There are always vulnerabilities on WordPress since it is an open source website creation tool. When security vulnerabilities are located on the latest version of WordPress, their team responds to it and fixes the hole in security. Hackers can get into these holes to steal content (usually customer data), but they can also add stuff. In my book, Blogging is Murder, Connie Payne adds content to Liz’s site, but usually when a hacker adds something its malware (like in this Wordfence article), code that creates problems with the site or random keywords that impact the SEO of the site.
In the article, the hackers would have been able to get in by connecting their URL through the auto-update function. This is because WP doesn’t require signature verification when updates are installed.
In Blogging is Murder, Connie starts out as a typical fan of the site, lulling Liz into a false sense of security. Liz has her blog comment feature set up to allow all comments to show up on her blog without monitoring from her. Once Connie starts posting weird stuff, she changes that feature so that all comments must be approved by her first. But after that, Connie ups the ante and finds a vulnerability in Liz’s site via WP and is able to get in and create her own admin privileges in the backend of the blog. She now has her own login and password and can edit, add or subtract any content from the blog. Which she does. She actually writes post on the blog under Liz’s name, so it looks like Liz is writing the posts, undermining Liz’s reputation. Her overarching goal is to replace Liz altogether—she plans on pushing Liz out of her home, family and business because Connie believes she can do a better job of being wife, mother and solopreneur than Liz can.
Like most bloggers, Liz doesn’t pay careful enough attention to what themes and plugins need updated on her blog. She’s too busy trying to run her business. But old, “unpatched” themes and plugins are the perfect way for hackers to get inside of a blog/website. They create a hole for the hackers to come through. Often when a theme or plugin company (including WP) sends out an update, it’s because they have been made aware of the possible threat, so they fix the issue. But if a blogger doesn’t update it immediately, hackers can get right in.
In the case discussed in the article, the WP host, api.wordpress.org, was at fault. It could have opened up thousands of sites to hackers, not just a few. But hackers are always looking for these opportunities. So. although Liz “invited” the hacker in because she wasn’t cyber security-conscience enough, it could have easily have been something like this that allowed Connie access to the site so that she could hijack it.
Discover the truth about WordPress vulnerabilities and cyber-security in the action-packed cozy mystery, Blogging Is Murder: A Jade Blzackwell Mystery by Gilian Baker, currently available for pre-order on Amazon here.