading provider of web-based integrity monitoring, malware detection, and malware removal solutions – delivered as a service. Sucuri’s web monitoring solution is used today by more than 50,000 sites worldwide. They work 24/7/365 to keep websites clean and malware free. And they keep up-to-date of all WordPress vulnerabilities.
If you’d like, you can communicate with Sucuri right now by any method:
Email: info@sucuri.net
Phone: 888-873-0817
Live chat online. Click here and go to their site – Then look for the chat window in the lower right corner of screen.
2013 = 190,000
2012 = 170,000
2011 = 144,000
2010 = 98,000
2009 = 81,000
Now, you think, just tell search engines to delete the links !? Well, that’s fine, but the hacked programming code/files/database entries within your WordPress system will just bring them back !!
There are 3 types of website links:
#1. Internal Link = Links on your website that link to other pages of your own website.
#2. Outgoing Link = Links on your website that go out to other websites.
#3. Incoming Link (or Backlink) = Links from other websites to yours.
With the loan hack, your customers think this is simply #1 above, an Internal Link. They’re being tricked: it LOOKS LIKE an internal link on your website, but isn’t.
You may think it’s #2 above, an Outgoing Link, but it isn’t: There is no link from your website out to the hackers. People are completely at the hacker’s website but the browser at the top is displaying your ‘www.yoursite.com’ address.
Sucuri knows exactly what to do and will fix it for you fast !! Click here to go to Sucuri now and get this taken care of right !!
Option | Result |
---|---|
Fix this yourself. | It’ll take time to research the problem, find a solution and make the repairs. But can you be sure you fixed it correctly ? |
Have people who handle your website fix it. | Firstly, I’d be angry that they let you get in this situation in the first place. And now you’re to pay them to fix it !?! It’ll cost hundreds of dollars for a programmer’s time to research the problem, find a solution and make the repairs. And then you can’t be sure they fixed it correctly. |
Delete the website and recreate it. | It’ll take a lot of time to recreate the website again. Unless you do it yourself, it’ll cost some serious money. |
Have a specialist, Sucuri, fix it. | WordPress Specialists repair your site fast and for a fair price. It’s the most effective way. Click here to go to Sucuri now and get this taken care of !! |
In general, hackers can use websites to send spam email, crash servers, make money, plant further viruses and so much more.
With this particular ‘Loan Hack’, normal traffic to your website is maliciously redirected to the hacker’s loan site. This will typically be a legitimate or illegitimate site. There are 3 scenarios as to the popularity of this scheme:
1) The legitimate loan site may offer an affiliate program. The hacker sends business there, generates legitimate sales for them and then earns a commission; at your expense.
2) The loan site may be illegitimate and cause victims to pay hackers a fee for a loan application but never receive a loan. The hacker pockets the application fee.
3) Lastly, the loan site may be illegitimate and cause victims to give hackers personal information like SS # when applying for a loan. Then the hackers steal their identity; or sell the information on the black market.
BTW, Hackers have wisely chosen to ‘disturb the water as little as possible’ while going about their dirty business. The majority of hackers do not want you to know that they have tampered with your website, as the first thing a website owner will do when they know that their website has been compromised is to fix it. No visible damage is actually done to your site, as everything looks normal to your visitors and to yourself.
Trivia:
You may wonder why they went after a small or medium sized website like yours. Well, hackers don’t go after huge corporations with elaborate security measures in place. They thrive off of smaller website owners who think they’re not the target. After all, smaller sites are easier to attack.
Hackers are difficult to stop and bring to justice because, many times, they’re in countries outside the USA and, thus, out of our jurisdiction.
With this particular ‘Loan Hack’, I believe scenario #1 above is being used here. The hackers want to send as many people as possible to a legitimate loans website so people will apply for a loan. This loans website has an affiliate program so when the site gets a sale, the hacker earns a commission; at your expense.
If they created a website of their own, it would take years to acquire a good Google ranking, if at all. So they ‘latch onto’ honest websites by hacking them and putting malicious programming code in which redirects ‘normal’ traffic landing on the hacked site off to the loans payoff site.
All of the loan sites they are promoting appear higher in Google results than they otherwise would. The Google search engine ranks the list of hits for a given website according to (among other factors) the number of external sites that link to it. By inserting the bogus code into an unsuspecting victim’s site, the hack in effect links that site to the victim’s site. If done on a large enough scale, this tactic can result in the hacker’s site showing up near the tops of various hit lists resulting from keyword-based searches. All of the hacked websites link to each other, creating an interlinking and inter-promotion of hacked sites which promotes the whole illicit network.
And all of this happens at search engines, unbeknownst to the honest website owner. Only Google’s search engine crawler (and also others like Yahoo, Bing, WebCrawler, HotBot, Blingo, Blekko, Dogpile, Ixquick, Qwant, Info, DuckDuckGo, Yandex.ru) receives the changed content.
Side note: The hacker’s programming code is set up to not just latch onto Some of your website, but mainly the Most Popular Pages of your website. They go after the cream of the crop !
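Because only search engine crawlers receive the changed content, one way to spot the hack on your own site is to request the same page twice, once as a normal browser and once presenting a crawler User-Agent, and compare the links. The following is an added example, not part of the original page. It assumes the injected code keys on the User-Agent header (code that checks the crawler's IP address instead will not be caught this way); the host names and sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
from urllib.request import Request, urlopen

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class _LinkCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.links = base_url, set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.add(urljoin(self.base_url, href))


def extract_links(html, base_url):
    collector = _LinkCollector(base_url)
    collector.feed(html)
    return collector.links


def crawler_only_links(browser_html, crawler_html, base_url):
    """Split links that only the crawler view contains into on-site and off-site."""
    extra = extract_links(crawler_html, base_url) - extract_links(browser_html, base_url)
    site = urlparse(base_url).hostname
    result = {"internal": [], "external": []}
    for link in sorted(extra):
        kind = "internal" if urlparse(link).hostname == site else "external"
        result[kind].append(link)
    return result


def fetch_as(url, user_agent, timeout=10):
    """Fetch a page while presenting the given User-Agent header."""
    request = Request(url, headers={"User-Agent": user_agent})
    with urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8", "replace")


def check_site(url):
    """Live check of your own site: compare the browser view with the crawler view."""
    return crawler_only_links(fetch_as(url, BROWSER_UA), fetch_as(url, CRAWLER_UA), url)


# Constructed sample pages standing in for the two responses (no network needed).
BROWSER_VIEW = '<a href="/">Home</a> <a href="/products/">Products</a>'
CRAWLER_VIEW = BROWSER_VIEW + (
    ' <a href="/cheap-easy-loans/">Cheap easy loans</a>'
    ' <a href="http://another-hacked-site.example/easy-loans/">Loans</a>'
)
```

Any link that shows up only in the crawler view, such as the two constructed loan links here, is worth investigating; pages with rotating content can produce harmless differences.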
Hackers do what’s called ‘Brute Force’ password cracking with software that takes a list of thousands of common passwords and tries logging into your WordPress system with them. And at a rate of several hundred passwords per minute !!
If that fails, they try sequential numbers/letters/symbols. It takes hours or days to try billions of probable password combinations. If it gets a click, the program gets access to your administrator account.
Trivia:
Most WordPress users use the default username ‘admin’, so a hacker already knows half of the information needed to log in ! Hackers can easily confirm that ‘admin’ is a valid username: At your WordPress login screen, they enter the username ‘admin’ and just anything for the password. A message then comes up saying ‘The password you entered for the username admin is incorrect.’ Well, now the hacker has confirmed the username ‘admin’ is a valid one !! Then they can move on to cracking the password.
2.2 % of passwords used are made up from the top 25 list.
Using a very fast computer, it’s possible to crack every Windows alphanumeric password under 8 characters in less than 6 hours.
And cracking every alphanumeric password under 6 characters would take less than 5 hours.
Keep WordPress, Plug-ins and Themes updated so you’re using the latest, secure versions of them. Trivia: 83 % of hacked WordPress sites are using old versions of software.
Disable plug-ins you aren’t using; better yet, delete them. Especially delete the “Akismet” plug-in if it’s not being used. It comes with WordPress and can allow a backdoor for hackers.
Only get Plug-ins and Themes from trusted sources.
After your site is hack-free, I recommend 2 fantastic security plug-ins; and they’re free, too !!: ‘Sucuri Security’ and ‘Wordfence’. Combined, they have a tremendous # of features to keep your site secure. One big one: To prevent future ‘Brute Force’ password cracking, ‘Wordfence’ can limit the # of WordPress login attempts ! 🙂
Periodically check your WordPress Users to see if there’s one that you don’t recognize. If there is one, delete it asap !!
Don’t ever use the default ‘admin’ username.
Use an online password generator, if possible, to generate great passwords for all users.
If you don’t use WordPress as a blog, disable comments (this is one of the most common attack vectors). If you really want them, look into using ‘Intense Debate’ or ‘Disqus’ software.
Look at the permissions for each user; everyone does not need to have administrator rights.
If you have a second WordPress system installed for Development use, have that development directory password protected. You’re the only one in the world who needs access to it. (This is usually done with your Internet Provider)
This is technical, but the ‘wp-config.php’ file holds important information and can be protected more by moving it up one directory to the calling/root directory. WordPress will find it in that more secure location alright. Also, consider changing the permission of that file from 644 to 400 so only the owner can read it.
This is technical, but the ‘wp-config.php’ file should have long, encrypted security ‘keys’ and ‘salts’ in it. These make your site harder to hack and access harder to crack by adding random elements to the password. An online key generator can be used to create excellent ones which are long, random and complicated. You can change these at any point in time to invalidate all existing cookies; although it means that all users will have to log in again.
This is technical, but set your file and directory permissions properly per WordPress recommendations.
At Google, create an account with ‘Google Webmaster tools’. This is a free service offered by Google that helps you monitor and maintain your site’s presence in Google Search results. You don’t have to sign up for ‘Webmaster Tools’ for your site to be included in Google’s search results, but doing so can help you understand how Google views your site, keep it healthy and optimize its performance in search results.
There is also a clear pattern in the passwords being guessed. This is natural as people have a very bad habit of choosing very weak passwords. Unfortunately, the things that are easy for us to remember are also quite easy to guess. The following passwords come out on top as the most frequently guessed ones:
admin | sysadmin | manager | adm | user | qwerty |
root | aaa | support | administrator | test | admin123 |
123456 | 123123 | baseball | password | 1234 | 1234567 |
12345 | welcome | pass | abc123 | golf | 1111 |
monkey | iloveyou | dragon | demo | admin123 | soccer |
q1w2e3 | password1 | password | pass | admin12 | admin1 |
987654321 | 123456 | 111111 | 000000 | passwd | user |
user1 | trigger | test123 | test | system | master |
sunshine | michelle | iloveu | friend | adminadmin | 666666 |
654321 | 555555 | 444444 | 333333 | 222222 | 1234567890 |
123456789 | 12345678 | 123 | 1234 | wordpress1 | winner |
webmaster1 | webmaster | user1234567890 | testtest | sex | service |
server | rootroot | root123 | p@ssword | private | home123 |
123321 | 123qwe | 112233 | 12345qwe | 777777 | 123 |
jesus | 696969 | batman | letmein | 999999 | 000000 |
baseball | ashley | football | ninja | mustang | 121212 |
About the Author: Firstly, I hope this web page has given you information and assisted you in some way. My name is Mark Allbaugh and I own the domain ‘www.alltrackusa.com’. I converted the site to WordPress in 2013/14 and found in January of 2015 that it had been hacked. I had discovered on a search in Google (and 12 other search engines) that there were hundreds of links supposedly at my site to obtain cheap, easy-to-get ‘Financial Loans’. I was shocked !! Then when I typed the loan links into a browser manually, they were Not Found !? Being a computer programmer since 1982, I had to know what in the world was going on. So I spent weeks researching and reading all about WordPress vulnerabilities (This loan hack, by the way, is technically called a ‘Pharma’ Hack). In that research, I discovered that there were thousands of other victims, most not even knowing they had been hacked. So now I’m a customer of Sucuri, Inc. and, as an affiliate, am working to get these victims’ sites cleaned up.
This benefits all involved (except, of course, the hacker):
Victim: Their website is cleaned up professionally and ‘hardened’ (made more secure)
Me: Earn an affiliate profit
Sucuri: Gets another customer to protect
Hacker: One less victim/website sending people to the loan website
Even if victims don’t use Sucuri’s services, I’m pleased to inform them of the situation so they can get it rectified asap by whatever means possible. 🙂
Thank you – Mark Allbaugh
I can be contacted at: fix-loan-hack@alltrackusa.com