304 North Cardinal St.
Dorchester Center, MA 02124
304 North Cardinal St.
Dorchester Center, MA 02124
What is a password breach? What steps should you take to keep one from happening on your WordPress website?
Ever since the inception of the Internet and website login forms, we’ve all been taught to use secure, unbreakable passwords to guard our online privacy. But as a WordPress site owner, it’s even more important than ever. Due to constant cybersecurity threats, you need to take steps to avoid password breaches that could lead to a hacker taking over your website.
In this guide, we’ll dive into the risk of password breaches and how they’re used to take complete control over your WordPress site. We’ll also show you exactly what you need to do to defend your site against a password breach. Let’s take a look.
In a nutshell, a password breach is when someone has access to your password without your permission. Password breaches often happen on a large scale, as large sets of username and password combinations are compromised. Password breaches often result in leaks and database dumps. These database dumps are disclosed on the dark web or even sold.
Password breaches are a huge problem for a number of reasons. The first, obviously, is that a hacker can gain access to your online accounts. Once your password is included in a data breach, your online security is greatly diminished.
Even worse, if you’re reusing a password for multiple accounts, all of those accounts are then compromised. In a recent Verizon Data Breach Investigations Report, more than 70% of employees reuse passwords at their workplaces. But the most important stat from the Verizon report is that 81% of hacking-related breaches leveraged either stolen or weak passwords.
When it comes to password breaches, it’s important to understand MITM, or Man-In-the-Middle, attacks. Man in the Middle attacks are a general term for any cyber attack where hackers position themselves in an intermediary position between the sender and receiver of information or data.
An example of this would be for a hacker to be between a user’s web browser and the website they’re currently visiting. By positioning themselves in the middle, it allows attackers to eavesdrop and, in a lot of cases, modify the targeted content as it’s sent and received between the two different locations.
When a hacker is able to capture the login credentials of a site user, they can sometimes use that information to gain privileged access to your WordPress site. And if they are able to capture your site’s administrator credentials, they’ll be able to do anything to your site that they please, including redirecting it to a completely different location.
Hackers use many techniques for stealing your passwords, including phishing, stealing your authentication cookies, and watching for non-secure or non-encrypted connections.
To fully understand how a password breach happens and how credentials can be stolen, you’ll need to first look at a non-secure HTTP request that contains credentials submitted using a browser’s built-in developer tools.
Keep in mind that this is not a Man-In-the-Middle attack, but is nonetheless a password breach. And this information will help to illustrate what you’ll need to look for a bit later in this process.
Now, we need to take a look at what a hacker sees when they inspect HTTP traffic that isn’t encrypted. For this example, we’re using a tool called Wireshare. This is a popular and free network analysis tool that anybody can use. A malicious user, who is on the same WiFi network that you’re on, could use such a tool to obtain sensitive information that isn’t encrypted through HTTPS.
Beyond simply stealing your login credentials and passwords, a knowledgeable hacker is also able to steal your authentication cookie and use it to fully impersonate you on your website.
It’s important to understand that HTTP is what’s known as a stateless protocol. In other words, in HTTP, the server doesn’t attach any individual meaning to requests that arrive over the identical TCP socket.
What this means is that, unless you want to type in your full password every single time you request a page on the site, the browser needs to store a temporary token that follows you as you browse the site.
This token is referred to as a session token. And the browser automatically sends this token with every single request you make on the website. Fortunately, web browsers have a mechanism that’s built-in for this exact function. And the mechanism is cookies.
This is why, when you delete all of the cookies stored in your browser, you’ll get logged out of all of the websites you were previously logged into.
This informs us that hackers and malicious attackers don’t even need to know your password to pull off a password breach and impersonate you. All they need to do is get their hands on your session token, and they can log right into your site.
As in our previous example of a WordPress password breach, you’ll see that the same identical information is now accessible to an attacker that’s using Wireshark.
Then, using a completely free browser extension like Cookie-Editor, the hacker will be able to easily use the value of the cookie they stole in their web browser and begin navigating around in your WordPress admin dashboard as you. And nothing good is going to come of that for yourself or your website.
Keep in mind that some types of password breach attacks are extremely low-effort for a skilled hacker to pull off. And this is especially true on poorly secured or public networks, such as public WiFi locations.
Fortunately, keeping your WordPress site protected from password breaches is extremely straightforward. And it’s something that every responsible WordPress website owner needs to focus on doing right away in order to avoid an attack that could ruin your entire website.
First and foremost, make sure you enable and enforce HTTPS on any and all WordPress sites that you manage. This is an absolute requirement for any type of WordPress site, whether small or large – even if your users aren’t given permission to log in to the site.
Simply stated, HTTPS encrypts all of the traffic between browsers and your site server. If an attacker attempts to read the contents of traffic encrypted with HTTPS, they’ll only end up seeing garbled, meaningless encrypted text.
And your passwords will be safe.
Of course, you’ll need to have an SSL security certificate to be able to enforce HTTPS on your site. Today, many WordPress hosts offer free SSL certificates, which makes it a no-brainer.
Similar to all other website applications that contain login forms, the WordPress content management system submits usernames and passwords within an HTTP request when you or another user logs in. And, as you probably know, HTTP isn’t an encrypted protocol.
This means that if you’re not running your site securely using HTTPS, all communication between your users and your web server is open to eavesdropping from hackers and malicious attackers.
Hackers are then able to easily intercept, then modify, your WordPress site’s cleartext HTTP (unencrypted) traffic. And of course, the most valuable piece of information a hacker will look for is the login credentials of the site administrator, including your password. That’s why it’s so important to always use HTTPS for your WordPress site. Here’s a quick guide on what HTTP vs HTTPS means.
If you have a WordPress website, one of your best lines of defense is the iThemes Security Pro plugin. iThemes Security is a powerful WordPress security plugin with features designed to secure user accounts and harden WordPress.
For example, the Password Requirements feature in iThemes Security Pro is not only your password policy but also your password enforcement tool.
Using the Password Requirement feature, you’ll be able to easily force members of any WordPress user group within your dashboard to:
The iThemes Security Pro Password Requirements feature will work to secure your WordPress login credentials against the password breach attacks we’ve just discussed in this guide, and a lot more.
In fact, it’s a full WordPress security suite that no WordPress site owner should be without if securing your site against all kinds of malicious attacks is important to you.
Plus, it gives you the ability to enforce your password policy with a simple click of a button. The truth is that most people prefer to take the path of least resistance. By removing the option to use weak or compromised passwords, you’re helping yourself and everyone that uses your site to fully protect their accounts from the damage of a password breach.
While there’s no question that you need to immediately enable HTTPS on your WordPress site, then install a security suite to protect it from password breach attacks, there are also some additional measures you’ll want to take that relate to WordPress security and hardening:
A successful password breach is one of the most devastating things that can happen to a WordPress site owner. And even the biggest websites in the world aren’t immune to their dangers.
After studying this guide, however, you now have the tools to employ on your site that will help keep you away from this devastating blow.
And with the help of the right tools, as discussed herein, you’ll be well on your way to running a more secure WordPress site.