WHY DO HACKERS TARGET WEBSITES?
We’ve all read the headlines about data breaches at high-profile businesses such as Equifax, Home Depot and Yahoo. It’s easy to understand why hackers target large corporations that have massive quantities of customer credit cards and other valuable data.
So why would a hacker target a small website that doesn’t have credit cards or other financial details? Unfortunately, there are a few common reasons:
Bragging rights. Some hackers are just playing a high-stakes computer game—they enjoy the adrenaline rush and the feeling of power. It’s a game within their circle of hacker friends, and they like winning. These hackers often just delete or deface your website, like this.
- Steal traffic. Sometimes hackers install hidden scripts on your website that redirect visitors to one of their own sites. They’ll often set up sophisticated rules that make it hard for you to detect or locate the malware. They then use your traffic to make themselves money.
- SEO spam. A hacker can use your website to publish spam content, for example, about prescription drugs. While this helps their SEO, it can completely ruin your SEO or even get your website banned from Google.
- Email spam. Over 100 billion spam emails are sent every day, primarily from thousands of hacked websites. If your website becomes one of them, your domain name can get blacklisted and your legitimate emails will no longer be delivered. Trust me, it’s tough to operate when nobody gets your emails!
SHOULD MY BLOG USE SSL/HTTPS?
Your site should have an SSL (Secure Sockets Layer) certificate to enable https secured connections on all URLs.
In fact, Google has been leading a global initiative to encourage the entire internet to switch to https:
- Since 2014, Google has been rewarding sites that use https by ranking them higher in search results. It’s a small boost, but every little bit can help.
- In July 2018, the stakes will be raised even higher—its Chrome browser will start labeling all http websites with a “Not Secure” warning.
Using https also offers protection against certain hacking methods, and is the first step in protecting your users’ privacy.
HOW DO HACKERS ACCESS MY WEBSITE?
If you’re like most people, hacking seems like some type of black magic. How does a hacker modify my website and upload files without me giving them my admin username and password? We’ve all seen Hollywood movies where hackers type some green text into a black screen, and voila—they’ve gained access to a system. (If you want a laugh, check out this parody of how Hollywood portrays hackers.)
There are actually hundreds of ways hackers can gain access to websites. If you want to do a deep dive, there’s an industry-standard database called the Common Weakness Enumeration (CWE) that lists 714 different ways bad actors can compromise websites.
Once you have a basic understanding of how hackers access websites, the tactics you can use to protect against them will start to make more sense.
Let’s look at a few of the hackers’ most common tactics so you’ll have a general idea of how they go about their nefarious business.
STEAL YOUR LOGIN DETAILS
Sometimes hackers just “go direct” and steal your username and password so they can log in to your website just like you do. There’s a variety of ways they can get your admin credentials:
- Install a trojan on your personal computer to steal your username and password.
- Hack a WiFi router to intercept usernames and passwords from anyone who logs on via that network. Tip: If your website uses https, you’re less vulnerable to this kind of “man-in-the-middle” attack.
- Use automated software that guesses passwords until it finds the right one. With this type of “dictionary attack” or “brute force attack,” how long do you think it takes to crack your Password123?
Here’s a quick demo of a brute force attack:
FIND VULNERABLE COMPONENTS
When attacking a website built with a well-known blogging platforms such as WordPress, Joomla, Shopify, Magenta etc hackers commonly look for weaknesses in plugins, themes and other components installed on the website. The WP Scan vulnerability database lists over 10,000 different vulnerabilities found in WordPress and associated components, the overwhelming majority of which have been patched. I recently ran an analysis of the top 10,000 websites in the US and found that 49% of the sites were using an outdated version of the core build software.
UPLOAD A BACKDOOR
Many websites allow users to upload files such as profile pictures or message attachments. If the file upload form isn’t properly protected, hackers can upload a malicious script—sometimes called a backdoor—that will run on your website and give them access to do basically anything they want.
Skilled hackers can gain unauthorised access by sending code to your website that tricks it into displaying confidential information from your database, such as your password. This is called injection or SQL injection.
This 56-second demo video shows how SQL injection can be used to trick a website into giving admin-level rights to an unauthorised user:
Hackers use these and hundreds of other tactics to compromise thousands of websites every day. As website owners, we’re in a never-ending race to stay ahead of these malicious attackers.
HOW CAN I PROTECT MY SITE FROM HACKERS?
Prevention is the best cure when it comes to website security. It’s easier and cheaper to prevent a hack than it is to find, fix and recover from one.
