Is WordPress vulnerable to malware or hacking?

If you own a computer, you’ve likely heard about the importance of antivirus software to prevent your computer from being hacked. You may not have heard as much about issues arising from website attacks, but the threat is just as real — and sometimes even more so because of the treasure trove of data you may have stored on your site. To learn more, here’s a look at a new malware targeting WordPress, called BabaYaga, and some strategies you can take to protect your site.

BabaYaga, the newest WordPress malware threat

Unfortunately, malware is nothing new to WordPress. Because websites can store email addresses and even credit card information, they’re a popular target for hackers. Gaining traction in June 2018, BabaYaga is the latest threat, and it specifically targets WordPress sites. WordFence recently published a lengthy analysis of BabaYaga, but here are the basics:

  • BabaYaga’s primary purpose is to generate spam content and host it on the victim’s site. These pages are loaded with keywords designed to attract search engine traffic, and they redirect to affiliate marketing services. Essentially, BabaYaga attempts to use your site and resources to drive traffic to theirs so they can earn affiliate money.
  • BabaYaga infects several different files in different ways. That way, if one infected file is discovered, another might remain active.
  • What makes BabaYaga stand out most is that it removes any other malware on a website. This might sound like a good thing, but the goal is to make it harder to detect and keep it running. If other malware on your site is detected, you’d probably install a security plugin and delete everything, including BabaYaga. If other malware causes your site to stop working, BabaYaga can no longer work, so their main focus is making sure your site runs “normally” — as far as you can tell.
  • WordFence describes their above methodology as “unusually comprehensive and effective for spam droppers.”
  • If a site is infected, an attacker has access to a file manager, shell command execution, and more. Essentially, a site infected with BabaYaga gives the attacker almost full control.

Malware vs. brute force attacks

In general, hackers use two primary methods to gain access to something — be it your computer or your website. A brute force attack is essentially the digital equivalent of kicking in your front door. The attacker repeatedly tries to guess your account login and password to gain access. That’s why it’s important to have a strong password, and on a WordPress website, use a login other than “admin” because that means an attacker has to correctly guess your username and your password.

Contrary to a brute force attack, a malware attack seeks to find a back way into your computer or website, generally by installing software that grants them access. Think of it like cutting a hole in your roof — your front door is still locked and secure, but attackers found a way around it.

Should WordPress be avoided due to security risks?

WordPress is a popular target for hacking because it is a popular platform. Well over 25% of websites on the internet use WordPress, and some studies think that number is closer to 30% or even 35%. That means hackers can design one tool and target a large percentage of websites. This doesn’t mean WordPress is innately less secure than other platforms, however.

On a WordPress site, malware generally finds its way to your site through a hacked plugin. Typically, plugins susceptible to hacking are ones their developers have abandoned. In addition to keeping your themes and plugins up to date, check to see if any plugins you use haven’t been updated in awhile.

Ultimately, chances are low of your website getting hacked if you follow basic security guidelines. Install a security plugin to help, create a secure password, and keep an eye on things and you’ll be much less likely to encounter trouble.