How Do Websites Get Hacked Regularly
As much as the web has grown, surprisingly not a lot has changed in how websites get hacked.
The most important thing you can do in keeping the web – and your own sites and visitors – safe is to understand these unchanging truths and hold them close to heart.
Consider the Scale of Hacked Websites
1.2 billion sites make up today’s World Wide Web. Assuming a 3-second load time, continuous queries, and not a wink of rest, it’d take you over 160 years to just see every site that currently exists.
That’s a colossally large web, and it’s impossibly large to keep watch over. Google’s Safe Browsing attempts to warn users about unsafe websites. It currently delivers around 3 million warnings a day.
Of the sites scanned by our own technology, between 1-2% have some Indicator of Compromise (IoC) that signifies a website attack.
While that percentage may seem small, let’s extrapolate it across the total number of sites. It indicates that somewhere in the neighborhood of 12 million websites are currently hacked or infected. That’s about the size of the populations of New York City and Los Angeles combined.
Websites will always be a target for hackers. And the impact of a hack can be devastating to a business.
The good news? Although the threat is big, persistent and harmful, awareness of how hacks occur goes a long way to ensure your sites stay safe.
So, How Do Websites Get Hacked?
Over decades of web history, we see hacks almost always fall into three categories:
It doesn’t matter if you’re a Fortune 500 company or a local cupcake bakery, how hackers approach a target looks very similar.
What can vary is how a business let itself become exploitable in the first place:
For large organizations, I often hear something like, “I thought someone else was handling it.” There’s a fog that can naturally develop in complex organizations.
For small businesses, it often boils down to, “I don’t understand why anyone would even want to target me.” It’s easy to lose sight of just how much private info can be skimmed from even a simple site.
In both cases, hackers have the tools and incentives to act in areas where vigilance isn’t high.
A Website Environment Has a Lot Going On
Before we dig into the specifics of each form of hack, let’s set an important foundational point for how the web itself works:
Every website relies on a series of interconnected systems working in unison.
There are components like the Domain Name System (DNS) – the thing that tells requests where to go. There’s the actual web server, which houses various website files and processes requests. And there’s the infrastructure that houses various web servers and networks them to the internet.
As simple as it all ends up looking for users these days, the ecosystem underneath is still fairly complex.
Many of the individual nodes are provided by specialized service providers. And even if you’re getting a number of them provided by a single provider, there are still numerous parts that function uniquely. It’s similar to how a modern car looks streamlined and solid on the outside, but has all kinds of moving pieces making it run underneath the hood.
While I won’t dive into too many details about the threats that these particular elements introduce, please understand that every component has an impact on your overall security posture. They all potentially contribute to how your website gets hacked.
Access control speaks specifically to the process of authentication and authorization; simply put, how you log in.
When I say that, I mean more than just your website’s user login. Like we established in the previous section, there are a number of interconnected logins tied together behind the scenes.
Here are a few areas to think about when assessing access control:
How do you log into your hosting panel?
How do you log into your server? (e.g., FTP, SFTP, SSH)
How do you log into your website? (e.g., WordPress, Drupal, Magento)
How do you log into your computer?
How do you log into your social media forums?
How do you store your credentials for all these things?
Access control is easy to overlook, but each point can offer access to the whole system. Think of it like the person that locks their front door but leaves windows unlatched and the patio door unlocked. A secure front door won’t matter much if someone wants to get in.
Hackers also utilize a number of tactics to obtain access to insecure login points. To continue the analogy of home security: This looks like a thief checking all the potential entrances and sneaking – or straight-up conning – copies of your keys and passcodes.
Brute force attacks are the simplest – but can still be simply effective. The attacker attempts to guess the possible username and password combinations in an effort to log in as the user.
Social engineering attempts are growing in prevalence. Hackers build phishing pages designed to trick someone into entering an ID/username and password combination.
Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) attacks entail intercepting user credentials via their own browser.
Man in the Middle (MITM) attacks are also fairly common, where your username and password are intercepted as you work via insecure networks.
Keyloggers and other monitoring malware track user inputs and report them back to the source of the infection.
Regardless of the style of attack, the goal is the same: Get direct access via logins.
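On the defender's side, the brute-force pattern described above is visible in login records. The following is an added example, not code from the original post: it flags source IPs with a burst of failed logins inside a sliding window. The log format, the sample lines, the thresholds and the function name are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a hypothetical format: ISO time, client IP, username, result.
SAMPLE_LOG = """\
2024-03-31T09:00:01 203.0.113.7 admin FAIL
2024-03-31T09:00:03 203.0.113.7 admin FAIL
2024-03-31T09:00:05 203.0.113.7 administrator FAIL
2024-03-31T09:00:07 198.51.100.20 alice FAIL
2024-03-31T09:00:08 203.0.113.7 admin FAIL
2024-03-31T09:00:10 203.0.113.7 root FAIL
2024-03-31T09:00:12 203.0.113.7 admin FAIL
2024-03-31T09:00:30 198.51.100.20 alice OK
2024-03-31T09:00:40 203.0.113.7 admin OK
2024-03-31T09:10:00 192.0.2.5 bob FAIL
2024-03-31T09:25:00 192.0.2.5 bob FAIL
2024-03-31T09:40:00 192.0.2.5 bob FAIL
2024-03-31T09:55:00 192.0.2.5 bob FAIL
2024-03-31T10:10:00 192.0.2.5 bob FAIL
"""

def find_brute_force(log_text, window=timedelta(minutes=5), max_failures=5):
    """Flag source IPs with max_failures or more failed logins inside one window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    names = defaultdict(set)      # ip -> every username that source has tried
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, ip, user, result = line.split()
        when = datetime.fromisoformat(stamp)
        if result == "OK":
            # A success from an already-flagged source is the case to escalate first.
            if ip in flagged:
                flagged[ip]["success_after_burst"] = True
            continue
        failures = recent[ip]
        failures.append(when)
        names[ip].add(user)
        while when - failures[0] > window:   # drop failures older than the window
            failures.popleft()
        if len(failures) >= max_failures:
            entry = flagged.setdefault(ip, {"peak": 0, "success_after_burst": False})
            entry["peak"] = max(entry["peak"], len(failures))
            entry["usernames"] = sorted(names[ip])
    return flagged
```

A single mistyped password followed by a success, or failures spread thinly over an hour, stay below the threshold here; tune the window and limit to your own login volume.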
Based on the typical site owner, I’d argue that 95% are unable to address today’s software vulnerabilities unless a security patch is recommended to them. Even everyday developers rarely account for the threats their own code introduces.
There’s an inherent philosophical disconnect between people who build sites and those that hack them. Builders – and honestly, most people – use things the way they’re designed to be used. But a hacker’s perspective looks for the ways to use things beyond how they’re designed.
A bug that may not affect the intended user experience in any way can potentially be exploited to make software do something very different than it’s intended. The sharpest hackers read these bugs as vulnerabilities.
The most common forms these take for websites? By using a malformed Uniform Resource Locator (URL) or POST Header, a hacker enacts a number of attacks. A few key examples:
Remote Code Execution (RCE) allows complete remote takeover of the target system and site.
Remote / Local File Inclusion (R/LFI) uses user-supplied input fields to upload malicious files into a system.
SQL Injection (SQLi) manipulates text input fields with malicious code that sends attack sequences to the server. This has been very common lately!
Just like access control, software vulnerabilities also extend beyond the website itself. They can be discovered and exploited in all the interconnected technologies a site relies on (e.g., web server, infrastructure, and even web browsers). Most modern sites use a mix of third-party extensions – like themes and plugins. Every one of those should be considered a potential point of intrusion.
Think of it this way: All systems contain potential software vulnerabilities waiting to be exploited.
Third-Party Integrations / Services
Last but not least, we see exploits through third-party integrations/services.
Most prominently, these take form as ads via ad networks that lead to malvertising attacks.
These can involve services that you use specifically with your site and its hosting, including things like Content Distribution Networks (CDN) – as in a major Washington Post hack.
Third-party integrations and services themselves provide efficient interconnection between parts of your site-management experience – it’s one thing people love about highly extensible Content Management Systems (CMS) like WordPress, Joomla!, and Drupal. But there’s that tricky word again! Those points of interconnectedness also provide an additional point for hackers to exploit.
A big problem in the exploitation of third-party integrations and services is that they’re beyond the website owner’s ability to control. As a site manager or builder, you put a lot of trust in a third-party provider when you utilize a service integration. And many work diligently to secure the integration.
But like everything else, there’s an inherent risk here – and one that hackers have an eye on.
How to Protect Your Website
Feeling overwhelmed? Like it’s all hopeless?
Remember that half of the website security battle is awareness and education.
Just reading this post sets you up to better secure your sites. And I’m glad we were able to get this far together!
There are next steps, though. And our goal is to help you achieve those next steps. Unfortunately, it’s often only after someone feels the pain of a compromise that they diligently protect their sites and visitors.
So, I highly encourage you to get ahead of that pain and make these next points a checklist going forth.
My core recommendations to prevent hacks to your site:
Employ Defense in Depth principles. This means building layers of security like an onion: Each security practice makes it harder for hackers to get a clear shot into your system.
Leverage the Least Privilege best practice. Limit what each user login can access to only what it needs.
Establish Multi-Factor and Two-Factor Authentication wherever possible. This further secures those user access points.
Use a Website Firewall. This works wonders in limiting the exploitation of software vulnerabilities. (Focus on Known and Unknown Attacks.)
Schedule regular Backups. Try to have at least 60 days available, so you can safely “rewind” in case your site is compromised.
Get perspective from search engines. Google Search Console and Bing Webmaster Tools both provide reports on their view on your site’s security.
I always tell website owners that security is about risk reduction, not risk elimination.
Understand that there’s no such thing as a 100% solution to staying secure. Almost all the tools you employ within your environment aim to reduce your overall risk posture – whether it’s continuous scanning or a more proactive approach such as mitigating incoming attacks.
Security is not a singular event or action, but rather a series of actions. It begins with good posture, and that responsibility ends with you.
Now that you know the How, you will inevitably come across one of the scenarios I described above. But recognizing those attempts will help you prevent and remediate them.
A Little Task to Do: Back Up All Your Data
Today is World Backup Day. This date was created to remind people of the importance of having backups set up for everything that matters. I am pretty sure your website falls into the category of precious digital assets.
Why are website backups important?
Imagine waking up in the morning to see that a couple of calls were missed and your email is overloaded with messages saying that your website is down. You go to your computer to check your server and it’s working fine – but oh no, all your files are deleted from the database. What would you do?
Backing up everything may seem like a boring task; however, website backups can be a lifesaver.
Website backups represent your safety net. They are the critical piece of security necessary if all other resources fail.
Backups & spare tires
Every car has a spare tire even though it usually is something you never use and forget about. Spare tires tend to be hidden in some obscure cavity of your trunk or strapped to the underbelly of your vehicle. Nevertheless, having a spare tire allows you to drive without fear, knowing that when you do have a flat tire, you also have a safety net.
We can think of website backups in the same way. They are your safety precaution for when your website has a problem and you have no idea how to fix it.
Just like having an extra tire, a website backup can help you recover your website after a security incident.
It’s important to have website security tools in place to protect your site from hackers, or to detect if a hacker has gained entry to the site. These tools, however, will not be enough if the hacker is able to gain access and overwrite or remove your files.
What is described above can be called the worst-case scenario. No matter what security tools you use, the risk of being hacked is never going to be zero. If it happens to your website, even a great website security platform can’t restore broken or missing content without you having a backup solution implemented in the first place.
Once your website files are overwritten or deleted, there is no way to recover them unless you have a backup. In that regard, backups are, in many cases, a lifesaving solution.
What do website backups do?
Backups make a complete copy of website files and your database on a daily basis (the default frequency) so that the website owner can restore their website to its previous state. Nevertheless, backups should not be the only security measure taken.
Though backups revert your site content to the last backup made, any content uploaded in the meantime will be lost. Also, backups cannot be used to fix the originating problem or prevent your website from reinfection.
That is why we recommend that you take a proactive role in website security. Protect your website with a Website Application Firewall so that your site does not get hacked in the first place.
Why Are Backups Important?
Backups were designed to recover your system to its last known good state, or configuration setting.
In this webinar on preventing data loss with backups, we explain how backups enhance your security strategy and why they shouldn’t be considered a replacement for having a website security solution.
How can I choose a good website backup solution?
Here are the main requirements you should look for when choosing a backup solution:
Location: off site
We often see customers saving backups on the web server in zip files that read: backup_xxxx.zip.
Unfortunately, that is not a good option. Attackers can delete these zip files easily if they gain access to the environment.
Like everything else on an unprotected web server, backups can be infected with malware.
Off-site backups are a smart solution because not only do they protect your stored data from hackers, they are also protected from hardware failure.
Automation: so you don’t have to remember
Our daily lives are very busy. It can be easy to forget about creating a backup, or postpone the task because a backup was done a month ago.
However, if you generate a lot of content, we suggest creating a backup schedule that matches your website update needs. This way, you never run the risk of losing any of your important website content. By doing so, you also decrease the number of backups if you tend to update your website less frequently.
When searching for a backup solution, bear in mind that automation is a must. Backups that are not automated cannot be 100% guaranteed to get the job done.
Redundancy: backups in multiple locations
A good backup strategy needs redundancy, meaning backups of your backups. When it comes to preventing data loss, having two spare tires is always better than having one.
Testing: make sure your website backups work
Nobody wants to find their spare tire flat when they need it most. To avoid this with your files and data, we advise you to test your backups and make sure they work well.
Follow these simple steps:
Use a test domain,
Open an empty web directory,
Use your backups to retrieve your lost data,
Get your website online using the backup files.
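The restore test above can be automated. This added example (not part of the original post or of any product it describes) restores an archive into an empty directory and compares every file against a hash manifest recorded at backup time; the manifest is meant to be kept off the web server. The function names, file names and sample site are constructed for illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def file_hashes(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(site_dir, archive_path):
    """Archive the site; return a manifest to store somewhere other than the web server."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(site_dir), arcname=".")
    return file_hashes(site_dir)

def restore_and_verify(archive_path, manifest):
    """Restore into an empty directory; return a list of problems (empty = usable backup)."""
    problems = []
    with tempfile.TemporaryDirectory() as empty_dir:
        root = Path(empty_dir).resolve()
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue  # directories are recreated as needed; links are skipped
                target = (root / member.name).resolve()
                if root not in target.parents:  # refuse entries that escape the restore dir
                    problems.append(f"unsafe path: {member.name}")
                    continue
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(tar.extractfile(member).read())
        restored = file_hashes(root)
    for name, digest in manifest.items():
        if name not in restored:
            problems.append(f"missing: {name}")
        elif restored[name] != digest:
            problems.append(f"changed: {name}")
    problems += [f"unexpected: {name}" for name in sorted(restored.keys() - manifest.keys())]
    return problems

def demo():
    """Constructed site: test a good backup, then one taken after files were overwritten."""
    with tempfile.TemporaryDirectory() as work:
        site = Path(work, "site")
        (site / "wp-content").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'home';")
        (site / "wp-content" / "theme.css").write_text("body{}")
        good, bad = Path(work, "good.tar.gz"), Path(work, "bad.tar.gz")
        manifest = make_backup(site, good)
        (site / "index.php").write_text("<?php echo 'defaced';")
        (site / "wp-content" / "theme.css").unlink()
        make_backup(site, bad)
        return restore_and_verify(good, manifest), restore_and_verify(bad, manifest)
```

A backup made after the site was altered still restores without errors, which is why the comparison against a manifest from a known-good state matters.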
The website backup solution
In order to help our customers have an efficient and affordable backup solution, we have created our own Website Backups product.
The benefits of the Backup include:
File system backed up over FTP, sFTP or sFTP (SSH-key)
Database auto-detection for well known CMSs like WordPress, Joomla, vBulletin, Magento, Drupal
Download backups from the dashboard
Automatic backup schedule: daily, weekly, or monthly at specific time
Alerts on failure to backup
Skip directories if needed
Backups organized by date
Off-site storage in the cloud infrastructure
Platform agnostic configuration for any website
Full initial backup of all your website files
Retain backups for 90 days
Restore complete backup by date
Quick and easy recovery process
One of our latest Backups updates is the One-Click Auto Restore feature that makes restoring backups a quick and simple task.
Our customers asked for a Selective Auto Restore feature in our Backups Solution. We have just implemented this new feature that enables auto restore for selected files without restoring the full website.
When your website has been reconfigured and an initial backup has been created, you can easily restore your website in just a few clicks from the Backups Dashboard.
Our remote disaster recovery solution is currently available to website owners using the Platform or Firewall. The backup service is platform agnostic, allowing it to support websites built on any technology. It operates seamlessly in the background, providing continuous backups at whatever frequency desired.
No matter which website backups solution you choose, make sure to have one. It is better to have a plan if the worst-case scenario happens to your website.