How Cryptocurrency May Be Driving a New Wave of Attacks on WordPress Websites

Posted on January 19, 2018 by in General News | 11 comments

Let me start this off by saying that yes, WordPress is an incredibly secure platform. Simply by the nature of being open-source and having so many eyes on the code, vulnerabilities are fixed pretty quickly. The same goes for plugins and themes that may go awry.

That said, the surge in popularity–and monetary value–of various cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH), and Monero (XMR) is bringing hackers and undesirables of all kinds out of the woodwork to try and get their grubby little hands all over your bits and bytes.

Generally speaking, you’re pretty good if you’re using WordFence, Sucuri, iThemes, or another trusted security plugin. These folks monitor everything people like you and me can’t even imagine, and they protect your site. However, one of the newest threats that’s arisen is for cryptocurrency miners to be maliciously installed on your WordPress sites to hijack your users’ computers.

Don’t fret, though. Let’s break this down and understand what’s going on and why.

Crypto What? And Why Should I Crypto-Care?

Forbes has a fantastic podcast rundown of what cryptocurrency is, and they explain it and blockchain to all us average people.

The short version is that it’s a very secure and tracked data system that can be used like money because of its built-in scarcity, top-end limits, and asset verification. Or, in other words, it’s money that you can’t counterfeit and will never, ever, ever exceed a set amount in the world (and we can prove it).

There are tons of different kinds of cryptocurrencies out there (there’s even a dogecoin), and as they’re adopted by more and more people, the value goes up (limited resources, after all).

And anytime something has value, bad people want to exploit that for their own gain. Hence, why you should care.

Where WordPress Comes In

You don’t earn cryptocurrency. You mine it. Without going into a ridiculous amount of detail, mining is using your computer to solve ridiculously complex math problems. Sometimes you get lucky and solve the problem. The answer is represented by a “coin” of whatever currency you’re digging for. Clear as mud, right?

Because of the processing power needed to get the coins, GPUs (graphics processors) are the most common hardware used to mine. But the currency Monero was designed from the ground up, according to WordFence, to be perfect for CPUs to mine. Everyone has a pretty good CPU these days–not so with GPUs.

In December 2017, WordFence noticed a huge uptick in attacks on WordPress sites. At first they didn’t know what was going on. Then…Monero happened.

Suddenly the reason for the frenzied brute-force attacks becomes very clear. At the beginning of this month, the price of Monero had barely broken $200. But its value has since skyrocketed, reaching $378 the day before the attacks started. Monero is designed so that it can be mined by regular CPUs, but that’s still not easy. Even for a hacker using compromised servers, the return on mining wasn’t that great – until recently.

But Why WordPress?

Like WordFence says in a post on the brute force attacks themselves,

Historically, brute force attacks targeting WordPress have not been very successful. This new database provides fresh credentials that, when matched with a WordPress username, may provide a higher success rate for attackers targeting sites that do not have any protection.

In other words, with the awe-inspiring rate at which new WP sites are created, the likelihood of them both being left unsecured (i.e. no WordFence, iThemes, or Sucuri) and having easily cracked login information is ridiculously high. I mean, every single one of us has used something like Softaculous to put up a dummy site with throwaway logins and subsequently forgotten it was there.

Related sidebar: Stop. Using. These. Passwords.

The cryptocurrency hackers are taking advantage of folks like us and using those WP installs to backdoor their way into shared hosting servers, multisite networks, and all the connected, legit installations. They then put their own illicit JavaScript-based miners onto those sites and hijack visitors’ computers and CPUs to mine, generally, Monero because it is built to be as untraceable as possible.

Like I said before, WordPress itself is a very secure platform (thanks in no small part to folks like WordFence and Sucuri who did all this research to help us), but it takes a little bit of action on our parts to make use of their hard work.

Where Do We Go From Here?

Well, the first thing is to change all your passwords and all your clients’ passwords. (I know, right?) That’s a pretty normal step, but it’s a pain.

Secondly, you’re going to want to make sure you have a good firewall and security plugin installed. Check out our own takes on WordFence and Sucuri to see some of what they offer.

Finally, you’re going to want to do a complete security audit of your website to make sure that if you have been compromised in some way, you can clean it all up.
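One check that belongs in that audit, shown here as an added example (it is not code from this article, WordFence, or Sucuri): walk the site's PHP and HTML files and report every script tag that names a known in-browser miner. The `MINER_NAMES` list, the function names, and the `miner.example` host are assumptions made for illustration; the sample theme files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: miner names to look for. "coinhive" is the service named in the
# article; extend this tuple from your security vendor's current list.
MINER_NAMES = ("coinhive",)
SCAN_SUFFIXES = {".php", ".html", ".htm"}
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def scan_text(text):
    """Return (line, kind, evidence) for each script tag that names a miner."""
    hits = []
    for m in SCRIPT_TAG.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        src = SRC_ATTR.search(m.group(1))
        if src and any(n in src.group(1).lower() for n in MINER_NAMES):
            hits.append((line, "external", src.group(1)))
        elif any(n in m.group(2).lower() for n in MINER_NAMES):
            hits.append((line, "inline", m.group(2).strip()[:60]))
    return hits


def scan_tree(root):
    """Walk a WordPress install and map relative path -> list of hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


def demo():
    """Build a constructed two-file theme in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp, "wp-content", "themes", "example")
        theme.mkdir(parents=True)
        # Constructed samples: miner.example is a placeholder host.
        (theme / "footer.php").write_text(
            "<?php wp_footer(); ?>\n"
            '<script src="https://miner.example/lib/coinhive.min.js"></script>\n'
        )
        (theme / "header.php").write_text("<script>var menu = 1;</script>\n")
        return scan_tree(tmp)


if __name__ == "__main__":
    print(demo())
```

A hit is a lead, not a verdict: a site that knowingly runs a miner will match too, and an obfuscated injection will not, so treat this as one pass alongside your security plugin's scanner.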

These Kinds of Hacks are Not Going Anywhere

You should be aware, though, that with the popularity of cryptocurrencies, these kinds of hacks and compromises aren’t going anywhere. They’re here to stay, and we’re going to have to be vigilant.

Because of our involvement in as large of an online platform as WordPress is, we can’t deny that there’s a higher risk of being targeted. That’s just numbers. However, that risk is mitigated, like I said before, because of the outstanding community that we’re a part of.

Keep in mind that you should feel safe because you’re on WordPress, not threatened.

Riding the Crypto Wave

All that said, you should now be more aware of the place cryptocurrency (and the various cultures surrounding it) is establishing for itself. At this point, we have to accept it, whether we want to or not.

If you’re using the Coinhive method of advertising that Sucuri mentioned in their article (linked above and here), be aware of the risks. And if you didn’t know about Coinhive, make sure you check it out, too. It can be a legit way to earn–you just have to be careful.

And if you’re involved in any way with an ecommerce site, you should look into taking cryptocurrencies as payments. As much as this particular article was looking at the horror stories that can come from abuses of the system, there is massive potential for buyers and sellers to get fantastic deals monetarily when used correctly.

Either way, stay safe out there, Divi Nation, and good luck down in the mines!

What are your thoughts on cryptocurrency and WordPress? Have you been affected by this new wave of attacks?

Article thumbnail by Thirap8l / shutterstock.com

11 Comments

  1. If you get a fully managed WordPress hosting company that has security properly handled at the server and router levels then you don’t even need WordFence, Sucuri and iThemes like offerings–as those kind of things are better handled elsewhere, by a professional and monitored 24/7 by competent staff.

    Regardless of at which level you have your firewall, brute force and anti-virus protections one still needs to:
    – only install trusted plugins and themes that are still getting updated by a reputable developer
    – keep the device you are logging in from free of malware
    – maintain regular offsite backups so that you can quickly recover if you are hacked
    – change your passwords often and keep admins to a minimum.

  2. Let’s get over one misconception right away … Like IMMEDIATELY. I’ve earned over $2k in STEEM (crypto) by blogging (randomly actually) on Steemit.com The industries rising up all around the distributed networks is MIND BOGGLING. I’m sure others will show up to expound on this. Buying crypto coins with fiat currency; Contracting to do freelance work; Selling physical objects and selling digital objects; and investing of all types are just a few, tip top of the iceberg ways to acquire crypto currencies. Mining is an option for some coins, not all coins.

    • Agreed, it’s not exactly a currency unless there are ways to earn it by working or selling things.

  3. So, are you saying WordPress is like Windows and everyone damn sure better have a security plugin?

    Is it like Linux and in general if you use secure logins and trusted plugins you should be fine?

    I’m hesitant to be piling on yet one more plugin unless it is clearly needed for a site.

    Are they needed because it is too easy to crack WordPress, or are they needed because too many people are lazy or don’t understand password security?

  4. Until someone comes up with a method of computing cryptocurrency value AT THE MOMENT OF SALE, based on a fixed-price dollar (fiat) selling price for the item being sold, then because of their extreme volatility, I will not accept cryptocurrencies on my ecommerce website.

    I may be forced into it soon by customer demand, but for now, no.

  5. Can’t recommend Sucuri…no way, no how. Client got suckered into using it on a Magento site. Ever since, sales have dropped, legit traffic has dropped, Sucuri randomly blocks visitors for no apparent reason, and they take forever to respond to support tickets…when they can even be bothered. Latest BS: I’m blocked from reaching the site from my home IP address, yet it comes up right away on mobile, and for other visitors; Suckuri’s error page blames the hosting company (502 error). Uh, no. As usual they are clueless. Can’t help. Wouldn’t even recommend them to an enemy…

  6. How many times have you been to a media website and been bombarded with ads with fake “click here” buttons, and then get malware later on? These new cryptominers can be a breakthrough of an “alternative to advertising” and maybe help reduce the number of malware injections and viruses people get at a small cost of energy.

  7. Good to stay up on this issue. Although I think the more serious vector that WP Admins need to be aware of is compromised plugins that started off as legit, but were then purchased and repurposed to inject the mining scripts that way. WordFence has been great at illuminating that aspect of the problem. With so many solopreneurs and ma-and-pa shops using WordPress for years now, who of them tracks the ownership/developers of the plugins they’ve installed through time? The trick is that they think they are doing a good thing by updating their plugins…

  8. I’m with Jim on this, Do I need a security plugin for wordpress even if using SSL?

    Amazing article and great tips, thank you so much!

  9. Thanks for sharing the info.

  10. I don’t think so
