…oh wait, it already is.
<sarcasm>As hysterically funny as that is</sarcasm>, I’m referring to the massive WordPress attack which is not hysterically funny.
When I warn clients to not use “admin” as a user name and “password” as their password, I’m sometimes looked at with big eyes and a cocked head. “Why would anyone want to hack my site?” Not being a hacker or a criminal, I can only speculate at the details, but for many people who are online at all, it’s not a question of IF your online presence or your email account, or your credit card or your very identity will be compromised by a hacker – it’s WHEN.
Hackers do it for a variety of reasons. Some do it just to see if they can or how deeply into a system they can get. There is this non-malicious side to it that is akin, in my mind at least, to the motivations of people who free climb, or decide to risk losing extremities and death to scale Everest. It’s the quest for accomplishment. Yes, there are risks, but I want to see if I can do it and how well I can do it.
And it’s also about disobeying the rules. In this case, the subject of hacking would be quite at home in a scholarly paper about duty and civil disobedience. I think most people, when pressed, can understand the latter — and the accomplishment of a goal, but most of us are probably satisfied at the giddy we get when we manage to make the perfect soufflé.
The maliciousness of hacking is without a doubt what most people assume is the norm. It can be personal – a targeted attack on a business or individual, but it is more likely that you’ll be a random inclusion along with hundreds, even thousands of others, and more likely than not, the culprit of the attack will be an automated, relentless bot.
The massive attack to which I’m referring, in a simplified nutshell, is a recent campaign of 90,000 servers to gain control of WordPress admin accounts as a method to bring down the internet — or at least a corner of it. This would be, it’s fair to say, an accomplishment. Not necessarily an accomplishment you call your mom about, but an accomplishment, nonetheless. This is a DDoS attack (distributed denial of service) which is, put simply, an effort to ruin the day of as many people as possible.
It should be understood that it is not WordPress itself that is vulnerable though even the most remote vulnerabilities can be exploited. Admin accounts in almost any interface are vulnerable primarily because the user does not take control of their own site:
- Perhaps they set up a WordPress site 2 years ago and it’s tragically in need of an update. It should be – but isn’t necessarily – common knowledge that writing in your blog does not keep the underlying code maintained.
- Perhaps their user name is “admin”
- Perhaps their password is the ever popular “password” or “12345”
If you are guilty of, particularly these last two items, you are making it easy to be compromised. And if you are on a shared server, as most people are, you are going to share the consequences of those attacks with everyone else sharing your space.
Advice? Be vigilant and responsible for your own actions. You shouldn’t have to know which way the gears turn or why something works the way it does, but unfortunately, there are people out there who do know. So, if you know just that much… If you can say “Why wouldn’t anyone want to hack my site?” then you are ahead of the game.