Everyone knows when a website has been hacked, right? It will have a message saying 'hacked by' – right? Wrong.
The scars might be invisible to the average site visitor, and the owner may not even know their website has been compromised. Think that little old New Zealand minding its own business isn't a target? Wrong again.
How do you know if your website has been a victim of an attack? How do you fix it? And more importantly, how do you prevent it having serious repercussions for your business?
Firstly, there is nothing you can do to stop a determined hacker getting into your website if they really want to. So think in terms of not IF your site is hacked – but WHEN. And then on that basis, you can decide how to reduce the risk and how to minimise the disruption if it does happen.
Open-source systems like Joomla and WordPress are often targeted, and this has led to some people mistakenly believing that these systems are inherently “insecure” because they are Open Source.
The simple truth is that ANY system if not correctly configured and maintained is insecure. In fact, Open Source software tends to have security issues resolved far faster than proprietary software.
Hackers tend to target websites powered by common content management systems (CMS) like Joomla, WordPress, Drupal etc. because there are a lot of websites built using these systems. And sadly, many of them get built and set up by people who have no idea how to correctly secure them.
There are many ways to compromise a website - so all sites are targets regardless of the technology used to build them.
Proof of this can be seen in recent high-profile organisations that have had their websites and/or systems compromised:
Microsoft, Twitter, Facebook, NBC, British Airways, Home Depot, eBay, Adobe, AOL, UbiSoft, Evernote, Sony Pictures and the Greek Government [1] have all been victims of a security breach.
As we said, it's not a case of IF – but WHEN.
Understanding the 'how' and 'why' is useful to be able to implement the 'what' to reduce the risks to your business.
Common ways to hack a website
Without going into the technical detail, here are a few ways a website can be compromised:
- Lax passwords – The easiest and most common method. We have seen sites where the administration username and password were “admin / admin” or some equally easy to guess combination that takes almost no effort to crack. Hackers simply throw thousands of password combinations at a site, based on a list of words (like the dictionary), in a short space of time till they find the right password.
- SQL Injection – This involves entering computer code into web forms, e.g. login fields and contact forms, to access and manipulate the database behind the site. This can allow a hacker, for example, to add themselves as a user, then simply log in and make whatever changes they want to.
- Cross Site Scripting – enables attackers to inject client-side script into web pages viewed by a user. This technique leverages vulnerabilities in web applications to fool a user, usually for the purpose of gathering their data (such as private information) or executing malicious code on their system.
- Exploiting broken authentication and session management - allows attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
- DDoS (Distributed Denial of Service) Attacks – This is where a web server is made unavailable by bombarding it with hundreds or thousands of requests in a very short space of time. This causes a bottleneck and makes the site unavailable. While not a hack as such, they are increasingly common and can take a website down for days at a time.
- Exploiting known software flaws – No software is completely secure or bug free. Hackers will often target known security flaws in website software, looking for out of date code that hasn't been updated with the latest security fixes or "patched". Keeping your site's software up-to-date is critical.
And these are only a few of the ways!
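To make the SQL injection item concrete, here is an added example (not code from this article or from any CMS) showing the flawed login query next to the corrected one. The table layout, function names and sample account are assumptions made up for the illustration.

```python
import hashlib
import sqlite3

def pw_hash(password):
    # Unsalted SHA-256 keeps the example short; real sites use a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    """Build an in-memory user table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("alice", pw_hash("correct horse 42")))
    return db

def login_concatenated(db, name, password):
    """The flawed pattern: form input is pasted straight into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND pw_hash = '%s'"
           % (name, pw_hash(password)))
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, name, password):
    """The fix: input travels as bound values and is never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pw_hash = ?"
    return db.execute(sql, (name, pw_hash(password))).fetchone()[0] > 0

# Constructed form input: closes the quote, then comments out the password test.
CRAFTED_NAME = "alice' --"

if __name__ == "__main__":
    db = make_db()
    print("concatenated query accepts crafted input:",
          login_concatenated(db, CRAFTED_NAME, "wrong"))
    print("parameterized query accepts crafted input:",
          login_parameterized(db, CRAFTED_NAME, "wrong"))
```

The only difference between the two functions is whether the form input becomes part of the SQL text, which is the thing to check for when reviewing a site's code.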
Why do they do it?
- Financial gain – the most common reason, there are many ways the unscrupulous can earn money on the back of your hard work. This could be by stealing information like customer account passwords or credit card information for their use or for resale. They may hijack your website and hold it up for ransom, asking for money to reinstate it. A common tactic is to redirect visitors to gambling or pharmaceutical sales websites. Adware is malware designed to place unwanted advertisements on your website.
- Dodgy SEO – placing back-links from your site to another, in order to improve the other site's search ranking. You may not even be able to see these links as they can be hidden in the code.
- Stealing Intellectual property – such as the source code of your software for them to replicate and resell. Or they could scrape your entire site and replicate it on another domain (again, not a hack but a serious issue nonetheless).
- To use your site as a slave for their own nefarious purposes - hackers need a website or websites to store their malicious files. They won't use one that can be traced back to them, naturally. So they will hack a vulnerable website, loading their own malware onto it. Then, when they send out spam, place links or ads, unsuspecting people download the malicious files from your website. If your site has been compromised in this way your hosting provider may shut your site down – without warning.
- Fun and bragging rights - Some people hack sites for fun, just to deface the site or most likely just to tell their hacker-buddies “look how smart I am”. We don't accept the excuse that they do it to raise awareness of slack security practices.
How do you protect yourself? [2]
Fixing a hacked site is not just a matter of removing the offending code or kicking an unauthorised user out. And even if you do fix it, if you don't resolve the reason they were able to do it in the first place – they could simply come back and do it again.
So, how do you lower the risk to your website and therefore business?
- Have secure passwords. This means a password that is not a real word (vulnerable to dictionary attacks) but a combination of letters and numbers. Your users may complain their password is hard to remember, but it's your website that will end up getting hacked.
- Keep regular backups – this is essential if you are going to recover from a serious breach.
No backup copy means your website may have to be rebuilt from the beginning. It can be more expensive to locate (assuming it can be found hiding in millions of lines of code) and remove malicious code, than to rebuild a site from scratch. Having a backup will mean you don't have to start again - and so is much quicker and cheaper (and less of a heartbreak).
- Keep your software up to date. It may seem obvious, but ensuring you keep all software up to date is absolutely vital in keeping your site secure.
This applies to both the server operating system and any software you may be running on your website such as a CMS.
When website security holes are found in software, hackers are quick to abuse them.
If you are using a managed hosting solution then you don't need to worry so much about applying security updates for the operating system as the hosting company should take care of this.
If you are using third-party software on your website such as a CMS or forum, you should ensure you are quick to apply any security patches. Most vendors have a mailing list or RSS feed detailing any website security issues.
WordPress, Umbraco and many other CMSs notify you of available system updates when you log in.
- Make sure you remove any unused extensions or plugins from your site because they are unlikely to be kept patched. It seems prevalent in WordPress to have inactive plugins left on the site (maybe it's just the ones we've seen).
- Monitor activity – to detect any dodgy activity, for example repeated incorrect login attempts from the same IP address. Some monitoring systems will compare the files on your site with a previous version to see if there have been any changes.
You may have to block persistent efforts from whole countries because hackers will simply move to a different set of IP addresses to get around any IP blacklisting.
- Make sure your developer knows how to 'harden' your system.
Depending on what was used to build your site, there are a range of security hardening techniques that will help prevent some of the most common attacks. They are the equivalent of putting anti-burglar locks on your windows and sliding doors.
They are unique to each system so we haven't listed them here, but they include things like managing permissions and making use of the .htaccess file. These are things many newbie or unskilled web developers will miss or just not bother with - and we see this regularly. So make sure security is on your requirements list.
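The two monitoring checks mentioned above (repeated failed logins from one IP address, and comparing the site's files with a previous version) can be sketched as follows. This is an added example, not a tool from this article; the log line format, the threshold and the function names are assumptions, and the log lines are constructed samples.

```python
import hashlib
import os
import re
from collections import Counter

# Assumed log format (constructed): "<ip> <timestamp> LOGIN_FAILED user=<name>"
FAILED = re.compile(r"^(\S+) \S+ LOGIN_FAILED ")

# Constructed sample covering one monitoring window.
SAMPLE_LOG = (
    ["203.0.113.7 2024-01-01T00:00:0%d LOGIN_FAILED user=admin" % i for i in range(6)]
    + ["198.51.100.4 2024-01-01T00:01:00 LOGIN_FAILED user=jo",
       "198.51.100.4 2024-01-01T00:01:05 LOGIN_OK user=jo"]
)

def noisy_ips(log_lines, threshold=5):
    """Return {ip: count} for IPs with at least `threshold` failed logins."""
    counts = Counter(m.group(1) for m in map(FAILED.match, log_lines) if m)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def changes(before, after):
    """Compare two snapshots: which files were added, removed or modified."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }

if __name__ == "__main__":
    print(noisy_ips(SAMPLE_LOG))
    baseline = snapshot(".")  # store this somewhere the web server cannot write to
    print(changes(baseline, snapshot(".")))
```

The file check is only useful if the baseline snapshot is taken from a known-good copy of the site and kept off the server it describes.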
Why you should care
If you are serious about your business you will have a website. And that website, if it's effective, is a powerful and important marketing tool for your business. If your site is compromised or inaccessible, it will not only become ineffective as a marketing tool, it could irretrievably damage your brand.
1 Source: World's biggest data-breaches, hacks
2 Essentee's managed clients get regular backups, software updates, security hardening and monitoring of their website as part of our Management Packages.