A recent article on the Sucuri blog reveals that hackers are attempting to gain access to WordPress sites with a phishing attack. The Sucuri article does an excellent job of explaining the technical details of that attack, so in this post, I’d like to take a look at what phishing is, how it can affect WordPress site owners, and what they can do about it.
Phishing
Phishing is a technique that hackers use to trick people into giving them information or access to secure systems. The prototypical example of a phishing attack involves an attempt to extract banking details from unsuspecting users. The attacker sends an email that looks as if it comes from a bank, asking the user to follow a link and log in. When the user clicks on the link they are presented with what appears to be the bank’s log-in page. In reality, it is a fake — this is why you should always check to make sure that when entering sensitive information, you are actually on the site you think you are. When the user enters the log-in data, the criminal sees it and can then use it to log in to the real bank site.
In the recent phishing attack against WordPress users, the targets were sent an email offering a free version of a premium plugin — taking advantage of the discounts that are everywhere on Black Friday and Cyber Monday. When users clicked on the link they were taken to a site that was probably hosted on a hacked server. If they installed the plugin, they were installing code that the hacker wanted to execute on their site. By doing this, the hacker gets users to do the job for them.
Why Use Phishing Attacks On WordPress Sites
Hackers use phishing attacks because it’s a lot easier than trying to hack servers and WordPress installations. If they can trick the user into installing their malicious software, they can just sit back and wait for the compromised sites to fall under their control.
Hackers want WordPress users to install malicious code on their sites for a variety of reasons, but the major motivation is to infect that site’s users with malware. If you install a hacker’s code onto your site, it can download more code from other servers, it can rewrite your site’s content and change what your users see, and it can send your users to other sites. All of which is very bad for your users and for your site’s reputation. Eventually, Google will spot that your site is compromised and will stop sending visitors to it, so a hacked site is both embarrassing and harmful to traffic levels and revenue.
Don’t Install Anything in WordPress From Unverified Sources
This phishing attack demonstrates a more general point. WordPress users should not install plugins or themes from unverified sources. If they do, they might as well hand hackers an open invitation to their site. Phishing is only one method that criminals use to get malicious code onto a site. They also use free themes and plugins hosted elsewhere to tempt users, which is why it’s unwise to Google for free themes and plugins — it’s much safer to get them from the WordPress Themes and WordPress Plugins pages.
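One way to put this advice into practice, as an added example that is not part of the original article or of Sucuri’s work: a small Python audit that looks up each installed plugin slug in the WordPress.org plugin directory and flags any the directory does not know, since such a plugin came from somewhere else (a zip downloaded from a link in an email, for instance). The endpoint URL, its query parameters and the JSON shape (an `error` key for unknown slugs) are assumptions about the public api.wordpress.org plugin-information API; the installed-plugin list is constructed sample input.

```python
import json
import urllib.parse
import urllib.request

# Assumed location of the WordPress.org plugin directory API (not taken from the article).
PLUGIN_INFO_URL = "https://api.wordpress.org/plugins/info/1.2/"


def parse_directory_response(body):
    """Turn the directory API's JSON body into a record, or None for an unknown slug.

    Assumption: the API answers an unknown slug with {"error": "..."} instead of a record.
    """
    data = json.loads(body)
    if not isinstance(data, dict) or "error" in data:
        return None
    return data


def fetch_directory_entry(slug, opener=urllib.request.urlopen):
    """Query the directory for one plugin slug (network call; opener is injectable for tests)."""
    params = urllib.parse.urlencode({"action": "plugin_information", "request[slug]": slug})
    with opener(PLUGIN_INFO_URL + "?" + params, timeout=10) as resp:
        return parse_directory_response(resp.read())


def audit_plugins(installed, lookup=fetch_directory_entry):
    """Classify installed plugins ({slug: version}) against the official directory.

    Returns {"unknown": [...], "outdated": [...], "current": [...]}. An "unknown" slug
    was not installed from WordPress.org and deserves a closer look; an "outdated"
    one lags the directory version and should be updated through the normal channel.
    """
    report = {"unknown": [], "outdated": [], "current": []}
    for slug, version in sorted(installed.items()):
        entry = lookup(slug)
        if entry is None:
            report["unknown"].append(slug)
        elif entry.get("version") != version:
            report["outdated"].append(slug)
        else:
            report["current"].append(slug)
    return report


if __name__ == "__main__":
    # Constructed sample: replace with the output of `wp plugin list` or the admin screen.
    sample = {"akismet": "5.3", "hello-dolly": "1.7.2", "premium-plugin-free": "2.0"}
    print(json.dumps(audit_plugins(sample), indent=2))
```

Run it against the real directory only from a machine that can reach api.wordpress.org; the `lookup` argument lets you feed it cached responses instead.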