Watch a Hacker break into a WordPress Website!!! 😱

No video

Watch a Hacker break into a WordPress Website!!! 😱

Рет қаралды 6,224

3 ай бұрын

I hired an ethical hacker to try and break into a WordPress website, and this is what happened.
👉 SolidWP (affiliate link) - stellarwp.pxf....
👉 FREE THEMES www.pootlepres...
👉 Hire Me: www.pootlepres...
👉 Stay in touch with WordPress news: www.pootlepres...
👉 Pro WordPress Tutorials : clubpootle.com/
👉 Sponsor my KZfaq channel www.pootlepres...
Video summary
In this video, I shared how to prevent your WordPress website from being hacked using SolidWP. Here's a summary of the key points covered:
- Introduction:
- Discussed the collaboration with SolidWP, focusing on security, backups, and management.
- Highlighted that the video is sponsored but aimed to be informative by hiring an ethical hacker.
- Top Three Reasons WordPress Websites Get Hacked:
- **Weak Passwords**: Emphasized the importance of using strong passwords and avoiding common ones like "admin" or "password."
- **Outdated WordPress Core, Plugins, and Themes**: Stressed the need to keep everything updated to patch vulnerabilities.
- **Lack of Security Plugins**: Recommended using security plugins for additional protection.
- Demonstration by Ethical Hacker Ryan Dewhurst
- Ryan attempted to hack into a WordPress website without SolidWP protection using WP Scan.
- He identified vulnerabilities in outdated plugins and demonstrated how easy it is to exploit weak passwords.
- Ryan then tried to hack a site with SolidWP protection and failed due to enhanced security measures.
- SolidWP Security Features*
- Two-Factor Authentication (2FA): Adds an extra layer of security by requiring a token in addition to the password.
- Disabling the WordPress API: Prevents certain types of attacks.
- CAPTCHA: Prevents brute force attacks by requiring a CAPTCHA after a few failed login attempts.
- Blocking XML-RPC Interface: Prevents attacks through this API.
- Benefits of Using Security Plugins:
- Prevents password brute forcing.
- Implements firewalls to block malicious attacks.
- Adds overall hardening to WordPress security.
- Why do people hack websites:
- Crypto Mining: Hackers install miners to use server resources for cryptocurrency.
- Competitor Sabotage: Less common, but involves hacking competitors.
- Fame: Hackers gain recognition within their communities for notable hacks.

Пікірлер: 46

@aronuchukwuezugo615 Ай бұрын

Great video. But from what I hear from other WP security experts: there is more to securing a website than just using a security plugin. In short, they suggest security should be done in layers starting from the server layer down to the application layer. But yea, I get it. For beginners using a strong password and a security plugin should work 90% of the time.

@jamiewp Ай бұрын

Great points

@murasakistudio 2 ай бұрын

There are various steps that can be taken with .htaccess as well. You can even protect the .htaccess file itself.

@jamiewp 2 ай бұрын

Great points 👍

@murasakistudio 2 ай бұрын

@@jamiewp There is a WP expert I know from Belgium called Brecht Ryckaert. He works with one of the big web hosting providers in a senior role and has written a lot about WP security. He even runs a website that helps to recover hacked WP sites I believe. He wrote an eBook for Blocs on .htaccess, which I purchased and picked up some good tips from him regarding website security. There is a section in the book dedicated to WP and he wrote another book focussed entirely on WP security. It's an important topic and a few small steps can sometimes save a lot of stress.

@ShellCode-oo2cu 2 ай бұрын

The .htaccess file is protected by the web server by default. The default configuration of the Apache web server is Require all denied This protects access to all files with a dot (hide) in front from external access.

@polysteamgaming Ай бұрын

Also keep your wplogin server sided.

@Sonya_Makepeace 2 ай бұрын

Who in their right mind uses 3 letters for a password? BOB. LOL!. I've got a password breaker and it takes over 24 hours to scan properly, and it still couldn't get my password.

@jamiewp 2 ай бұрын

😬 You'd be amazed - i chatted to Ryan for over an hour and some of the stories 🙃

@naho534 2 ай бұрын

can you pass me your password cracker?

