Watch a Hacker break into a WordPress Website!!! 😱
Ғылым және технология
I hired an ethical hacker to try and break into a WordPress website, and this is what happened.
👉 SolidWP (affiliate link) - stellarwp.pxf.io/c/3844775/70...
👉 FREE THEMES www.pootlepress.com/free-word...
👉 Hire Me: www.pootlepress.com/wordpress...
👉 Stay in touch with WordPress news: www.pootlepress.com/sign-up-t...
👉 Pro WordPress Tutorials : clubpootle.com/
👉 Sponsor my KZread channel www.pootlepress.com/youtube-v...
Video summary
In this video, I shared how to prevent your WordPress website from being hacked using SolidWP. Here's a summary of the key points covered:
- Introduction:
- Discussed the collaboration with SolidWP, focusing on security, backups, and management.
- Highlighted that the video is sponsored but aimed to be informative by hiring an ethical hacker.
- Top Three Reasons WordPress Websites Get Hacked:
- **Weak Passwords**: Emphasized the importance of using strong passwords and avoiding common ones like "admin" or "password."
- **Outdated WordPress Core, Plugins, and Themes**: Stressed the need to keep everything updated to patch vulnerabilities.
- **Lack of Security Plugins**: Recommended using security plugins for additional protection.
- Demonstration by Ethical Hacker Ryan Dewhurst
- Ryan attempted to hack into a WordPress website without SolidWP protection using WP Scan.
- He identified vulnerabilities in outdated plugins and demonstrated how easy it is to exploit weak passwords.
- Ryan then tried to hack a site with SolidWP protection and failed due to enhanced security measures.
- SolidWP Security Features*
- Two-Factor Authentication (2FA): Adds an extra layer of security by requiring a token in addition to the password.
- Disabling the WordPress API: Prevents certain types of attacks.
- CAPTCHA: Prevents brute force attacks by requiring a CAPTCHA after a few failed login attempts.
- Blocking XML-RPC Interface: Prevents attacks through this API.
- Benefits of Using Security Plugins:
- Prevents password brute forcing.
- Implements firewalls to block malicious attacks.
- Adds overall hardening to WordPress security.
- Why do people hack websites:
- Crypto Mining: Hackers install miners to use server resources for cryptocurrency.
- Competitor Sabotage: Less common, but involves hacking competitors.
- Fame: Hackers gain recognition within their communities for notable hacks.
Пікірлер: 42
Who in their right mind uses 3 letters for a password? BOB. LOL!. I've got a password breaker and it takes over 24 hours to scan properly, and it still couldn't get my password.
@jamiewp
Ай бұрын
😬 You'd be amazed - i chatted to Ryan for over an hour and some of the stories 🙃
@naho534
Ай бұрын
can you pass me your password cracker?
@1GiPhoner
7 күн бұрын
His method is not using a password breaker. Its cross checking with a list of other know weak passwords. Totally different concepts.
There are various steps that can be taken with .htaccess as well. You can even protect the .htaccess file itself.
@jamiewp
Ай бұрын
Great points 👍
@murasakistudio
Ай бұрын
@@jamiewp There is a WP expert I know from Belgium called Brecht Ryckaert. He works with one of the big web hosting providers in a senior role and has written a lot about WP security. He even runs a website that helps to recover hacked WP sites I believe. He wrote an eBook for Blocs on .htaccess, which I purchased and picked up some good tips from him regarding website security. There is a section in the book dedicated to WP and he wrote another book focussed entirely on WP security. It's an important topic and a few small steps can sometimes save a lot of stress.
@ShellCode-oo2cu
Ай бұрын
The .htaccess file is protected by the web server by default. The default configuration of the Apache web server is Require all denied This protects access to all files with a dot (hide) in front from external access.
This is a well put together and informative video. Thank you. I'm glad you popped up in my suggestions. I have liked and subscribed.
@jamiewp
Ай бұрын
Thanks Jaden - good to have you onboard :)
Great video. But from what I hear from other WP security experts: there is more to securing a website that just using a security plugin. In short, they suggest security should be done in layers starting from the server layer down to the application layer. But yea, I get it. For beginners using a strong password and a security plugin should work 90% of the time.
@jamiewp
10 күн бұрын
Great points
Great content, Jamie. You are always bringing your A-game.
@jamiewp
Ай бұрын
Thanks Adam 🙏
Amazing video 🙌 congrats!
@jamiewp
Ай бұрын
thanks, this one was lots of fun to make and it was really great to meet Ryan :)
The WordPress automatic updates of plugins and themes are surprisingly robust. I highly recommend it. But you have to enable it. And yes, in some rare situations, an automated update might break functionality until a fix is released. But it's much easier to clean up after a broken update, than a successful hack.
@jamiewp
Ай бұрын
That's a great point 👍 Also tools like the new WordPress.com update scheduler will help wordpress.com/blog/2024/05/20/scheduled-plugin-updates/
Another great video.
@jamiewp
Ай бұрын
Cheers Stu
Welp...a little nerve wracking, but very informative, good to know info. TY, Jamie and Ryan.
@jamiewp
23 күн бұрын
Thank you 🙏
Yikes - great video and public service announcement!
@jamiewp
Ай бұрын
Yikes indeed!
I might of missed it, but might be a good video follow up about how to use that wpscan CLI to test your own or client site setups
@jamiewp
Ай бұрын
Great idea 👍
From many videos I've watched, hardening the server is the first thing one must do. Then add necessary security on WordPress.
@ManosXCount
Ай бұрын
If your Administration Password remains admin / bob -- Hardening Server will not do anything
It would be great if you could make a video on how to protect wordpress with .htaaces without plugin, with all the necessary codes. There is also code for the wp.config file. In addition, you can create a mu plugin or a custom plugin with codes such as smtp, google analytics, CPT and the like, in short, to reduce everything to code and have everything in one place without additional plugins. I would be happy to watch that video. Thank you.
@jamiewp
Ай бұрын
Interesting idea - thank you 🙏
Thanks Jamie. Just a few remarks: I gonna watch the clip again. From what I've seen the strategy is to find a password. There other methods as well, such as : (1) installing the hacker's own file for index.php/index.html in one of the landing directories. That could be countered by installing a dummy index.php and index.html in each directory (dummies wherever the files are NOT IN USE) and then making all of these files (including the functioning files) write-protected (read-only). (2) The site owner should change the username with admin rights to another name, to make it more difficult for the hacker to log in. I had been thinking about using a child theme with a name not obvious related to the parent theme. Would that be sufficient to hide the parent theme name, from hackers? Security is important for e-commerce websites or any website that displays payment information. I see people use QR-codes with payment information and that makes me think, how possible is it for the hacker to overwrite that with his own information? To check a QR-code takes quite some effort since you cannot just eye-ball them?
@ShellCode-oo2cu
Ай бұрын
If a hacker has managed to place an index.html or index.php on the web server, what should prevent him from naming the file phpshell.php? You cannot make the remaining files for Wordpress read-only, otherwise no update would work, whereby the files must be overwritten. Renaming the admin name is of no use, the user ID remains the same, it would make more sense to create a new admin account with which nothing is posted and to delete the old one, in addition you can assign a high user ID to the new admin user in the database.
He uses last pass?!
@MbonisiM
15 күн бұрын
Last pass back then was a bit vul.... I don't know.now
Hi Jamie. I'm concerned about your nice kitty getting too fat. Should I avoid liking? :)
@jamiewp
Ай бұрын
Nope, they are a bit skinny atm 😬 Please like
Nice try 'guessing' the user to hack
@jamiewp
10 күн бұрын
👍