Getting hacked sucks. It’s scary and confusing. The most common question I hear is, “Why would a hacker want to hack my website?”. And the answer is, “It has nothing to do with you or your business.”
If They Are Not Targeting Me, then Why my Website?
The person trying to hack your website is not targeting “your” site. They are targeting a weakness in your websites code. (Exceptions to this are large corporations and government entities. Hackers do target these.)
A modern website is like an operating system. They use a content management systems (CMS) to organize and design the website. When a weakness is discovered in a CMS a hacker can write code that targets the specific flaw (not a specific website), and when found, gain access to sites using the flawed code.
It’s not uncommon to have 10K’s of sites hacked, all at once, by a single bit of hacker code. Yikes.
Why Do Hackers Hack?
A lot of hackers hack for sport. They see it as a challenge – as something to be conquered. I suppose there is a bit of bravado involved in it too.
Hackers can hack for religious reasons, political reasons or to make a name for themselves within the hacking community. Corporations and Governments will also employ hackers for spying activities.
Hackers can have malicious intent and can cause serious damage to your website. For many, the ultimate goal is to get money. Holding websites for ransom is becoming a common occurrence on the web. Double yikes.
How do Hackers Access my Website?
For the most part, a hacker is looking for a way in by
- accessing control through login pages
- opening files and/or executing code through software vulnerabilities
Here are some of the most widely used forms of hacking:
Access Control: This is typically done by “brute force” attempts to access a websites admin area by guessing the admin username and password. This is automated by code that can try thousands of username/password combinations. Tools exist that allow hackers to decipher even the most complex passwords.
SQL Injection: In essence, SQL is your websites database. A hacker can try to access your database by entering code into form fields on your site or through the browser address bar. Successful injections can delete, change, add or steal information stored in your database. SQL injections are hard to discover and remove.
Remote File Inclusion (RFI): If a hacker can gain access to your files then they can plant malware onto your site. This is one of the most common forms of hacking and can end up infesting your entire websites filing system.
Remote Code Execution (RCE): If your CMS has a hole in it, then a hacker can simply execute code targeting the vulnerability to gain access and control of your site.
What can Hackers do to my Site?
When a hacker gains access to your website there is a myriad of things they can do. It’s important to know that once they gain access, they can pretty much take control of your whole site. Here are some common things hackers do:
Vandalism: A vandal will simply replace some of the content on your website with their own propaganda. The defacing often comes with a political or religious message attached to it. Consider yourself lucky if this is the extent of your damage.
Plant Malware: Malware can be used to track passwords, infect other sites, send out spam emails, delete files or steal information.
Hold the Site for Ransom: this is a form of malware that blocks access to your site until you pay a fee to regain control.
DoS Attack: This is when hackers try to flood a target with so many user request that the websites server gets overwhelmed and crashes. Your site may not be the target, but it may be a source of the request.
How to Protect your Website from Hackers
Keep your CMS, theme, plugins and add-ons up to date. This is not too difficult to do, but does require regular maintenance of your website. If you are a Web 907 client and have any Managed Hosting package, then this is being done for you.
Install security plugins. There are a number of third party plugins that can help prevent hackers from accessing your website. They provide firewall protection, file change detection and sometimes IP blocking.
Harden your website. This involves removing access to files that are typically available to any user. For example, a WordPress websites admin login is at yoursite.com/wp-admin. This is no secret. So, change that to yoursite.com/mylogin-hero (or whatever) so automated hacking code can’t find it. Some security plugins offer “hardening” of your website.
Back up your site regularly. This won’t prevent a hack, but it will allow you to restore your site if indeed your site is rendered useless from a malicious attack. If you are a Web 907 client and have any Managed Hosting package, then this is being done for you.
Get a firewall. One of the best protections you can have is a good firewall service. Free ones work OK. But paid services work better and also include malware remediation in case of infection. If you are a Web 907 client and have “Premium” Managed Hosting, then this is being done for you.
Final Thoughts and Recommendations
Website security is a complex and ever changing environment. Hackers are always one step ahead. But knowing what is at risk and taking preventative measures can save you from an embarrassing hack that looses you time and money.
At the very least, keep your website up to date and back it up regularly. This will likely ward off the majority of hacking attempts. But if you really want to sleep easy, pay for a premium firewall service that includes malware remediation. If you’re not sure what you need, then contact your web developer to help you with your security decisions.
Nothing is 100%, but you do have the ability to keep the odds in your favor.