Essentially, any malicious action which leaves the attacker with full control of the target website can be deemed to fall under the header “Hack Attack.”
And while hacking for negative SEO purposes is still a relatively uncommon practice, the number of instances of this vector has increased noticeably during the past couple of years.
Breakdown of a Negative SEO Hack Attack
Step 1: Obtain Access to and Control over the Target Website
One thing which needs to be made clear from the outset, is that the overwhelming majority of NSEO hack attacks are carried out against WordPress sites, for two highly defined reasons:
- It’s the most common Content Management System (CMS) by far
As of this article’s writing, WordPress powers almost 45% of ALL websites on the Internet, and holds a 63%+ market-share of ALL websites with a known CMS.
- Its native security is frankly laughable
In fact, WordPress has been widely described as the “CMS with a ‘Kick Me’ sign pinned to its back.”
WordPress security is so neglected, that even more than two decades after its initial release to the world, WP has no inbuilt brute force protection. And things just go downhill from there, with database and plugin vulnerabilities constantly plaguing the CMS.
These two factors alone make WordPress the web’s most attacked and most commonly breached platform, with such a wide array of successful attack vectors, it would be pointless to try and list them within the scope of this article.
So let’s move on to:
Step 2: Ruining Your Competitor’s SEO/Online Business
Once an attacker has gained control over a WordPress installation, they have Carte Blanche over the entire website.
At this stage, malicious actions can range from making simple and obvious changes, such as changing contact phone numbers, redirecting contact forms, and changing purchase links in the shopping cart, to more sneaky sabotage.
At that level, the attacker can include terms which trigger Google’s “Safe Search” filters on high-performance pages, or stock the site with endless pages of spam content in the hope of triggering a Manual Action. We’ve also seen quite a few instances of attackers injecting malware into the installation, which then causes Google to de-rank and/or attach a security warning to the site when it’s shown in the SERPs.
This, of course, results in a massive reduction of click-through rates.
In very rare cases, this negative SEO attack vector is combined with a Canonical/Impersonation Attack, where the attacker creates an external domain with similar or identical branding and content to the target website, and canonicalizes high-performance or link-rich URLs to his/her impersonation site.
When carried out properly, this type of attack often goes undetected and undiagnosed for prolonged periods of time, and can cause severe damage to organic rankings and revenues for the target website.
How to Defend Your WordPress Website Against a Hack Attack
Unlike most other negative SEO attack vectors, there are some highly defined steps you can take in order to harden your WordPress installation against hacking breaches and other vulnerabilities.
- Stay away from obvious usernames
A large percentage of brute force attacks can be thwarted by simply avoiding common usernames, such as Admin, Administrator, Author, Editor, etc.
- Enforce strong passwords for ALL admin users
Similarly, the use of strong passwords will make life difficult for would-be brute force attackers.
And, contrary to popular opinion, these passwords need not consist of twenty random characters, which you’ll never remember. Technically speaking, four random words strung together, like so: “CheeseGrenadeRosebudGoat” will provide near perfect brute force protection, while maintaining a password you’ll actually be able to remember.
- Keep ALL themes and plugins up-to-date
This step will greatly reduce the risk of vulnerabilities and exploits giving bad actors additional attack vectors against your website, by simply doing what you’re supposed to be doing in the first place, which is to stay on top of your site’s housekeeping.
- Use a security plugin to harden your WordPress installation
This is an essential step if you’re at all serious about your website. After all, if you’re not willing to spend fifty bucks a year on keeping your online business safe, how committed to its success are you, in real terms?
Running a decent security plugin, like Really Simple Security or Wordfence, in addition to the steps above, will minimize the overall risks of your WordPress installation falling prey to malicious intrusions, whether they be for negative SEO, or for other unethical/illegal purposes.
As of the time of writing (2024/10/09) the overall threat level of a WordPress hack being used for negative SEO purposes is still relatively small. However, as with many other NSEO attack vectors, the number of instances has been steadily increasing over the past couple of years, as the economic climate has worsened and unethical competitors have started taking underhanded actions against their more successful rivals.
Here, as elsewhere, prevention is better than cure, so it’s best to shore up your websites security now, rather than face massive drops in visitor numbers and revenue later, along with a lengthy and expensive cleanup operation.
Contact ArcLite today, to see how we can help you harden your WordPress site against hackers and other malicious actors.