@1GiPhoner Ай бұрын

His method is not using a password breaker. Its cross checking with a list of other know weak passwords. Totally different concepts.

@polysteamgaming Ай бұрын

It generally takes about 3-6 hours to a day with hash cat using 4x 1060 GPU cards. This is 8 characters including special characters adding a 9th makes it take 100 times longer. Then the 10th is another 100x more than that. Bascially if you have an 8 character pass word add one of these $%^ and it will now take 100 times longer which is far too long to bother.

@BjarneOldrup 2 ай бұрын

The WordPress automatic updates of plugins and themes are surprisingly robust. I highly recommend it. But you have to enable it. And yes, in some rare situations, an automated update might break functionality until a fix is released. But it's much easier to clean up after a broken update, than a successful hack.

@jamiewp 2 ай бұрын

That's a great point 👍 Also tools like the new WordPress.com update scheduler will help wordpress.com/blog/2024/05/20/scheduled-plugin-updates/

@jadens9569 2 ай бұрын

This is a well put together and informative video. Thank you. I'm glad you popped up in my suggestions. I have liked and subscribed.

@jamiewp 2 ай бұрын

Thanks Jaden - good to have you onboard :)

@AdamWeeks610 2 ай бұрын

Great content, Jamie. You are always bringing your A-game.

@jamiewp 2 ай бұрын

Thanks Adam 🙏

@polysteamgaming Ай бұрын

Plugins are the most comromised I would say. Because of old plugins they can overwrite your SQL database. Basically the do this to deal shaddy ads to your visitors.

@aleksandarjevtimijevic 2 ай бұрын

It would be great if you could make a video on how to protect wordpress with .htaaces without plugin, with all the necessary codes. There is also code for the wp.config file. In addition, you can create a mu plugin or a custom plugin with codes such as smtp, google analytics, CPT and the like, in short, to reduce everything to code and have everything in one place without additional plugins. I would be happy to watch that video. Thank you.

@jamiewp 2 ай бұрын

Interesting idea - thank you 🙏

@arkofimagination 2 ай бұрын

From many videos I've watched, hardening the server is the first thing one must do. Then add necessary security on WordPress.

@ManosXCount 2 ай бұрын

If your Administration Password remains admin / bob -- Hardening Server will not do anything

@mikestottuk 2 ай бұрын

I might of missed it, but might be a good video follow up about how to use that wpscan CLI to test your own or client site setups

@jamiewp 2 ай бұрын

Great idea 👍

@jdccool 2 ай бұрын

Welp...a little nerve wracking, but very informative, good to know info. TY, Jamie and Ryan.

@jamiewp 2 ай бұрын

Thank you 🙏

@paulroos8517 2 ай бұрын

Thanks Jamie. Just a few remarks: I gonna watch the clip again. From what I've seen the strategy is to find a password. There other methods as well, such as : (1) installing the hacker's own file for index.php/index.html in one of the landing directories. That could be countered by installing a dummy index.php and index.html in each directory (dummies wherever the files are NOT IN USE) and then making all of these files (including the functioning files) write-protected (read-only). (2) The site owner should change the username with admin rights to another name, to make it more difficult for the hacker to log in. I had been thinking about using a child theme with a name not obvious related to the parent theme. Would that be sufficient to hide the parent theme name, from hackers? Security is important for e-commerce websites or any website that displays payment information. I see people use QR-codes with payment information and that makes me think, how possible is it for the hacker to overwrite that with his own information? To check a QR-code takes quite some effort since you cannot just eye-ball them?

@ShellCode-oo2cu 2 ай бұрын

If a hacker has managed to place an index.html or index.php on the web server, what should prevent him from naming the file phpshell.php? You cannot make the remaining files for Wordpress read-only, otherwise no update would work, whereby the files must be overwritten. Renaming the admin name is of no use, the user ID remains the same, it would make more sense to create a new admin account with which nothing is posted and to delete the old one, in addition you can assign a high user ID to the new admin user in the database.