Imagine finding out that someone was spying on all of your communications – your phone calls, text messages, emails, even your in-person conversations. And on top of that, the person was posing as you or the other person – or even both. That’s what happens in a MITM attack. The attacker not just watches what’s happening, but they can act as one or both parties – unbeknownst to the other one – to manipulate the communication. In this article, we’ll explain what a MITM attack is, how they work and what you can do to prevent one from infecting your WordPress site.
What Is a MITM Attack?
MITM attacks are more common than you may think. This type of cybersecurity attack eavesdrops on communication occurring between two targets, like your browser and a site you’re visiting. And more than that, a MITM attack can hijack the conversation so that one or both targets get misinformation. The attacker can disguise themselves as one or both of the targets so that neither one realizes they’re communicating with the attacker. The information can then be altered before it’s delivered.
How Does a MITM Attack Work?
There are several types of common MITM attacks. In all of them, though, there are two main steps: intercepting the communication and then decrypting the information.
A rogue access point attack, for example, can happen when a wireless card-equipped device tries to connect to an access point. The attacker can set up a wireless access point and trick the device to connect to it. Then, all of the network traffic can be seen and manipulated by the attacker.
Another example is the ARP spoofing attack. ARP stands for Address Resolution Protocol, and it’s basically used so that a host can determine if another host it’s talking to has a known IP address. With ARP spoofing, the attacker poses as a host and responds to IP verification requests. The attacker can then spy on the traffic between the two hosts and extract information that gives them access to accounts.
There are a number of techniques used in MITM attacks:
- Sniffing: Packet-capture tools are used to inspect packets, giving the attacker access to information they shouldn’t be allowed to see.
- Packet Injection: Malicious packets can be injected into communication streams, blending in so they’re not noticeable. Usually, sniffing is a precursor to this.
- Session Hijacking: When a user logs in to a web application, a temporary session token is generated so that the username and password aren’t required every time the user goes to a different page. With session hijacking, the attacker identifies that session token and acts as the user. This is also known as cookie hijacking.
- SSL Stripping: Packets are intercepted and altered so that the host has to send unencrypted requests to the server, which means that sensitive information is no longer encrypted.
Detecting these types of attacks is tricky. You have to already be searching for an interception; otherwise, a MITM attack can go undetected. Luckily, you can take steps to detect an attack before it occurs instead of waiting to try to catch one in action.
How To Prevent a MITM Attack
Here are the best practices you should follow to prevent a MITM attack:
Change the Router Login Credentials
You should never keep the default login credentials for your router. If an attacker is able to find them, which is easier if you’re still using the defaults, they can change your servers to theirs. They could also put malicious software in your router.
Enforce HTTPS
HTTPS is needed in order to securely communicate, and it means that the attacker won’t be able to use the data he’s sniffing. Websites shouldn’t offer HTTP alternatives; they should only use HTTPS. Also, users can get a browser plugin that will always enforce HTTPS.
Set Up Strong Encryption
Wireless access points need strong encryption if you’re going to keep nearby unwanted users from joining your network. When your encryption is weak, an attacker can use a brute-force attack to get into your network and launch a MITM attack.
Use a VPN
Virtual private networks (VPNs) create a secure online environment, which is important if you have sensitive information stored. VPNs use key-based encryption to create a space for safe communication. Even if the attacker can get onto a shared network, they won’t be able to understand the VPN traffic.
What WordPress Users Need To Know
When a user logs in to WordPress, the username and password are submitted in an HTTP request – which is not encrypted. That’s why it’s so important to use HTTPS to prevent an attacker from eavesdropping on the communication. Luckily, it’s a cinch to get that set up using a plugin – there are several in the WordPress plugin directory that will set up your site to run over HTTPS.
When it comes to WordPress, the biggest concern is that a MITM attack will lead to a WordPress hack. HTTPS is important because it keeps attackers from seeing your username and password in plain text. HTTPS will also help protect your WordPress site against other common threats, which include ARP spoofing and stealing authentication cookies.
In addition to using HTTPS, WordPress hardening best practices will work to keep your website safe. These include:
- Activity log
- Firewall
- Limiting failed login attempts
- Strong passwords
- Two-factor authentication
It’s also useful to know the types of websites that fall victim to MITM attacks the most. Sites where logging in is required are the most prone to MITM attacks because the goal of the attacker is usually to steal credentials, account numbers, credit card numbers and the like. If you have a WordPress website where users have to log in – like for a membership site or to access a saved shopping cart – you have to be especially aware of MIMT attacks.
MITM Attack Frequently Asked Questions
What causes a Man in the Middle attack?
A MITM attack can occur when two parties are having an unsecured interaction. That could be two people who are talking via a messaging system online or a transfer of data between two hosts.
What are the signs of a Man in the Middle attack?
There are a few telltale signs that you are, or could be, in the vicinity of a Man in the Middle attack – or even a victim yourself:
- Open, public WiFi networks.
- Suspicious WiFi network names.
- Evil-twin WiFi networks that aim to trick the user. For example, StarbucksJoin and StarbucksWiFi. If you see both, one could be fake.
What is a passive man in the middle attack?
A passive MITM attack is when the attacker is eavesdropping on communication between two parties but isn’t taking any action to manipulate the data.
Wrapping Up
Knowing you’ve been the victim of a MITM attack, whether you were checking your email at a café or you’re the owner of a website that was hacked, is scary. Thinking of anyone spying on you or your online activity is just plain creepy. And when it comes to sensitive information – your own or that of your customers, subscribers, etc. – it can be a serious detriment to your personal and professional life as well. Getting HTTPS set up on your WordPress website is your absolute next necessary step. From there, work to harden your website as much as possible. You can never be too safe.
While you’re at it, check out our article about how to conduct a WordPress security audit.
This article’s so informative and exciting! Thanks Lindsay!