Here are a few tactics business owners can use to reduce the likelihood that hackers will successfully breach your website:
- Keep your website software up to date. This easy step can greatly enhance your security. Turn on automatic updates for your website software, themes, plugins and other components. This reduces the amount of time your website might be vulnerable. If automatic updates are not possible, set up email alerts so you know immediately when updates are available. You should also check manually for updates every week just in case any slipped through the cracks.
- Use components that are being actively developed. Avoid using older software components (such as themes or plugins) that are not being actively maintained and updated. If a security issue arises and the creator doesn’t release a patch, you’d have to research and create a patch yourself—assuming you were even aware of the vulnerability before your site was hacked
- Use stronger passwords. You can defend against brute force attacks by making your passwords hard to guess. Here are a few password guidelines from National Institute of Standards and Technology (NIST):
- Make it long, 12-16+ characters is good
- Avoid common English words
- Don’t use your username in your password
- Don’t use common password strings like 123, password, pass, etc.
- Use numbers and punctuation, but don’t just put a 1 or ! at the end (everyone else does that)
- Don’t reuse passwords. Why is it such a big no-no to use the same password for two websites? Data breaches happen all the time—more than 5 million records are hacked every day. Hackers then use these records to access other accounts. So if you used the same password on Yahoo that you use for your website, the hackers that got 500 million Yahoo passwords could use then easily access your website. And don’t think your password will be safe because hackers don’t have the time to sort through 500 million passwords. Today’s automated software can process millions of records faster than you can read this article.
- Install an advanced web application firewall (WAF). A “smart” web application firewall can detect and block attacks on your website.
- Review your code. If you’re using custom developed blog software, use the OWASP top 10 cheat sheets to review the security of your blog’s code.
- Minimize access permissions. The more users who have admin access to your blog, the more potential points. To minimize hacker opportunities:
- Remove users who no longer need access
- Only give users the access they need—if editor access will suffice, don’t give admin access
- Monitor logins so you know the IP address and username each time someone logs into your website
- Uninstall apps you don’t need. Websites tend to collect components over time—apps, plugins and themes that were installed but are no longer used. Remove all these components so they can’t be a possible vector for hackers to access your website.
- Back up your website. This won’t stop hackers, but it will make it a lot easier to fix/restore your website if it’s ever hacked.
- Protect your devices. Hackers often use trojans on your computer, tablet or smartphone to steal your website passwords. Ensure you’ve got advanced, up-to-date protection software installed on all your devices.
- Set up scans. Install a daily scanner to check your website for malware and vulnerabilities. This can alert you to an issue so you can react quickly to fix it.
- Have a response plan. While we’d like to think we could successfully fend off all attacks, the reality is a bit more grim. If you’re online, it’s likely you’ll eventually be hacked. Surveys indicate that 75%-90% of businesses are victims of hackers each year. Plan ahead:
- Set up alerts so you can quickly find out if any issues occur.
- Backup your website regularly, and keep backup copies for at least a week.
- Know who you can contact if your website needs repair, such as a web developer with hack repair experience or a cybersecurity team.
WHAT STEPS CAN I TAKE IF MY WEBSITE IS HACKED?
Even with the best security in the world, you’re never 100% safe from hackers. It’s an unfair game—to win, you have to defend every single vulnerability every second of every day, while the hacker only has to find a single vulnerability to exploit for a few seconds. So it’s imperative that you have a response plan in place in case your website does get hacked.
HERE ARE THE BASIC STEPS YOU’LL NEED TO TAKE TO DEAL WITH A TYPICAL HACK:
- Document the issue. Carefully record each indicator of a hack that you’ve seen, which pages are affected, etc.
- Change passwords immediately. Change all login details related to your website: FTP, database, WordPress, hosting control panel, etc.
- Scan your local computer(s). Hackers sometimes use trojans to steal website passwords from your local computer.
- Find and remove the hack. The hack will often be malicious code inserted into your site’s PHP files, or additional files uploaded somewhere on your site. Note that many hacks will have multiple components, for example, a backdoor access file, malicious code added to your website files and new files uploaded through the backdoor access. If you have a clean recent backup of your site, this can help to identify and remove the hack.
- Check and clear blacklists. Google and email service providers maintain blacklists of compromised websites. If your site has been added to one of these blacklists, you’ll need to get it removed.
- Change all your passwords again. Just in case the hackers got an updated password before you got the hack completely removed.
- Lock down your site. Go through the prevention steps and consider taking extra steps to protect your site.
Cyberspace is a battlefield. All we can do as bloggers is to take preventative action, stay alert and be ready to respond if an incident occurs.