WordPress is one of the most widely used platforms for the creation of websites and blogs, but its great popularity also makes it an attractive target for cybercriminals.
Among the most common attack techniques is phishing through the “Unfiltered HTML” functionality. An account that holds this capability can save raw HTML, including script and form tags, into posts and pages, so an attacker who gets hold of such an account can plant a fake login form on an otherwise genuine page. Victims who enter their credentials there hand the attacker their WordPress account.
In this article, we will explain how this type of cyber-attack works, how you can protect yourself, and how Latch, the authorisation control platform from TU, can help you strengthen the security of your website.
What is phishing with Unfiltered HTML?
“Unfiltered HTML” (the unfiltered_html capability) is a WordPress feature that lets users with certain privileges save HTML code without it passing through the wp_kses_post() sanitiser. On a single-site install the Administrator and Editor roles have it by default; on multisite only super admins do. The option is useful for administrators and developers, but it becomes a serious risk when an account that holds it falls into an attacker’s hands.
With such an account, attackers can inject malicious code into posts or pages and manipulate content without users noticing.
They can also create fake login forms designed to steal credentials, redirect victims to phishing sites and even insert hidden scripts that record keystrokes, known as keyloggers. Because the affected pages may appear to be completely legitimate, this type of attack often goes unnoticed, increasing the risk to users.
Tips on how to protect your WordPress website from cyber-attacks such as phishing
To prevent attackers from exploiting the “Unfiltered HTML” functionality, here are some tips that protect your WordPress website effectively, preserving the integrity of your site and protecting your users from potential attacks:
Restrict the use of “Unfiltered HTML”: if it is not strictly necessary, disable this functionality to reduce risk. You can do this by limiting which roles and users hold the capability, by defining the DISALLOW_UNFILTERED_HTML constant in wp-config.php to turn it off for everyone, and by using security plugins that block unauthorised HTML code.
Use security plugins: tools such as Wordfence Security or iThemes Security are designed to protect WordPress against attacks. These plugins can detect and block attempts to inject malicious code.
Implement two-factor authentication (2FA): a second authentication factor makes it difficult for attackers to access your WordPress even if they obtain your credentials. This is where Latch becomes a key ally.
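As an added example (not code from this article or from Latch), the must-use plugin below applies the first tip and adds two audits for the abuse described earlier: it strips unfiltered_html from the Editor role so only administrators keep it, lists the users who can still save raw HTML, and flags posts or pages whose content wp_kses_post() would change, which is exactly the markup (forms, scripts, event handlers) that only an unfiltered_html account could have saved. It assumes a single-site install; the file name and the example_ function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Lock down unfiltered_html (added example)
 *
 * Save as wp-content/mu-plugins/lock-unfiltered-html.php. Must-use plugins
 * load before regular plugins and cannot be deactivated from the dashboard.
 *
 * Assumption (not from the article): a single-site install, where the
 * Administrator and Editor roles carry unfiltered_html out of the box.
 */

// Least privilege: take the capability away from the Editor role. remove_cap()
// writes to the wp_user_roles option, so the change persists; the has_cap()
// guard avoids rewriting the option on every request. To deny it to everyone,
// administrators included, add define( 'DISALLOW_UNFILTERED_HTML', true );
// to wp-config.php instead: core then maps the capability to do_not_allow and
// all saved content passes through wp_kses_post().
add_action( 'init', function () {
    $role = get_role( 'editor' );
    if ( $role && $role->has_cap( 'unfiltered_html' ) ) {
        $role->remove_cap( 'unfiltered_html' );
    }
} );

/**
 * Audit 1: which users can still save raw HTML?
 * Run with WP-CLI:  wp eval 'print_r( example_users_with_unfiltered_html() );'
 *
 * @return string[] user logins that pass the capability check.
 */
function example_users_with_unfiltered_html() {
    $logins = array();
    $users  = get_users( array( 'fields' => array( 'ID', 'user_login' ) ) );
    foreach ( $users as $user ) {
        // user_can() goes through map_meta_cap(), so it also honours
        // DISALLOW_UNFILTERED_HTML and any map_meta_cap filters.
        if ( user_can( $user->ID, 'unfiltered_html' ) ) {
            $logins[] = $user->user_login;
        }
    }
    return $logins;
}

/**
 * Audit 2: which posts and pages hold markup the sanitiser would remove?
 * Content saved by a non-privileged user is filtered on save, so if
 * wp_kses_post() changes stored content, that content contains tags or
 * attributes (form, input, script, iframe, on* handlers) that only an
 * unfiltered_html account could have written. Review every hit by hand.
 * Expect a few benign hits from entity normalisation (a bare & becomes
 * &amp;); diff the two strings before acting. Widgets, theme files and
 * wp_options are outside this scan.
 *
 * @return array[] one row per suspicious post: ID, title, author ID.
 */
function example_posts_with_unfiltered_markup() {
    $hits  = array();
    $posts = get_posts( array(
        'post_type'      => array( 'post', 'page' ),
        'post_status'    => 'any',
        'posts_per_page' => -1,
    ) );
    foreach ( $posts as $post ) {
        $filtered = wp_kses_post( $post->post_content );
        if ( $filtered !== $post->post_content ) {
            $hits[] = array(
                'ID'     => $post->ID,
                'title'  => $post->post_title,
                'author' => (int) $post->post_author,
            );
        }
    }
    return $hits;
}
```

Run both audits after deploying the lock-down: the first tells you who can still bypass the sanitiser, the second tells you what has already been saved past it. A fake login form found by the second audit should be removed and the author account treated as compromised, since only a privileged session could have stored it.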
How TU Latch strengthens the security of your WordPress website
Latch is an authorisation control platform developed by TU, the innovation and technology brand from Telefónica Innovación Digital. This tool provides an additional layer of security to protect the digital services of companies and users against various threats, integrating easily into environments such as WordPress.
By setting up Latch, users gain full control over who can access their site. Even if a cybercriminal manages to obtain the credentials, he or she will not be able to log in without the user’s explicit authorisation, which adds a crucial layer of protection against phishing attacks and other intrusion attempts. Note that this protects the account, not the page: a fake form already injected through “Unfiltered HTML” still has to be removed, and the capability still has to be restricted.
Latch’s flexibility allows it to be integrated into multiple sectors, from fintech to education, e-commerce, healthcare or legal services. Its intuitive design makes it easy to use, making it an ideal solution for organisations looking to protect their critical systems without additional technical complications.
Implementing Latch in WordPress not only enhances security, but also provides users with an easy way to manage their own access and authorisations. This is especially valuable in an environment where security is paramount to prevent common attacks on content management platforms.
In addition, Latch enables a Defence in Depth approach with its WordPress in Paranoid Mode tool, which adds several layers of protection:
At user level: implements two-factor authentication (2FA) using the Latch plugin for WordPress, gating the login process.
At SSH connection level: Secures access to the Linux server where WordPress is hosted by integrating Latch into the SSH connection.
In the WordPress tables: Enforces database integrity by setting triggers on key SQL operations such as insert, update and delete.
WordPress protected with Latch: It ensures user identity protection, administrative access and information security through its paranoid mode.
Find out how Latch can strengthen the security of your WordPress accounts with our Professional Plan available for companies and developers, try it now for free.
Marketing graduate with a specialisation in digital tools. I really enjoy live music and the uncertainty that comes with new experiences and stages. Today I work in the Product Marketing department of CDO Telefónica.