What is privilege escalation?
Privilege escalation is a process through which an unauthorized user gains access to resources restricted to a specific group of people, such as data that is restricted to users with specific WordPress user roles. In privilege escalation, an attacker first gains access to a low-level account and then escalates privileges to reach an administrator-level account, which allows for a wider range of resource access.
How does privilege escalation work?
Privilege escalation can work vertically or horizontally. Either way, the attacker must first exploit a vulnerability or a misconfiguration that gives them initial access. Once initial access is established, the attacker will look to escalate privileges so that they can widen their attack vectors or access restricted data and information. At the very top sits root access, which gives the attacker complete control over the system or systems the root account presides over.
Privilege escalation works because lower-tier accounts may not be as protected as upper-tier accounts, making them easier targets. If the principle of least privilege is not implemented, the attacker may not need to seek privilege escalation since the account may provide them with the privileges they need to carry out the intended attack.
In a WordPress environment, the acquisition of the initial access may be at the WordPress, webserver, or Operating System level. Once initial access is acquired, the attacker will try to gain further privileges that grant access to more resources.
Why are privilege escalations dangerous?
Privilege escalation is dangerous as it ultimately can lead to full access to the systems being attacked. Once full access is achieved, the attacker can initiate further attacks including infiltrating other systems and stealing data.
How privilege escalations target WordPress websites
In most cases, an attacker carries out a privilege escalation attack by gaining access to a basic user account, for example, a user with the Subscriber user role. Since such accounts are typically not as protected as higher-level accounts, attackers may find it easier to gain access.
Once this has been completed, the attacker will look for ways to escalate their privileges and gain access to a user with the Administrator user role. While this can be achieved in different ways, vulnerabilities in plugins and in WordPress itself are one possible route the attackers may take.
To illustrate this with an example, an attacker looking to attack through privilege escalation might first look to take over a less-secure account. On a WooCommerce website, for example, this would be a customer account. Unlike the administrator and their team, who might have solid passwords and use two-factor authentication (2FA), customer accounts typically have less stringent password policies – making them a prime target.
Note: refer to how to use WordPress user roles for more information on what user roles are on WordPress and the different privileges you can assign to different users to improve the security of your WordPress website.
From there on, the attacker will attempt to escalate privileges by hacking accounts further up the hierarchy, giving them access to more sensitive information and resources.
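The plugin route mentioned above usually comes down to a missing authorization check. As an added example that is not part of the original article, here is a hypothetical plugin AJAX handler that updates a user's role, first in the vulnerable form and then hardened; the plugin prefix, function names and nonce name are assumptions for illustration.

```php
<?php
// Added example (not from the original article). Hypothetical plugin code;
// the "pu_" prefix, function names and nonce name are assumptions.

// BEFORE THE FIX (do not hook this): any logged-in user, e.g. a Subscriber,
// can call the action, and the handler trusts the submitted 'role' field,
// so a low-level account can promote itself to Administrator.
function pu_update_profile_vulnerable() {
    $user = new WP_User( get_current_user_id() );
    if ( isset( $_POST['role'] ) ) {
        $user->set_role( sanitize_key( $_POST['role'] ) );
    }
    wp_send_json_success();
}

// HARDENED: nonce check, a capability check tied to the action performed,
// and only roles the caller could already assign in wp-admin are accepted.
// The page that issues the request must embed wp_create_nonce( 'pu_profile_nonce' ).
add_action( 'wp_ajax_pu_update_profile', 'pu_update_profile_hardened' );
function pu_update_profile_hardened() {
    // Reject requests that did not originate from a page we rendered.
    check_ajax_referer( 'pu_profile_nonce', 'nonce' );

    // Being logged in is not authorization: only users who may already
    // promote others are allowed to change roles.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'Insufficient privileges', 403 );
    }

    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $new_role  = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';

    // get_editable_roles() lists the roles this caller is permitted to
    // assign, so a low-privilege account cannot hand out Administrator.
    $editable = get_editable_roles();
    if ( ! $target_id || ! isset( $editable[ $new_role ] ) ) {
        wp_send_json_error( 'Invalid user or role', 400 );
    }

    $user = new WP_User( $target_id );
    if ( ! $user->exists() ) {
        wp_send_json_error( 'Unknown user', 404 );
    }
    $user->set_role( $new_role );
    wp_send_json_success();
}
```

The same pattern applies to any handler that writes user meta, options or roles: check a nonce, check a capability that matches the specific action, and validate user-supplied values against what the caller is allowed to set.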
How to protect your website from privilege escalations
There are a number of preventive steps that you can take to reduce the risk of an attack that leads to privilege escalation. These include:
Educate users – Most users do not think about online security as much as you do, but this does not mean it’s not important to them. Explaining the importance of cyber hygiene can go a long way in helping you ensure users take the necessary measures to keep their accounts safe.
Strong password policies – A strong WordPress password policy can make it far more difficult for an attacker to gain access. While we must acknowledge that a balance between security and ease of access is important, many websites have started to institute such policies while keeping user frustration to a minimum.
Add two-factor authentication – 2FA on WordPress websites has been proven to eliminate most threats by requiring users to present an additional authentication method before logging in. As such, an attacker would not only need the user’s password but also their phone – something they’re unlikely to get a hold of.
Harden WordPress – Secure and harden your WordPress website to ensure you’re as protected as possible from different types of attacks, including those that may lead to privilege escalation. WordPress security hardening takes a 360-degree approach to WordPress security, ensuring no unnecessary risks leave you exposed.